
Virus Help?


  • This topic is locked
11 replies to this topic

#1 Svorax

  • Members
  • 10 posts

Posted 05 July 2008 - 09:31 PM

Recently I was infected by a virus via installing a fake program. I downloaded, installed, scanned, removed the viruses, and uninstalled a bunch of programs and that solved the biggest problems. But my desktop background is still disabled and solid blue, and I can't seem to get it right. Plus, I'd like to make sure I got it all. Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:15 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7C9BE3EE-53DB-4B13-BFC7-5642DB1C72DA} - C:\WINDOWS\system32\nnnkIyYs.dll (file missing)
O2 - BHO: (no name) - {FE27E908-4C06-4BAE-88A0-655D0CE752CB} - C:\WINDOWS\system32\geBtTNHY.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [lphc72pj0e96j] C:\WINDOWS\system32\lphc72pj0e96j.exe
O4 - HKLM\..\Run: [SMshc12pj0e96j] C:\Program Files\shc12pj0e96j\shc12pj0e96j.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224836721121
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O20 - Winlogon Notify: geBtTNHY - geBtTNHY.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 3659 bytes

On another note, does anyone know of a good freeware registry cleaner/fixer?

Thnx.

#2 Rodav

  • Members
  • 388 posts

Posted 06 July 2008 - 11:36 AM

Hello Svorax, and welcome to the Bleeping Computer forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient while I work on your log, and I will post back here with any recommendations.
As I am still training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts. While it shouldn't be too long, you can be assured you will get the best possible advice.
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


#3 Rodav

  • Members
  • 388 posts

Posted 06 July 2008 - 05:33 PM

Hi Svorax,

You seem to have another HijackThis log open at Techguy:
http://forums.techguy.org/malware-removal-...s-problems.html
Please have that thread closed.

Researching a log takes a long time, and posting at multiple forums only wastes the time of different helpers who may be researching the same log. Also, different helpers may use different techniques which individually are correct and safe, but it may not be so if you follow the advice of both together.
I will help you with this log, so please make sure any others you may have open are closed.


On another note, does anyone know of a good freeware registry cleaner/fixer?

Automated registry cleaners/fixers, in my opinion, whether freeware or proprietary, are best avoided; rarely do these types of programs offer any real benefit, and in some cases they can even end up causing damage. Windows' registry is a lot sturdier than people give it credit for, and unless you have a good understanding of how it works, it's best to just leave it well alone.


Step 1:
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\Program Files\shc12pj0e96j\shc12pj0e96j.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat the process for this file:

C:\WINDOWS\system32\lphc72pj0e96j.exe


If Jotti is busy you could try the same at Virustotal.


Step 2:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

Logs to Post:
Please copy and paste the following into your next reply:
  • The Jotti/Virustotal results
  • main.txt and extra.txt from the DSS scan
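Step 1 above only works while the file named in the Run key still exists on disk; an autorun entry whose target is gone is a registry leftover to clean up, not something to submit. The Python script below is an added example written for this thread (it is not part of HijackThis, DSS or the helper's instructions): it parses O2/O4/O20 lines of the shape shown in the log above, checks whether each referenced file is still present, hashes the ones that are (so a hash lookup can replace an upload), and lists the orphaned entries. The sample lines are taken from the log above plus one constructed entry pointing at a temporary file; the assumption that a bare Winlogon Notify DLL name resolves under %SystemRoot%\system32 is mine.

```python
"""Triage of HijackThis O2/O4/O20 entries: does the target file still exist, and what is its hash?
Added example for this thread; not part of HijackThis, DSS or the helper's instructions."""
import hashlib
import ntpath
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Line shapes as they appear in a HijackThis 2.0.2 log (see the O2/O4/O20 lines in the thread).
_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)\s*$')
_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$')
_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)\s*$')

# Assumption: a Winlogon Notify DLL given by bare name is loaded from %SystemRoot%\system32.
_SYSTEM32 = ntpath.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")


@dataclass
class AutorunEntry:
    kind: str              # "O2", "O4" or "O20"
    name: str
    path: Optional[str]    # None when HijackThis printed "(no file)"
    hjt_missing: bool      # HijackThis itself flagged "(file missing)" / "(no file)"
    present: bool = False  # file actually found on this disk
    sha256: Optional[str] = None


def _clean_path(raw: str):
    """Strip HijackThis annotations and quotes; return (path or None, flagged_missing)."""
    raw = raw.strip()
    if raw == "(no file)":
        return None, True
    missing = raw.endswith("(file missing)")
    if missing:
        raw = raw[: -len("(file missing)")].rstrip()
    return raw.strip('"'), missing


def parse_hjt_line(line: str) -> Optional[AutorunEntry]:
    """Parse one O2/O4/O20 line; other line types (R1, O9, O16, O23, ...) return None."""
    for kind, rx in (("O4", _O4), ("O2", _O2), ("O20", _O20)):
        m = rx.match(line.strip())
        if m:
            path, missing = _clean_path(m.group("path"))
            return AutorunEntry(kind, m.group("name"), path, missing)
    return None


def sha256_file(path: str) -> str:
    """Hash in chunks so a large binary is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(lines: List[str]) -> List[AutorunEntry]:
    """Resolve every O2/O4/O20 entry against the local disk and hash the files that exist."""
    entries = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        if entry.kind == "O20" and entry.path and not ntpath.isabs(entry.path):
            entry.path = ntpath.join(_SYSTEM32, entry.path)
        if entry.path and os.path.isfile(entry.path):
            entry.present = True
            entry.sha256 = sha256_file(entry.path)
        entries.append(entry)
    return entries


def orphans(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries whose target no longer exists: registry leftovers to remove, nothing to submit."""
    return [e for e in entries if not e.present]


SAMPLE_LOG = [  # lines taken from the HijackThis log posted in this thread
    r"O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)",
    r"O2 - BHO: (no name) - {7C9BE3EE-53DB-4B13-BFC7-5642DB1C72DA} - C:\WINDOWS\system32\nnnkIyYs.dll (file missing)",
    r"O4 - HKLM\..\Run: [lphc72pj0e96j] C:\WINDOWS\system32\lphc72pj0e96j.exe",
    r"O20 - Winlogon Notify: geBtTNHY - geBtTNHY.dll (file missing)",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE",
]
SAMPLE_BYTES = b"MZ constructed sample file, not a real executable\n"  # constructed content
SAMPLE_FILE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


def demo() -> List[AutorunEntry]:
    """Run triage over SAMPLE_LOG plus one constructed O4 entry that does point at a real file."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "present.exe")
        with open(present, "wb") as f:
            f.write(SAMPLE_BYTES)
        return triage(SAMPLE_LOG + [rf'O4 - HKCU\..\Run: [Sample] "{present}"'])


if __name__ == "__main__":
    for e in demo():
        state = f"present, sha256={e.sha256}" if e.present else "MISSING (orphaned autorun entry)"
        print(f"{e.kind:<4}{e.name:<20}{e.path or '(no file)'}: {state}")
```

Entries reported as missing match the "0 bytes uploaded" outcome: there is no file to scan, and the registry reference itself is what needs removing.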


#4 Svorax

  • Topic Starter
  • Members
  • 10 posts

Posted 08 July 2008 - 10:13 PM

Thanks Rodav. I tried uploading both files and came up with "0 bytes uploaded". No firewalls. They must not exist.
Here are the other scan results:


Deckard's System Scanner v20071014.68
Run by Rick on 2008-07-08 20:05:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2008-07-09 04:06:15 UTC - RP112 - Deckard's System Scanner Restore Point
10: 2008-07-09 01:40:37 UTC - RP111 - Software Distribution Service 3.0
9: 2008-07-08 06:03:32 UTC - RP110 - Software Distribution Service 3.0
8: 2008-07-07 13:23:11 UTC - RP109 - Software Distribution Service 3.0
7: 2008-07-07 10:00:30 UTC - RP108 - Removed MetalKid's Pokemon Program v4.00


-- First Restore Point --
1: 2008-07-05 18:46:19 UTC - RP102 - Removed AVG 8.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Rick.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:17 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Documents and Settings\Rick\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rick.exe


--
End of file - 742 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080705-201229-530 O4 - HKLM\..\Run: [lphc72pj0e96j] C:\WINDOWS\system32\lphc72pj0e96j.exe
backup-20080705-201255-848 O4 - HKLM\..\Run: [SMshc12pj0e96j] C:\Program Files\shc12pj0e96j\shc12pj0e96j.exe
backup-20080706-012552-259 O20 - Winlogon Notify: geBtTNHY - geBtTNHY.dll (file missing)
backup-20080706-012651-228 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080706-012651-666 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20080706-012720-293 O2 - BHO: (no name) - {FE27E908-4C06-4BAE-88A0-655D0CE752CB} - C:\WINDOWS\system32\geBtTNHY.dll (file missing)
backup-20080706-012720-479 O2 - BHO: (no name) - {7C9BE3EE-53DB-4B13-BFC7-5642DB1C72DA} - C:\WINDOWS\system32\nnnkIyYs.dll (file missing)
backup-20080706-012851-292 O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
backup-20080706-012851-677 O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
backup-20080706-013859-828 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
backup-20080706-013902-279 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
backup-20080706-013902-298 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080706-013902-407 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080706-013902-645 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080706-014134-361 O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
backup-20080706-014134-528 O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
backup-20080706-014135-704 O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
backup-20080706-014135-935 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224836721121
backup-20080706-014615-733 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 BCM42RLY - c:\windows\system32\bcm42rly.sys (file missing)
S3 catchme - c:\docume~1\rick\locals~1\temp\catchme.sys (file missing)
S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 PPJoyBus (Parallel Port Joystick Bus device driver) - c:\windows\system32\drivers\ppjoybus.sys <Not Verified; Deon van der Westhuysen; Parallel Port Joystick Bus Enumerator>
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S3 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com 10/100 Mini PCI Ethernet Adapter
Device ID: PCI\VEN_10B7&DEV_6055&SUBSYS_645610B7&REV_10\3&61AAA01&0&80
Manufacturer: 3Com
Name: 3Com 10/100 Mini PCI Ethernet Adapter
PNP Device ID: PCI\VEN_10B7&DEV_6055&SUBSYS_645610B7&REV_10\3&61AAA01&0&80
Service: EL556ND5


-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-10-24 00:30:29 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-10-24 00:24:23 0 d--hs---- C:\Documents and Settings\Darcy\UserData
2008-10-23 23:44:39 94208 --a----c- C:\WINDOWS\system32\W32N50CT.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 17142 --a------ C:\WINDOWS\system32\CBTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-10-23 23:44:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-10-23 23:40:37 0 d-------- C:\Documents and Settings\Darcy\Application Data\Identities
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Templates
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Start Menu
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\SendTo
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\PrintHood
2008-10-23 23:40:21 2568192 --a------ C:\Documents and Settings\Darcy\NTUSER.DAT
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\NetHood
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\My Documents
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Local Settings
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Favorites
2008-10-23 23:40:21 0 d-------- C:\Documents and Settings\Darcy\Desktop
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Cookies
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\Application Data
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Application Data\Microsoft
2008-10-23 23:32:21 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-10-23 23:32:16 0 d-------- C:\WINDOWS\Prefetch
2008-10-23 23:32:15 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-10-23 23:32:13 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-10-23 23:32:13 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-10-23 23:20:49 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-10-23 23:20:49 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-10-23 23:20:48 229376 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-10-23 23:12:28 0 d-------- C:\WINDOWS\system32\xircom
2008-10-23 23:12:28 0 d-------- C:\Program Files\microsoft frontpage
2008-10-23 23:12:18 225280 ---h---c- C:\Documents and Settings\Default User\NTUSER.DAT
2008-10-23 23:12:12 0 d--h----- C:\WINDOWS\$hf_mig$
2008-10-23 23:08:48 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-10-23 23:08:17 0 dr------- C:\WINDOWS\Offline Web Pages
2008-10-23 23:08:17 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-10-23 23:07:47 0 d--h----- C:\Program Files\WindowsUpdate
2008-10-23 23:06:57 0 d-------- C:\WINDOWS\system32\DirectX
2008-10-23 23:06:12 0 d---s---- C:\WINDOWS\Tasks
2008-10-23 23:06:10 0 d-------- C:\Program Files\Common Files\MSSoap
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\system32\Macromed
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\srchasst
2008-10-23 23:05:53 0 d-------- C:\Program Files\Movie Maker
2008-10-23 23:05:42 0 d-------- C:\WINDOWS\system32\Restore
2008-10-23 23:05:08 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-10-23 23:04:27 0 d-------- C:\WINDOWS\Registration
2008-10-23 23:03:08 0 d-------- C:\Program Files\Online Services
2008-10-23 23:02:50 0 d-------- C:\Program Files\MSN Gaming Zone
2008-10-23 23:01:55 0 d-------- C:\Program Files\Windows NT
2008-10-23 23:01:51 0 d-------- C:\WINDOWS\system32\MsDtc
2008-10-23 23:01:49 0 d-------- C:\WINDOWS\system32\Com
2008-10-23 15:38:16 0 d--hs---- C:\WINDOWS\Installer
2008-10-23 15:38:14 0 d-------- C:\Program Files\Common Files\ODBC
2008-10-23 15:38:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-10-23 15:38:07 0 dr------- C:\Program Files
2008-10-23 15:38:07 0 d-------- C:\Program Files\Common Files
2008-10-23 15:37:22 0 dr------- C:\Documents and Settings\All Users\Documents
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-10-23 15:37:21 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot
2008-10-23 15:36:41 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-10-23 15:36:41 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-10-23 15:36:40 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-10-23 15:36:40 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-23 15:19:42 0 d-------- C:\Documents and Settings
2008-10-23 15:15:29 0 d--hs---- C:\System Volume Information
2008-10-23 15:09:04 0 d-------- C:\WINDOWS
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\WinSxS
2008-10-23 15:09:04 0 dr------- C:\WINDOWS\Web
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\twain_32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wins
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wbem
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\usmt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\spool
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ShellExt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\Setup
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ras
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\oobe
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\npp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\inetsrv
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\IME
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\icsxml
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ias
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\export
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-10-23 15:09:04 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\dhcp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3076
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\2052
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1054
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1042
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1041
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1037
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1033
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1031
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1028
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1025
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\security
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Resources
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\repair
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Provisioning
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\PeerNet
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\pchealth
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msapps
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msagent
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Media
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\java
2008-10-23 15:09:04 0 d--h----- C:\WINDOWS\inf
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\ime
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Help
2008-10-23 15:09:04 0 dr--s---- C:\WINDOWS\Fonts
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Driver Cache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Debug
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Cursors
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Connection Wizard
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\AppPatch
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\addins
2008-07-08 20:04:21 0 d-------- C:\PC Cleaning
2008-07-07 21:08:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 20:36:46 0 d-------- C:\Documents and Settings\Rick\Application Data\Winamp
2008-07-07 20:36:45 0 d-------- C:\Program Files\Winamp
2008-07-07 19:38:16 0 d--h----- C:\$AVG8.VAULT$
2008-07-07 01:24:23 0 d-------- C:\Program Files\TweakNow RegCleaner Professional
2008-07-06 01:32:37 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-06 01:32:29 0 d-------- C:\Program Files\AVG
2008-07-05 15:21:34 0 d-------- C:\Program Files\Panda Security
2008-07-05 11:07:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-05 10:48:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-04 09:22:16 0 d-------- C:\Program Files\Trend Micro
2008-07-02 11:38:03 2621440 --a------ C:\Documents and Settings\Rick\ntuser.dat
2008-07-02 11:37:58 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-02 11:37:41 477 --ahs---- C:\WINDOWS\system32\sYyIknnn.ini2
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-02 10:26:05 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-02 10:26:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-02 10:26:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-02 10:26:04 442368 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-02 10:26:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-02 10:22:25 0 d-------- C:\Documents and Settings\Rick\Application Data\shc12pj0e96j
2008-07-01 22:55:09 683341 --a------ C:\WINDOWS\system32\ChaNinja Style.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer 3.5>
2008-07-01 22:53:02 0 d--h----- C:\Documents and Settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}
2008-07-01 22:52:56 0 d-------- C:\Program Files\Stardock
2008-06-23 01:24:56 0 d-------- C:\Documents and Settings\Rick\Application Data\Anvil Studio
2008-06-17 14:47:53 0 d-------- C:\Documents and Settings\Rick\Application Data\DivX
2008-06-17 14:46:15 0 d-------- C:\Program Files\virtualdub
2008-06-17 11:16:56 0 d-------- C:\Program Files\DivX
2008-06-17 01:45:44 0 d-------- C:\Documents and Settings\Rick\Application Data\Talkback
2008-06-17 01:45:25 0 d-------- C:\Documents and Settings\Rick\Application Data\Thunderbird
2008-06-13 21:50:42 0 d-------- C:\Program Files\HJSplit
2008-06-12 16:25:14 0 d-------- C:\PSFONTS
2008-06-11 21:18:42 0 d-------- C:\Documents and Settings\Rick\Application Data\SpinTop
2008-06-11 19:13:07 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Documents and Settings\Rick\Application Data\NCH Swift Sound
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\Rick\Application Data\PlayFirst
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-10 20:41:00 0 d-------- C:\Documents and Settings\Rick\Application Data\iWinArcade
2008-06-10 20:40:40 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-06-10 14:59:11 0 d-------- C:\Documents and Settings\Rick\Application Data\LimeWire
2008-06-09 09:50:34 0 d-------- C:\Documents and Settings\Rick\Application Data\GetRightToGo
2008-06-09 09:50:27 0 d-------- C:\Program Files\GlovePIE030
2008-06-08 22:30:30 0 d-------- C:\Program Files\Emulators
2008-06-08 18:35:44 0 d-------- C:\WINDOWS\system32\Adobe
2008-06-08 18:33:42 0 d-------- C:\Documents and Settings\Rick\Application Data\Adobe
2008-06-08 16:47:20 293087 --a------ C:\Documents and Settings\Rick\Desktop.exe <Not Verified; Your Company Name; DEMO Product Name(Created by J2E 1.8 Trial, RegExLab.com)>
2008-06-08 16:44:36 101 --a------ C:\WINDOWS\system32\cxcncwpejgtaaaaaedp
2008-06-08 16:44:36 100 --a------ C:\WINDOWS\javalauncheraaaaacbn


-- Find3M Report ---------------------------------------------------------------

2008-10-23 15:37:21 62 --ahs---- C:\Documents and Settings\Rick\Application Data\desktop.ini
2008-07-07 01:58:38 0 d-------- C:\Program Files\Audacity
2008-07-05 20:14:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-01 22:50:37 0 d-------- C:\Documents and Settings\Rick\Application Data\Orbit
2008-07-01 09:31:18 0 d-------- C:\Program Files\FLV Player
2008-06-17 10:46:46 0 d-------- C:\Program Files\Easy Video Downloader
2008-06-13 20:26:02 0 d-------- C:\Program Files\Java
2008-06-13 19:57:44 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-08 19:08:25 78 --a------ C:\Documents and Settings\Rick\Application Data\mainhst.zgh
2008-06-07 18:07:17 0 d-------- C:\Documents and Settings\Rick\Application Data\Sun
2008-06-07 08:58:23 0 d-------- C:\Documents and Settings\Rick\Application Data\Macromedia
2008-06-07 08:52:26 0 d-------- C:\Documents and Settings\Rick\Application Data\Mozilla
2008-06-07 08:38:33 0 d-------- C:\Documents and Settings\Rick\Application Data\Identities
2008-06-07 07:32:58 0 d-------- C:\Program Files\n-game version 1.4
2008-06-07 07:12:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-06 17:29:38 0 d-------- C:\Program Files\UnH Solutions
2008-06-06 17:28:36 0 d-------- C:\Program Files\QuickTime Alternative
2008-06-06 17:27:22 0 d-------- C:\Program Files\Orbitdownloader
2008-06-06 17:20:59 0 d-------- C:\Program Files\Game Elements
2008-06-06 17:20:01 0 d-------- C:\Program Files\7-Zip
2008-06-06 17:19:45 0 d-------- C:\Program Files\ExtractNow
2008-06-06 16:27:30 0 d-------- C:\Program Files\SDFix
2008-05-30 09:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 09:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 09:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 09:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/06/2008 01:32 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [02/19/2008 02:59 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=0 (0x0)
"NoActiveDesktopChanges"=00000000
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnkIyYs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"




-- End of Deckard's System Scanner: finished at 2008-07-08 20:09:30 ------------

____________________________________________________________________


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 511.4 MiB / 290.8 MiB
Pagefile Memory (total/avail): 866.17 MiB / 684.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.89 MiB

C: is Fixed (NTFS) - 9.36 GiB total, 3.49 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HITACHI_DK23CA-10 - 9.36 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.36 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: Norton AntiVirus v15.5.0.23 (Symantec Corporation)
AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Documents and Settings\\Rick\\Desktop\\kaillerasrv-0.86-win32\\kaillerasrv.exe"="C:\\Documents and Settings\\Rick\\Desktop\\kaillerasrv-0.86-win32\\kaillerasrv.exe:*:Enabled:kaillerasrv"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Emulators\\zsnesw151\\zbattle.net\\zbattle.net.exe"="C:\\Program Files\\Emulators\\zsnesw151\\zbattle.net\\zbattle.net.exe:*:Enabled:zbattle.net"
"C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe:*:Enabled:SUPERAntiSpyware Free Edition"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rick\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rick
LOGONSERVER=\\LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ZipGenius 6\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Rick\LOCALS~1\Temp
TMP=C:\DOCUME~1\Rick\LOCALS~1\Temp
USERDOMAIN=LAPTOP
USERNAME=Rick
USERPROFILE=C:\Documents and Settings\Rick
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Darcy (admin)
Rick (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Applian FLV Player --> "C:\WINDOWS\Applian FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CursorFX --> "C:\Documents and Settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}\CursorFX_public.exe" REMOVE=TRUE MODIFY=FALSE
CursorFX --> C:\Documents and Settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}\CursorFX_public.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Easy Video Downloader v. 2.0 --> "C:\Program Files\Easy Video Downloader\unins000.exe"
ExtractNow --> "C:\Program Files\ExtractNow\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Orbit Downloader --> "C:\Program Files\Orbitdownloader\unins000.exe"
QuickTime Alternative 2.5.1 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
SWF Opener --> "C:\Program Files\UnH Solutions\SWF Opener\unins000.exe"
Switch Sound File Converter --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
TweakNow RegCleaner Professional --> "C:\Program Files\TweakNow RegCleaner Professional\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type7157 / Warning
Event Submitted/Written: 07/07/2008 09:13:26 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Event Record #/Type7155 / Warning
Event Submitted/Written: 07/07/2008 09:10:32 PM
Event ID/Source: 4440 / COM+
Event Description:
The CRM log file was originally created on a computer with a different name. It has been updated with the name of the current computer. If this warning appears when the computer name has been changed then no further action is required. USER-6BF91FD3A6

Server Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235}
Server Application Instance ID:
{14DDDAEE-703C-40F9-B99A-28B27C282C5C}
Server Application Name: System Application
Comsvcs.dll file version: ENU 2001.12.4414.308 shp

Event Record #/Type7149 / Warning
Event Submitted/Written: 07/07/2008 08:41:33 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{91120409-6000-11D3-8CFE-0150048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Event Record #/Type7142 / Error
Event Submitted/Written: 07/07/2008 03:02:24 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application stella.exe, version 1.1.3.1, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00009dea.
Processing media-specific event for [stella.exe!ws!]

Event Record #/Type7141 / Error
Event Submitted/Written: 07/07/2008 02:57:07 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application stella.exe, version 1.1.3.1, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00009dea.
Processing media-specific event for [stella.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19149 / Error
Event Submitted/Written: 07/07/2008 08:59:16 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows User Mode Driver Framework service failed to start due to the following error:
%%1053

Event Record #/Type19148 / Error
Event Submitted/Written: 07/07/2008 08:59:16 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Windows User Mode Driver Framework service to connect.

Event Record #/Type19077 / Error
Event Submitted/Written: 07/07/2008 02:01:56 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type19074 / Error
Event Submitted/Written: 07/07/2008 02:01:56 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type19071 / Error
Event Submitted/Written: 07/07/2008 02:01:56 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126



-- End of Deckard's System Scanner: finished at 2008-07-08 20:09:30 ------------

#5 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 09 July 2008 - 09:16 AM

Is there any particular reason you fixed all the entries in HijackThis? HijackThis is a diagnostic tool; much of what it finds is legitimate, and some of it is absolutely necessary for your computer to run efficiently. Fortunately HijackThis creates backups, so the legitimate entries can be restored. Again I have to reiterate: if you are receiving help elsewhere, either tell me now and I can close this topic, or continue to follow my advice alone.

I'm sorry if I sound a little harsh, but either trying to fix things yourself if you are unsure how to or receiving help from multiple sources at best delays matters and at worst makes your computer unworkable.


P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Limewire

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to keep them, please do not use them until your computer is cleaned.


Step 1:
  • Open HijackThis.
  • Open the Misc Tools section.
  • Click on backups tab.
  • Find the lines below.

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
    O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/...%20Controls.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224836721121
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/

  • Put a tick and click on Restore.

Step 2:
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\WINDOWS\system32\cxcncwpejgtaaaaaedp

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat the process for this file:

C:\WINDOWS\javalauncheraaaaacbn


If Jotti is busy you could try the same at Virustotal.


Step 3:
  • Please download ERUNT and save it to your desktop.
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked which are System registry and Current user registry
  • Press OK
  • Press YES to create the folder.

Step 4:
Open Notepad (Go to Start > Run, type Notepad and click OK)
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the codebox to Notepad. Save it as "All Files" and name it Fix.reg. Please save it on your desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Close Notepad, double click Fix.reg. When it asks if you want to merge the info to the registry, hit YES/OK. Then Reboot the computer.


Step 5:
Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
C:\WINDOWS\system32\sYyIknnn.ini2
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j
C:\WINDOWS\system32\lphc72pj0e96j.exe
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2

Step 6:
Go to Start -> Run, copy and paste the following command and click OK:

CMD /C Dir "C:\PC Cleaning">"%Userprofile%\Desktop\look.txt"

That should produce a report on your desktop, look.txt. Post its contents in your next reply.


Step 7:
There seem to be some leftovers from Norton Antivirus; please follow the advice at the link below to download and run the Norton removal tool:
http://service1.symantec.com/SUPPORT/tsgen...005033108162039


Step 8:
Run DSS (Deckard System Scanner) again, and in your next reply, please post:
  • The Jotti/Virustotal results
  • Look.txt created in Step 6
  • The OTMoveIt2 results
  • The new DSS log

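The Step 4 fix above rewrites the LSA "Authentication Packages" value that the earlier DSS registry dump showed with a second entry next to msv1_0; the REGEDIT4 hex(7) form is just the REG_MULTI_SZ bytes (each string NUL-terminated, the list closed by an extra NUL) written as comma-separated hex. The Python below is an added illustration, not part of Rodav's post and not code from DSS, HijackThis or any other tool named in the thread: it decodes and re-encodes that hex(7) form, parses the space-separated rendering DSS uses in its dump, and flags any package that is not the stock Windows package. The EXPECTED_PACKAGES set (only msv1_0) is an assumption for a default Windows XP install; the sample dump line is taken from the log posted above.

```python
"""Helpers for checking and rebuilding the LSA Authentication Packages value.

Added example (not from the thread or any tool it names). Assumes a stock
Windows XP box, where the only legitimate authentication package is msv1_0.
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
VALUE_NAME = "Authentication Packages"

# Assumption: default XP ships only msv1_0 here. Anything else deserves a look.
EXPECTED_PACKAGES = {"msv1_0"}


def decode_hex7(hex_bytes):
    """Turn a REGEDIT4 hex(7) byte list into a list of strings.

    REGEDIT4 (as opposed to 'Windows Registry Editor Version 5.00') writes
    REG_MULTI_SZ as one ANSI byte per character. Backslash line continuations
    and whitespace from a wrapped .reg export are tolerated.
    """
    cleaned = "".join(hex_bytes.replace("\\", "").split())
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b)
    text = raw.decode("latin-1")
    # Each string ends in NUL; the list ends in a second NUL, which yields an
    # empty trailing element that we drop.
    return [s for s in text.split("\x00") if s]


def encode_hex7(strings):
    """Inverse of decode_hex7: build the comma-separated hex(7) byte list."""
    body = "".join(s + "\x00" for s in strings) + "\x00"
    return ",".join("{:02x}".format(b) for b in body.encode("latin-1"))


def parse_dss_multi_sz(line):
    """Parse the way DSS prints a REG_MULTI_SZ: '"Name"= a b c'.

    DSS joins the strings with spaces, so a path containing spaces would be
    split; for this value, package names and DLL paths never contain spaces.
    """
    _, _, rhs = line.partition("=")
    return rhs.split()


def unexpected_packages(packages):
    """Return every entry that is not in EXPECTED_PACKAGES (case-insensitive)."""
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


def build_fix_reg(strings):
    """Produce a REGEDIT4 file body that resets the value to the given list."""
    return (
        "REGEDIT4\r\n\r\n"
        "[" + LSA_KEY + "]\r\n"
        '"' + VALUE_NAME + '"=hex(7):' + encode_hex7(strings) + "\r\n"
    )


# Constructed sample: the line as it appeared in the DSS registry dump above.
SAMPLE_DSS_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\nnnkIyYs'

if __name__ == "__main__":
    found = parse_dss_multi_sz(SAMPLE_DSS_LINE)
    print("packages in dump:", found)
    print("unexpected:", unexpected_packages(found))
    print("fix.reg would contain:")
    print(build_fix_reg(sorted(EXPECTED_PACKAGES)))
```

Running it on the dump line flags C:\WINDOWS\system32\nnnkIyYs and emits exactly the `hex(7):6d,73,76,31,5f,30,00,00` line used in Step 4, which is a quick way to confirm a hand-written .reg fix before merging it.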

#6 Svorax

Svorax
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 09 July 2008 - 09:59 PM

I promise this is the only thread. Sorry for fixing everything on HijackThis. I didn't know it picks up on legit items. I restored the items you said to restore. As for the P2P, I did already know the risks of it, but I removed it anyway. I never use it. Here are the file scans:

File: cxcncwpejgtaaaaaedp
Status: OK
MD5: e7502fdf221129eb75420155315c3f62
Packers detected: -

Scanner results
Scan taken on 10 Jul 2008 00:59:05 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: javalauncheraaaaacbn
Status: OK
MD5: 547f33ed4f9113968344da36e635663c
Packers detected: -

Scanner results
Scan taken on 10 Jul 2008 01:06:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Here's the OTMoveIt2 result:

C:\WINDOWS\system32\sYyIknnn.ini2 moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Packages moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\BrowserObjects moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun\StartMenuCurrentUser moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun\StartMenuAllUsers moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun\HKLM\RunOnce moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun\HKLM moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun\HKCU\RunOnce moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun\HKCU moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine\Autorun moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j\Quarantine moved successfully.
C:\Documents and Settings\Rick\Application Data\shc12pj0e96j moved successfully.
File/Folder C:\WINDOWS\system32\lphc72pj0e96j.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07092008_180926

I don't know if I'm fully comfortable posting my drive's serial number but I guess there's no harm. Here is that:

Volume in drive C has no label.
Volume Serial Number is XXXX-XXXX

Directory of C:\PC Cleaning

07/08/2008 08:18 PM <DIR> .
07/08/2008 08:18 PM <DIR> ..
07/08/2008 07:25 PM 50,688 ATF-Cleaner.exe
03/25/2002 09:52 AM 644,976 BootVis.exe
07/06/2008 09:33 AM <DIR> desktopclean
07/08/2008 07:59 PM 686,630 dss.exe
07/08/2008 08:03 PM <DIR> OTScanIt
07/02/2008 11:51 AM <DIR> SDFix
3 File(s) 1,382,294 bytes
5 Dir(s) 3,599,446,016 bytes free



When I ran DDS this time, an extras.txt didn't appear. Only a main.txt. Is that a problem? Here it is:



Deckard's System Scanner v20071014.68
Run by Rick on 2008-07-09 20:50:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rick.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:17 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PC Cleaning\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rick.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

--
End of file - 1438 bytes

-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-10-24 00:30:29 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-10-24 00:24:23 0 d--hs---- C:\Documents and Settings\Darcy\UserData
2008-10-23 23:44:39 94208 --a----c- C:\WINDOWS\system32\W32N50CT.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 17142 --a------ C:\WINDOWS\system32\CBTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-10-23 23:44:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-10-23 23:40:37 0 d-------- C:\Documents and Settings\Darcy\Application Data\Identities
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Templates
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Start Menu
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\SendTo
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\PrintHood
2008-10-23 23:40:21 2568192 --a------ C:\Documents and Settings\Darcy\NTUSER.DAT
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\NetHood
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\My Documents
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Local Settings
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Favorites
2008-10-23 23:40:21 0 d-------- C:\Documents and Settings\Darcy\Desktop
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Cookies
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\Application Data
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Application Data\Microsoft
2008-10-23 23:32:21 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-10-23 23:32:16 0 d-------- C:\WINDOWS\Prefetch
2008-10-23 23:32:15 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-10-23 23:32:13 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-10-23 23:32:13 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-10-23 23:20:49 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-10-23 23:20:49 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-10-23 23:20:48 229376 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-10-23 23:12:28 0 d-------- C:\WINDOWS\system32\xircom
2008-10-23 23:12:28 0 d-------- C:\Program Files\microsoft frontpage
2008-10-23 23:12:18 225280 ---h---c- C:\Documents and Settings\Default User\NTUSER.DAT
2008-10-23 23:12:12 0 d--h----- C:\WINDOWS\$hf_mig$
2008-10-23 23:08:48 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-10-23 23:08:17 0 dr------- C:\WINDOWS\Offline Web Pages
2008-10-23 23:08:17 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-10-23 23:07:47 0 d--h----- C:\Program Files\WindowsUpdate
2008-10-23 23:06:57 0 d-------- C:\WINDOWS\system32\DirectX
2008-10-23 23:06:12 0 d---s---- C:\WINDOWS\Tasks
2008-10-23 23:06:10 0 d-------- C:\Program Files\Common Files\MSSoap
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\system32\Macromed
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\srchasst
2008-10-23 23:05:53 0 d-------- C:\Program Files\Movie Maker
2008-10-23 23:05:42 0 d-------- C:\WINDOWS\system32\Restore
2008-10-23 23:05:08 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-10-23 23:04:27 0 d-------- C:\WINDOWS\Registration
2008-10-23 23:03:08 0 d-------- C:\Program Files\Online Services
2008-10-23 23:02:50 0 d-------- C:\Program Files\MSN Gaming Zone
2008-10-23 23:01:55 0 d-------- C:\Program Files\Windows NT
2008-10-23 23:01:51 0 d-------- C:\WINDOWS\system32\MsDtc
2008-10-23 23:01:49 0 d-------- C:\WINDOWS\system32\Com
2008-10-23 15:38:16 0 d--hs---- C:\WINDOWS\Installer
2008-10-23 15:38:14 0 d-------- C:\Program Files\Common Files\ODBC
2008-10-23 15:38:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-10-23 15:38:07 0 dr------- C:\Program Files
2008-10-23 15:38:07 0 d-------- C:\Program Files\Common Files
2008-10-23 15:37:22 0 dr------- C:\Documents and Settings\All Users\Documents
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-10-23 15:37:21 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot
2008-10-23 15:36:41 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-10-23 15:36:41 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-10-23 15:36:40 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-10-23 15:36:40 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-23 15:19:42 0 d-------- C:\Documents and Settings
2008-10-23 15:15:29 0 d--hs---- C:\System Volume Information
2008-10-23 15:09:04 0 d-------- C:\WINDOWS
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\WinSxS
2008-10-23 15:09:04 0 dr------- C:\WINDOWS\Web
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\twain_32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wins
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wbem
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\usmt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\spool
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ShellExt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\Setup
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ras
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\oobe
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\npp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\inetsrv
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\IME
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\icsxml
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ias
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\export
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-10-23 15:09:04 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\dhcp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3076
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\2052
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1054
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1042
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1041
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1037
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1033
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1031
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1028
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1025
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\security
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Resources
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\repair
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Provisioning
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\PeerNet
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\pchealth
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msapps
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msagent
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Media
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\java
2008-10-23 15:09:04 0 d--h----- C:\WINDOWS\inf
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\ime
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Help
2008-10-23 15:09:04 0 dr--s---- C:\WINDOWS\Fonts
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Driver Cache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Debug
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Cursors
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Connection Wizard
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\AppPatch
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\addins
2008-07-09 00:38:02 0 d-------- C:\Documents and Settings\Rick\Application Data\GrabPro
2008-07-08 20:04:21 0 d-------- C:\PC Cleaning
2008-07-07 21:08:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 20:36:46 0 d-------- C:\Documents and Settings\Rick\Application Data\Winamp
2008-07-07 20:36:45 0 d-------- C:\Program Files\Winamp
2008-07-07 19:38:16 0 d--h----- C:\$AVG8.VAULT$
2008-07-07 01:24:23 0 d-------- C:\Program Files\TweakNow RegCleaner Professional
2008-07-06 01:32:37 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-06 01:32:29 0 d-------- C:\Program Files\AVG
2008-07-05 15:21:34 0 d-------- C:\Program Files\Panda Security
2008-07-05 11:07:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-05 10:48:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-04 09:22:16 0 d-------- C:\Program Files\Trend Micro
2008-07-02 11:38:03 2883584 --a------ C:\Documents and Settings\Rick\ntuser.dat
2008-07-02 11:37:58 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-02 10:26:05 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-02 10:26:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-02 10:26:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-02 10:26:04 442368 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-02 10:26:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-01 22:55:09 683341 --a------ C:\WINDOWS\system32\ChaNinja Style.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer 3.5>
2008-07-01 22:53:02 0 d--h----- C:\Documents and Settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}
2008-07-01 22:52:56 0 d-------- C:\Program Files\Stardock
2008-06-23 01:24:56 0 d-------- C:\Documents and Settings\Rick\Application Data\Anvil Studio
2008-06-17 14:47:53 0 d-------- C:\Documents and Settings\Rick\Application Data\DivX
2008-06-17 14:46:15 0 d-------- C:\Program Files\virtualdub
2008-06-17 11:16:56 0 d-------- C:\Program Files\DivX
2008-06-17 01:45:44 0 d-------- C:\Documents and Settings\Rick\Application Data\Talkback
2008-06-17 01:45:25 0 d-------- C:\Documents and Settings\Rick\Application Data\Thunderbird
2008-06-13 21:50:42 0 d-------- C:\Program Files\HJSplit
2008-06-12 16:25:14 0 d-------- C:\PSFONTS
2008-06-11 21:18:42 0 d-------- C:\Documents and Settings\Rick\Application Data\SpinTop
2008-06-11 19:13:07 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Documents and Settings\Rick\Application Data\NCH Swift Sound
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\Rick\Application Data\PlayFirst
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-10 20:41:00 0 d-------- C:\Documents and Settings\Rick\Application Data\iWinArcade
2008-06-10 20:40:40 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-06-10 14:59:11 0 d-------- C:\Documents and Settings\Rick\Application Data\LimeWire
2008-06-09 09:50:34 0 d-------- C:\Documents and Settings\Rick\Application Data\GetRightToGo
2008-06-09 09:50:27 0 d-------- C:\Program Files\GlovePIE030


-- Find3M Report ---------------------------------------------------------------

2008-10-23 15:37:21 62 --ahs---- C:\Documents and Settings\Rick\Application Data\desktop.ini
2008-07-09 20:48:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 16:06:02 0 d-------- C:\Program Files\Emulators
2008-07-09 15:54:36 0 d-------- C:\Documents and Settings\Rick\Application Data\Orbit
2008-07-09 00:38:26 0 d-------- C:\Program Files\Orbitdownloader
2008-07-07 01:58:38 0 d-------- C:\Program Files\Audacity
2008-07-01 09:31:18 0 d-------- C:\Program Files\FLV Player
2008-06-17 10:46:46 0 d-------- C:\Program Files\Easy Video Downloader
2008-06-13 20:26:02 0 d-------- C:\Program Files\Java
2008-06-13 19:57:44 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-08 19:08:25 78 --a------ C:\Documents and Settings\Rick\Application Data\mainhst.zgh
2008-06-08 18:33:42 0 d-------- C:\Documents and Settings\Rick\Application Data\Adobe
2008-06-08 16:59:25 101 --a------ C:\WINDOWS\system32\cxcncwpejgtaaaaaedp
2008-06-08 16:59:25 100 --a------ C:\WINDOWS\javalauncheraaaaacbn
2008-06-07 18:07:17 0 d-------- C:\Documents and Settings\Rick\Application Data\Sun
2008-06-07 08:58:23 0 d-------- C:\Documents and Settings\Rick\Application Data\Macromedia
2008-06-07 08:52:26 0 d-------- C:\Documents and Settings\Rick\Application Data\Mozilla
2008-06-07 08:38:33 0 d-------- C:\Documents and Settings\Rick\Application Data\Identities
2008-06-07 07:32:58 0 d-------- C:\Program Files\n-game version 1.4
2008-06-07 07:12:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-06 17:29:38 0 d-------- C:\Program Files\UnH Solutions
2008-06-06 17:28:36 0 d-------- C:\Program Files\QuickTime Alternative
2008-06-06 17:20:59 0 d-------- C:\Program Files\Game Elements
2008-06-06 17:20:01 0 d-------- C:\Program Files\7-Zip
2008-06-06 17:19:45 0 d-------- C:\Program Files\ExtractNow
2008-06-06 16:27:30 0 d-------- C:\Program Files\SDFix
2008-05-30 09:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 09:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 09:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 09:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 09:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}"= C:\Program Files\Orbitdownloader\GrabPro.dll [06/10/2008 10:47 AM 457848]

[-HKEY_CLASSES_ROOT\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}]
[HKEY_CLASSES_ROOT\GrabPro.FindBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{8091D09E-B01D-4D32-AC66-BBF8916BB1CF}]
[HKEY_CLASSES_ROOT\GrabPro.FindBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/06/2008 01:32 AM]

C:\Documents and Settings\Rick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=0 (0x0)
"NoActiveDesktopChanges"=00000000
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"




-- End of Deckard's System Scanner: finished at 2008-07-09 20:51:42 ------------

Edited by Svorax, 10 July 2008 - 02:12 PM.


#7 Rodav

Posted 10 July 2008 - 08:37 AM

The 2 files I asked you to upload, C:\WINDOWS\system32\cxcncwpejgtaaaaaedp and C:\WINDOWS\javalauncheraaaaacbn, came back clean. They look a bit peculiar to me though; do you know anything about them?

I don't know if I'm fully comfortable posting my drive's serial number but I guess there's no harm.

It's ok, I only wanted to see the contents of that folder, you can edit out the serial number if you want.

When I ran DDS this time, an extras.txt didn't appear. Only a main.txt. Is that a problem?

extras.txt is produced only the first time DSS is run. If it's needed again, it can be produced using a command from Run; just double-clicking DSS from now on will produce only 1 log.


Step 1:
Update your Java.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel > Add/Remove Programs.
  • Check any item with Java Runtime Environment, JRE, J2SE, or Java Webstart in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all installed versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) and install it to your computer.
The latest update is Java Runtime Environment (JRE) 6 Update 7.


Step 2:
Please download ATF cleaner
Make sure that all browser windows are closed. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Deselect Cookies
Click the Empty Selected button.
You can select cookies, but you will have to re-enter your login details to websites you frequent.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Deselect Firefox Cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Deselect Opera Cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Step 3:
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Step 4:
Run DSS again and in your next reply please post:
  • The online Kaspersky scan results
  • The new DSS log
Also please let me know if you know anything about the 2 files I asked you about, how your computer is running, and if you have any more problems.
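The two files Rodav singled out above (C:\WINDOWS\system32\cxcncwpejgtaaaaaedp and C:\WINDOWS\javalauncheraaaaacbn) stand out in the DSS listing for reasons that can be checked mechanically: they sit in the Windows directory, carry no extension and no publisher/version tag, are only about 100 bytes, and have names with long runs of a repeated character. The following Python is an added example, not part of this thread and not DSS's own tool: it parses lines in the DSS "Files created" / "Find3M" format and applies those heuristics as a triage filter. The sample lines are constructed from the format seen in the log above (paths copied from it, plus a normal system DLL for contrast), and the scoring thresholds are my own assumptions, not anything DSS or the helper defined.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DSS file-listing format:
# "<date> <time> <size> <attrs> <path> [<Not Verified; Company; Product>]".
SAMPLE_LOG = """\
2008-06-13 19:57:44 218624 --a------ C:\\WINDOWS\\system32\\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-06-08 19:08:25 78 --a------ C:\\Documents and Settings\\Rick\\Application Data\\mainhst.zgh
2008-06-08 18:33:42 0 d-------- C:\\Documents and Settings\\Rick\\Application Data\\Adobe
2008-06-08 16:59:25 101 --a------ C:\\WINDOWS\\system32\\cxcncwpejgtaaaaaedp
2008-06-08 16:59:25 100 --a------ C:\\WINDOWS\\javalauncheraaaaacbn
2008-05-30 09:18:00 12288 --a------ C:\\WINDOWS\\system32\\DivXWMPExtType.dll
"""

# One DSS line: timestamp, size, 9-character attribute field, path,
# and an optional "<...>" version-info tag at the end of the line.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.*?)"
    r"(?: <(?P<verinfo>[^>]*)>)?$"
)


@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str
    path: str
    verinfo: Optional[str]  # None when DSS printed no publisher/product tag

    @property
    def is_dir(self) -> bool:
        # DSS marks directories with a leading 'd' in the attribute field.
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse(text: str) -> List[Entry]:
    """Parse every well-formed DSS listing line; skip headers and blanks."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["stamp"], int(m["size"]), m["attrs"],
                                 m["path"], m["verinfo"]))
    return entries


def reasons_for(e: Entry) -> List[str]:
    """Heuristic indicators (assumed thresholds) for a file under C:\\WINDOWS."""
    reasons: List[str] = []
    if e.is_dir or not e.path.lower().startswith("c:\\windows\\"):
        return reasons
    if "." not in e.name:
        reasons.append("no file extension")
    if e.verinfo is None:
        reasons.append("no publisher/version info")
    if re.search(r"(.)\1{3,}", e.name.lower()):
        reasons.append("run of 4+ repeated characters in name")
    if e.size < 1024:
        reasons.append("tiny file (<1 KiB) in the Windows directory")
    return reasons


def triage(text: str, min_reasons: int = 2) -> Dict[str, List[str]]:
    """Return {path: reasons} for entries that trip at least min_reasons checks.

    Requiring two indicators keeps an unsigned but otherwise ordinary DLL
    (like DivXWMPExtType.dll above) out of the list while still catching the
    two odd files from the thread.
    """
    flagged: Dict[str, List[str]] = {}
    for e in parse(text):
        r = reasons_for(e)
        if len(r) >= min_reasons:
            flagged[e.path] = r
    return flagged


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path)
        for w in why:
            print("   -", w)
```

The filter is a pointer to what deserves a closer look (a hash lookup or an upload to a multi-engine scanner, as Rodav did), not a verdict: legitimate files can lack version info, and a clean scan result, as here, still leaves the question of what created them.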

#8 Svorax

Posted 10 July 2008 - 02:31 PM

I have a few questions. There's a program on here called MSXML Parser. What is it for and is it worth having? Also, since the cleaning, there was one point when the touchpad started acting very odd and was hard to control at first. But, after I used it for a little while, it just slowly fixed itself. Was this just calibration?

Now for the files you're wondering about. C:\WINDOWS\system32\cxcncwpejgtaaaaaedp is completely unknown to me. I might know something about C:\WINDOWS\javalauncheraaaaacbn though. I once had a third-party program called Java Launcher. It was related to development. It wasn't long after that I found it very useless and removed it. I'm assuming it is a leftover file that can be removed. Should I delete it?

When I try to go to any page on Kaspersky's website, it doesn't open. My browser just says it's not a domain. Kaspersky still exists right? Why is it not opening?

Here's the DDS:

Deckard's System Scanner v20071014.68
Run by Rick on 2008-07-10 12:55:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rick.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:47 PM, on 7/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\PC Cleaning\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rick.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

--
End of file - 1523 bytes

-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-10-24 00:30:29 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-10-24 00:24:23 0 d--hs---- C:\Documents and Settings\Darcy\UserData
2008-10-23 23:44:39 94208 --a----c- C:\WINDOWS\system32\W32N50CT.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 17142 --a------ C:\WINDOWS\system32\CBTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-10-23 23:44:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-10-23 23:40:37 0 d-------- C:\Documents and Settings\Darcy\Application Data\Identities
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Templates
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Start Menu
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\SendTo
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\PrintHood
2008-10-23 23:40:21 2568192 --a------ C:\Documents and Settings\Darcy\NTUSER.DAT
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\NetHood
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\My Documents
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Local Settings
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Favorites
2008-10-23 23:40:21 0 d-------- C:\Documents and Settings\Darcy\Desktop
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Cookies
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\Application Data
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Application Data\Microsoft
2008-10-23 23:32:21 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-10-23 23:32:16 0 d-------- C:\WINDOWS\Prefetch
2008-10-23 23:32:15 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-10-23 23:32:13 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-10-23 23:32:13 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-10-23 23:20:49 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-10-23 23:20:49 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-10-23 23:20:48 229376 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-10-23 23:12:28 0 d-------- C:\WINDOWS\system32\xircom
2008-10-23 23:12:28 0 d-------- C:\Program Files\microsoft frontpage
2008-10-23 23:12:18 225280 ---h---c- C:\Documents and Settings\Default User\NTUSER.DAT
2008-10-23 23:12:12 0 d--h----- C:\WINDOWS\$hf_mig$
2008-10-23 23:08:48 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-10-23 23:08:17 0 dr------- C:\WINDOWS\Offline Web Pages
2008-10-23 23:08:17 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-10-23 23:07:47 0 d--h----- C:\Program Files\WindowsUpdate
2008-10-23 23:06:57 0 d-------- C:\WINDOWS\system32\DirectX
2008-10-23 23:06:12 0 d---s---- C:\WINDOWS\Tasks
2008-10-23 23:06:10 0 d-------- C:\Program Files\Common Files\MSSoap
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\system32\Macromed
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\srchasst
2008-10-23 23:05:53 0 d-------- C:\Program Files\Movie Maker
2008-10-23 23:05:42 0 d-------- C:\WINDOWS\system32\Restore
2008-10-23 23:05:08 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-10-23 23:04:27 0 d-------- C:\WINDOWS\Registration
2008-10-23 23:03:08 0 d-------- C:\Program Files\Online Services
2008-10-23 23:02:50 0 d-------- C:\Program Files\MSN Gaming Zone
2008-10-23 23:01:55 0 d-------- C:\Program Files\Windows NT
2008-10-23 23:01:51 0 d-------- C:\WINDOWS\system32\MsDtc
2008-10-23 23:01:49 0 d-------- C:\WINDOWS\system32\Com
2008-10-23 15:38:16 0 d--hs---- C:\WINDOWS\Installer
2008-10-23 15:38:14 0 d-------- C:\Program Files\Common Files\ODBC
2008-10-23 15:38:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-10-23 15:38:07 0 dr------- C:\Program Files
2008-10-23 15:38:07 0 d-------- C:\Program Files\Common Files
2008-10-23 15:37:22 0 dr------- C:\Documents and Settings\All Users\Documents
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-10-23 15:37:21 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot
2008-10-23 15:36:41 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-10-23 15:36:41 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-10-23 15:36:40 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-10-23 15:36:40 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-23 15:19:42 0 d-------- C:\Documents and Settings
2008-10-23 15:15:29 0 d--hs---- C:\System Volume Information
2008-10-23 15:09:04 0 d-------- C:\WINDOWS
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\WinSxS
2008-10-23 15:09:04 0 dr------- C:\WINDOWS\Web
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\twain_32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wins
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wbem
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\usmt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\spool
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ShellExt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\Setup
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ras
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\oobe
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\npp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\inetsrv
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\IME
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\icsxml
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ias
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\export
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-10-23 15:09:04 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\dhcp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3076
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\2052
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1054
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1042
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1041
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1037
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1033
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1031
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1028
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1025
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\security
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Resources
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\repair
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Provisioning
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\PeerNet
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\pchealth
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msapps
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msagent
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Media
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\java
2008-10-23 15:09:04 0 d--h----- C:\WINDOWS\inf
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\ime
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Help
2008-10-23 15:09:04 0 dr--s---- C:\WINDOWS\Fonts
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Driver Cache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Debug
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Cursors
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Connection Wizard
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\AppPatch
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\addins
2008-07-10 12:42:37 0 d-------- C:\Program Files\Java
2008-07-10 12:42:24 0 d-------- C:\Program Files\Common Files\Java
2008-07-09 00:38:02 0 d-------- C:\Documents and Settings\Rick\Application Data\GrabPro
2008-07-08 20:04:21 0 d-------- C:\PC Cleaning
2008-07-07 21:08:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 20:36:46 0 d-------- C:\Documents and Settings\Rick\Application Data\Winamp
2008-07-07 20:36:45 0 d-------- C:\Program Files\Winamp
2008-07-07 19:38:16 0 d--h----- C:\$AVG8.VAULT$
2008-07-06 01:32:37 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-06 01:32:29 0 d-------- C:\Program Files\AVG
2008-07-05 15:21:34 0 d-------- C:\Program Files\Panda Security
2008-07-05 11:07:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-05 10:48:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-04 09:22:16 0 d-------- C:\Program Files\Trend Micro
2008-07-02 11:38:03 2883584 --a------ C:\Documents and Settings\Rick\ntuser.dat
2008-07-02 11:37:58 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-02 10:26:05 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-02 10:26:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-02 10:26:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-02 10:26:04 442368 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-02 10:26:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-01 22:55:09 683341 --a------ C:\WINDOWS\system32\ChaNinja Style.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer 3.5>
2008-07-01 22:53:02 0 d--h----- C:\Documents and Settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}
2008-07-01 22:52:56 0 d-------- C:\Program Files\Stardock
2008-06-23 01:24:56 0 d-------- C:\Documents and Settings\Rick\Application Data\Anvil Studio
2008-06-17 14:47:53 0 d-------- C:\Documents and Settings\Rick\Application Data\DivX
2008-06-17 14:46:15 0 d-------- C:\Program Files\virtualdub
2008-06-17 11:16:56 0 d-------- C:\Program Files\DivX
2008-06-17 01:45:44 0 d-------- C:\Documents and Settings\Rick\Application Data\Talkback
2008-06-17 01:45:25 0 d-------- C:\Documents and Settings\Rick\Application Data\Thunderbird
2008-06-13 21:50:42 0 d-------- C:\Program Files\HJSplit
2008-06-12 16:25:14 0 d-------- C:\PSFONTS
2008-06-11 21:18:42 0 d-------- C:\Documents and Settings\Rick\Application Data\SpinTop
2008-06-11 19:13:07 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Documents and Settings\Rick\Application Data\NCH Swift Sound
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\Rick\Application Data\PlayFirst
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-10 20:41:00 0 d-------- C:\Documents and Settings\Rick\Application Data\iWinArcade
2008-06-10 20:40:40 0 d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-06-10 14:59:11 0 d-------- C:\Documents and Settings\Rick\Application Data\LimeWire


-- Find3M Report ---------------------------------------------------------------

2008-10-23 15:37:21 62 --ahs---- C:\Documents and Settings\Rick\Application Data\desktop.ini
2008-07-10 12:33:55 0 d-------- C:\Program Files\Orbitdownloader
2008-07-09 20:48:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 16:06:02 0 d-------- C:\Program Files\Emulators
2008-07-09 15:54:36 0 d-------- C:\Documents and Settings\Rick\Application Data\Orbit
2008-07-07 01:58:38 0 d-------- C:\Program Files\Audacity
2008-07-01 09:31:18 0 d-------- C:\Program Files\FLV Player
2008-06-17 10:46:46 0 d-------- C:\Program Files\Easy Video Downloader
2008-06-13 19:57:44 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-12 18:26:57 0 d-------- C:\Program Files\GlovePIE030
2008-06-09 09:51:11 0 d-------- C:\Documents and Settings\Rick\Application Data\GetRightToGo
2008-06-08 19:08:25 78 --a------ C:\Documents and Settings\Rick\Application Data\mainhst.zgh
2008-06-08 18:33:42 0 d-------- C:\Documents and Settings\Rick\Application Data\Adobe
2008-06-08 16:59:25 101 --a------ C:\WINDOWS\system32\cxcncwpejgtaaaaaedp
2008-06-08 16:59:25 100 --a------ C:\WINDOWS\javalauncheraaaaacbn
2008-06-07 18:07:17 0 d-------- C:\Documents and Settings\Rick\Application Data\Sun
2008-06-07 08:58:23 0 d-------- C:\Documents and Settings\Rick\Application Data\Macromedia
2008-06-07 08:52:26 0 d-------- C:\Documents and Settings\Rick\Application Data\Mozilla
2008-06-07 08:38:33 0 d-------- C:\Documents and Settings\Rick\Application Data\Identities
2008-06-07 07:32:58 0 d-------- C:\Program Files\n-game version 1.4
2008-06-07 07:12:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-06 17:29:38 0 d-------- C:\Program Files\UnH Solutions
2008-06-06 17:28:36 0 d-------- C:\Program Files\QuickTime Alternative
2008-06-06 17:20:59 0 d-------- C:\Program Files\Game Elements
2008-06-06 17:20:01 0 d-------- C:\Program Files\7-Zip
2008-06-06 17:19:45 0 d-------- C:\Program Files\ExtractNow
2008-06-06 16:27:30 0 d-------- C:\Program Files\SDFix
2008-05-30 09:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 09:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 09:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 09:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 09:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/06/2008 01:32 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

C:\Documents and Settings\Rick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=0 (0x0)
"NoActiveDesktopChanges"=00000000
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"




-- End of Deckard's System Scanner: finished at 2008-07-10 12:57:55 ------------

Edited by Svorax, 10 July 2008 - 05:52 PM.


#9 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 11 July 2008 - 09:14 AM

There's a program on here called MSXML Parser. What is it for and is it worth having?

It's from Microsoft and included in some of its products like Internet Explorer for dealing with XML. It's probably best to keep it.

since the cleaning, there was one point when the touchpad started acting very odd and was hard to control at first. But, after I used it for a little while, it just slowly fixed itself. Was this just calibration?

I have no idea what that is about, it may have been calibration but I'm fairly certain it's not malware related. If it is working OK now, it should be fine.

Now for the files you're wondering about. C:\WINDOWS\system32\cxcncwpejgtaaaaaedp is completely unknown to me. I might know something about C:\WINDOWS\javalauncheraaaaacbn though. I once had a 3rd party program called java launcher. It was related to development. It wasn't long after that I found it very useless and removed it. I'm assuming it is a leftover file that can be removed. Should I delete it?

They both may be leftovers from java launcher; they are both almost certainly related to each other. I'll move them with OTMoveIt2, which effectively quarantines them. From there, if no issues arise from removing them, we can delete them completely from your computer.

When I try to go to any page on Kaspersky's website, it doesn't open. My browser just says it's not a domain. Kaspersky still exists right? Why is it not opening?

That's strange, Kaspersky still exists and the link works fine for me. I'll check your hosts file to see if it's blocked. What browser are you using?


Step 1:
Go to Start>Run and highlight the contents of the box below then use CTRL+C to copy them and CTRL+V to paste them into the run dialogue box.

cmd /c copy C:\WINDOWS\system32\drivers\etc\hosts "%userprofile%\desktop\hosts.txt"

Click OK. Notepad will then open with your hosts file. Copy and paste the whole hosts file in your next reply.


Step 2:
Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Step 3:
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
C:\WINDOWS\system32\cxcncwpejgtaaaaaedp
C:\WINDOWS\javalauncheraaaaacbn
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2

Step 4:
Run DSS again and in your next reply please post:
  • The hosts file from step 1
  • The Eset NOD32 results
  • The OTMoveIt2 results
  • A new DSS log
Also please let me know how your computer is running.

#10 Svorax

Svorax
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 11 July 2008 - 12:39 PM

I only use Firefox. Here's the hosts file:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Looks like I got a trojan:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3263 (20080711)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=4abeb8991da5cf40b203714cdb94e5d0
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-07-11 06:30:21
# local_time=2008-07-11 10:30:21 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=96788
# found=1
# scan_time=2036
C:\WINDOWS\Web\def.htm Win32/TrojanDownloader.FakeAlert.AV trojan 3ECEB4349DA62463A5ABC737B3644A3B

The OTMoveIt2 result:

C:\WINDOWS\system32\cxcncwpejgtaaaaaedp moved successfully.
C:\WINDOWS\javalauncheraaaaacbn moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07112008_103304

And the latest DSS:

Deckard's System Scanner v20071014.68
Run by Rick on 2008-07-11 10:34:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rick.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:59 AM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Atievxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PC Cleaning\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rick.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.java.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab

--
End of file - 1734 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-10-24 00:30:29 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-10-24 00:24:23 0 d--hs---- C:\Documents and Settings\Darcy\UserData
2008-10-23 23:44:39 94208 --a----c- C:\WINDOWS\system32\W32N50CT.dll <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 17142 --a------ C:\WINDOWS\system32\CBTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-10-23 23:44:39 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-10-23 23:44:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-10-23 23:40:37 0 d-------- C:\Documents and Settings\Darcy\Application Data\Identities
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Templates
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Start Menu
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\SendTo
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\PrintHood
2008-10-23 23:40:21 2568192 --a------ C:\Documents and Settings\Darcy\NTUSER.DAT
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\NetHood
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\My Documents
2008-10-23 23:40:21 0 d--h----- C:\Documents and Settings\Darcy\Local Settings
2008-10-23 23:40:21 0 dr------- C:\Documents and Settings\Darcy\Favorites
2008-10-23 23:40:21 0 d-------- C:\Documents and Settings\Darcy\Desktop
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Cookies
2008-10-23 23:40:21 0 dr-h----- C:\Documents and Settings\Darcy\Application Data
2008-10-23 23:40:21 0 d---s---- C:\Documents and Settings\Darcy\Application Data\Microsoft
2008-10-23 23:32:21 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-10-23 23:32:16 0 d-------- C:\WINDOWS\Prefetch
2008-10-23 23:32:15 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-10-23 23:32:13 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2008-10-23 23:32:13 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-10-23 23:32:13 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-10-23 23:20:49 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-10-23 23:20:49 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-10-23 23:20:49 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-10-23 23:20:48 229376 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-10-23 23:12:28 0 d-------- C:\WINDOWS\system32\xircom
2008-10-23 23:12:28 0 d-------- C:\Program Files\microsoft frontpage
2008-10-23 23:12:18 225280 ---h---c- C:\Documents and Settings\Default User\NTUSER.DAT
2008-10-23 23:12:12 0 d--h----- C:\WINDOWS\$hf_mig$
2008-10-23 23:08:48 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-10-23 23:08:17 0 dr------- C:\WINDOWS\Offline Web Pages
2008-10-23 23:08:17 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-10-23 23:07:47 0 d--h----- C:\Program Files\WindowsUpdate
2008-10-23 23:06:57 0 d-------- C:\WINDOWS\system32\DirectX
2008-10-23 23:06:12 0 d---s---- C:\WINDOWS\Tasks
2008-10-23 23:06:10 0 d-------- C:\Program Files\Common Files\MSSoap
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\system32\Macromed
2008-10-23 23:06:04 0 d-------- C:\WINDOWS\srchasst
2008-10-23 23:05:53 0 d-------- C:\Program Files\Movie Maker
2008-10-23 23:05:42 0 d-------- C:\WINDOWS\system32\Restore
2008-10-23 23:05:08 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-10-23 23:04:27 0 d-------- C:\WINDOWS\Registration
2008-10-23 23:03:08 0 d-------- C:\Program Files\Online Services
2008-10-23 23:02:50 0 d-------- C:\Program Files\MSN Gaming Zone
2008-10-23 23:01:55 0 d-------- C:\Program Files\Windows NT
2008-10-23 23:01:51 0 d-------- C:\WINDOWS\system32\MsDtc
2008-10-23 23:01:49 0 d-------- C:\WINDOWS\system32\Com
2008-10-23 15:38:16 0 d--hs---- C:\WINDOWS\Installer
2008-10-23 15:38:14 0 d-------- C:\Program Files\Common Files\ODBC
2008-10-23 15:38:08 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-10-23 15:38:07 0 dr------- C:\Program Files
2008-10-23 15:38:07 0 d-------- C:\Program Files\Common Files
2008-10-23 15:37:22 0 dr------- C:\Documents and Settings\All Users\Documents
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-10-23 15:37:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-10-23 15:37:21 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-10-23 15:37:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-10-23 15:37:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-10-23 15:37:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-10-23 15:36:47 0 d-------- C:\WINDOWS\system32\CatRoot
2008-10-23 15:36:41 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-10-23 15:36:41 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-10-23 15:36:40 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-10-23 15:36:40 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-23 15:19:42 0 d-------- C:\Documents and Settings
2008-10-23 15:15:29 0 d--hs---- C:\System Volume Information
2008-10-23 15:09:04 0 d-------- C:\WINDOWS
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\WinSxS
2008-10-23 15:09:04 0 dr------- C:\WINDOWS\Web
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\twain_32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wins
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\wbem
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\usmt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\spool
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ShellExt
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\Setup
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ras
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\oobe
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\npp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\inetsrv
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\IME
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\icsxml
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\ias
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\export
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-10-23 15:09:04 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\dhcp
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\3076
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\2052
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1054
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1042
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1041
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1037
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1033
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1031
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1028
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system32\1025
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\system
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\security
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Resources
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\repair
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Provisioning
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\PeerNet
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\pchealth
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\mui
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msapps
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\msagent
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Media
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\java
2008-10-23 15:09:04 0 d--h----- C:\WINDOWS\inf
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\ime
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Help
2008-10-23 15:09:04 0 dr--s---- C:\WINDOWS\Fonts
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Driver Cache
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Debug
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Cursors
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Connection Wizard
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\Config
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\AppPatch
2008-10-23 15:09:04 0 d-------- C:\WINDOWS\addins
2008-07-11 09:54:55 0 d-------- C:\WINDOWS\LastGood
2008-07-11 09:49:53 0 d-------- C:\Program Files\EsetOnlineScanner
2008-07-10 12:42:37 0 d-------- C:\Program Files\Java
2008-07-10 12:42:24 0 d-------- C:\Program Files\Common Files\Java
2008-07-09 00:38:02 0 d-------- C:\Documents and Settings\Rick\Application Data\GrabPro
2008-07-08 20:04:21 0 d-------- C:\PC Cleaning
2008-07-07 21:08:46 0 d-------- C:\WINDOWS\system32\NtmsData
2008-07-07 20:36:46 0 d-------- C:\Documents and Settings\Rick\Application Data\Winamp
2008-07-07 20:36:45 0 d-------- C:\Program Files\Winamp
2008-07-07 19:38:16 0 d--h----- C:\$AVG8.VAULT$
2008-07-06 01:32:37 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-06 01:32:29 0 d-------- C:\Program Files\AVG
2008-07-05 15:21:34 0 d-------- C:\Program Files\Panda Security
2008-07-05 11:07:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-05 10:48:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-07-04 09:22:16 0 d-------- C:\Program Files\Trend Micro
2008-07-02 11:38:03 2883584 --a------ C:\Documents and Settings\Rick\ntuser.dat
2008-07-02 11:37:58 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-02 10:26:05 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-02 10:26:05 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-02 10:26:05 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-02 10:26:04 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-02 10:26:04 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-02 10:26:04 442368 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-02 10:26:04 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-02 10:26:04 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-01 22:55:09 683341 --a------ C:\WINDOWS\system32\ChaNinja Style.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer 3.5>
2008-07-01 22:53:02 0 d--h----- C:\Documents and Settings\All Users\Application Data\{A850D4D9-871B-4234-908D-21C457767270}
2008-07-01 22:52:56 0 d-------- C:\Program Files\Stardock
2008-06-23 01:24:56 0 d-------- C:\Documents and Settings\Rick\Application Data\Anvil Studio
2008-06-17 14:47:53 0 d-------- C:\Documents and Settings\Rick\Application Data\DivX
2008-06-17 14:46:15 0 d-------- C:\Program Files\virtualdub
2008-06-17 11:16:56 0 d-------- C:\Program Files\DivX
2008-06-17 01:45:44 0 d-------- C:\Documents and Settings\Rick\Application Data\Talkback
2008-06-17 01:45:25 0 d-------- C:\Documents and Settings\Rick\Application Data\Thunderbird
2008-06-13 21:50:42 0 d-------- C:\Program Files\HJSplit
2008-06-12 16:25:14 0 d-------- C:\PSFONTS
2008-06-11 21:18:42 0 d-------- C:\Documents and Settings\Rick\Application Data\SpinTop
2008-06-11 19:13:07 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-11 19:12:51 0 d-------- C:\Documents and Settings\Rick\Application Data\NCH Swift Sound


-- Find3M Report ---------------------------------------------------------------

2008-10-23 15:37:21 62 --ahs---- C:\Documents and Settings\Rick\Application Data\desktop.ini
2008-07-10 13:48:51 0 d-------- C:\Program Files\Emulators
2008-07-10 12:33:55 0 d-------- C:\Program Files\Orbitdownloader
2008-07-09 20:48:57 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 15:54:36 0 d-------- C:\Documents and Settings\Rick\Application Data\Orbit
2008-07-07 01:58:38 0 d-------- C:\Program Files\Audacity
2008-07-06 21:04:20 0 d-------- C:\Documents and Settings\Rick\Application Data\LimeWire
2008-07-01 09:31:18 0 d-------- C:\Program Files\FLV Player
2008-06-17 10:46:46 0 d-------- C:\Program Files\Easy Video Downloader
2008-06-13 19:57:44 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-12 18:26:57 0 d-------- C:\Program Files\GlovePIE030
2008-06-10 21:13:41 0 d-------- C:\Documents and Settings\Rick\Application Data\PlayFirst
2008-06-10 20:41:00 0 d-------- C:\Documents and Settings\Rick\Application Data\iWinArcade
2008-06-09 09:51:11 0 d-------- C:\Documents and Settings\Rick\Application Data\GetRightToGo
2008-06-08 19:08:25 78 --a------ C:\Documents and Settings\Rick\Application Data\mainhst.zgh
2008-06-08 18:33:42 0 d-------- C:\Documents and Settings\Rick\Application Data\Adobe
2008-06-07 18:07:17 0 d-------- C:\Documents and Settings\Rick\Application Data\Sun
2008-06-07 08:58:23 0 d-------- C:\Documents and Settings\Rick\Application Data\Macromedia
2008-06-07 08:52:26 0 d-------- C:\Documents and Settings\Rick\Application Data\Mozilla
2008-06-07 08:38:33 0 d-------- C:\Documents and Settings\Rick\Application Data\Identities
2008-06-07 07:32:58 0 d-------- C:\Program Files\n-game version 1.4
2008-06-07 07:12:33 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-06 17:29:38 0 d-------- C:\Program Files\UnH Solutions
2008-06-06 17:28:36 0 d-------- C:\Program Files\QuickTime Alternative
2008-06-06 17:20:59 0 d-------- C:\Program Files\Game Elements
2008-06-06 17:20:01 0 d-------- C:\Program Files\7-Zip
2008-06-06 17:19:45 0 d-------- C:\Program Files\ExtractNow
2008-06-06 16:27:30 0 d-------- C:\Program Files\SDFix
2008-05-30 09:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 09:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 09:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 09:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 09:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 09:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/06/2008 01:32 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

C:\Documents and Settings\Rick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"NoActiveDesktopChanges"=00000000
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=0 (0x0)
"NoActiveDesktopChanges"=00000000
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"




-- End of Deckard's System Scanner: finished at 2008-07-11 10:36:35 ------------

The computer seems to be running very well now - smoothly. I haven't had any errors like I used to, and it's back to normal speed. It's definitely better.

Edited by Svorax, 11 July 2008 - 12:46 PM.


#11 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 12 July 2008 - 12:03 PM

Looks like I got a trojan:

That's just a leftover from your original infection, on its own it's harmless enough but I'll get rid of it now.

Step 1:
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
C:\WINDOWS\Web\def.htm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt2

Your logs are now clean. :D :D
If you still feel you are having any issues please let me know now, otherwise read through and proceed with the following:


Step 1:
Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
You can also delete any logs we produced.

You can keep ATF cleaner and Erunt if you find them useful.


Step 2:
Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • In the Startup type dropdown box, change the setting from Automatic to Manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Install Malwarebytes & update and scan with it regularly
    Malwarebytes is a free-for-personal-use on-demand scanner which is developed by active members of the malware removal community. It detects and removes many modern infections. The paid version offers real-time protection.
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day-to-day basis. You should update every week at the very least.
Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware. For further tips, it's well worth a read: http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
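The hosts-file blocking described in the reply above, shown as an added example that is not code from the post or from the MVPS project. It assumes a constructed hosts file and demonstrates the resolver rule that matters for blocking: exact, case-insensitive hostname matches, first entry wins, and only loopback or unspecified addresses actually sinkhole a site.

```python
"""Added example (not from the original post): how a hosts file blocks a website.
Windows consults %SystemRoot%\\System32\\drivers\\etc\\hosts before asking DNS;
a name mapped to 0.0.0.0 or 127.0.0.1 never reaches the real site.
The hosts content below is constructed for illustration, not a real file."""
import ipaddress

# Constructed sample in the layout an MVPS-style hosts file uses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   <- typical default comment line
0.0.0.0  ads.example-tracker.test      # constructed blocking entry
0.0.0.0  www.malicious-site.test banner.malicious-site.test
# 0.0.0.0 commented-out.test  (a '#' line is ignored by the resolver)
192.0.2.10  intranet.example.test   # constructed: a normal, non-blocking mapping
"""

# Addresses that make an entry a "block" rather than a real mapping.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: address}. The first entry for a name wins, as in the resolver."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including inline ones
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # validate the address field
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def lookup(hosts, name):
    """Mimic the hosts-file stage of name resolution: exact match, case-insensitive.
    Returns the mapped address, or None when DNS would be consulted instead."""
    return hosts.get(name.lower())


def is_blocked(hosts, name):
    """True when the hosts file sinkholes the name to a loopback/unspecified address."""
    return lookup(hosts, name) in SINKHOLE_ADDRESSES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ["www.malicious-site.test", "malicious-site.test", "intranet.example.test"]:
        print(f"{host}: {'blocked' if is_blocked(hosts, host) else 'not blocked'}")
```

Note that `malicious-site.test` is not blocked even though `www.malicious-site.test` is: a hosts file cannot block a whole domain, only the exact names listed.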

#12 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 14 July 2008 - 02:45 PM

Glad we could be of some assistance. :thumbsup:

Since this issue appears resolved ... this Topic is now closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
