
Infected With Lop.


  • This topic is locked
9 replies to this topic

#1 Wassim


  • Members
  • 376 posts
  • OFFLINE
  • Gender:Male
  • Location:Byblos, Lebanon, Middle East.

Posted 11 July 2008 - 02:53 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:40 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\East-Tec Backup\etBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\IceChat7\IceChat7.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Data\Applications\Antivirus\HiJackThis.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Email Marketer Monitor] C:\Program Files\Email Marketer Business Edition\Monitor.exe
O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe
O4 - HKCU\..\Run: [East-Tec Backup 2008] "C:\Program Files\East-Tec Backup\etBackup.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7410 bytes
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"
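As an added example that is not part of this thread, here is a small Python detector for the autorun pattern visible in the log above: an O4 Run entry launched from an Application Data folder whose value name and folder name are strings of random lowercase words (the "default software style team" entry pointing at "title 64 default software\Readme Meal.exe"). The flagging rule is my own heuristic, based on the naming habit Lop-family adware is known for; the sample lines are copied from the posted log.

```python
"""Flag Lop-style autorun entries in a HijackThis log.

Heuristic (my assumption, not something the thread states): an O4 Run entry
is suspicious when its executable is launched from an Application Data
folder AND either the Run value name or the folder holding the executable
is a string of several random lowercase words or bare numbers.
"""
import ntpath  # Windows path semantics on any host OS
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# An unquoted command path ends at the first executable extension that is
# followed by whitespace, a comma (rundll32 style) or end of line.
EXE_END = re.compile(r"^(?P<path>.+?\.(?:exe|dll|cpl|scr|com|bat))(?=[\s,]|$)", re.I)


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list


def extract_path(cmd: str) -> str:
    """Pull the program path out of a Run value; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_END.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def is_word_salad(s: str) -> bool:
    """Three or more tokens that are all plain lowercase words or bare numbers."""
    tokens = s.split()
    return len(tokens) >= 3 and all(
        t.isdigit() or (t.isalpha() and t.islower()) for t in tokens
    )


def assess(hive: str, name: str, cmd: str):
    """Return a Finding for a suspicious entry, or None for a benign one."""
    path = extract_path(cmd)
    if "\\application data\\" not in path.lower():
        return None  # launched from a program or system folder: not this pattern
    reasons = ["executable launched from an Application Data folder"]
    if is_word_salad(name):
        reasons.append("Run value name is a random word string: %r" % name)
    folder = ntpath.basename(ntpath.dirname(path))
    if is_word_salad(folder):
        reasons.append("parent folder name is a random word string: %r" % folder)
    if len(reasons) < 2:
        return None  # Application Data alone is too weak to flag on its own
    return Finding(hive, name, path, reasons)


def scan_log(log_text: str):
    """Scan every O4 Run line of a HijackThis log; other sections are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            f = assess(m["hive"], m["name"], m["cmd"])
            if f:
                findings.append(f)
    return findings


# Subset of O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe
O4 - HKCU\..\Run: [East-Tec Backup 2008] "C:\Program Files\East-Tec Backup\etBackup.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.hive}] {f.name!r} -> {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, only the "default software style team" entry is reported; every vendor entry, quoted or not, passes.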


#2 htv8


  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands

Posted 13 July 2008 - 05:44 AM

Hello Wassim, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Thanks.



Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Uninstallations
Please uninstall any of the following programs using Add or Remove Programs if they are present. To do this, go to Start > Control Panel and double-click on Add or Remove Programs. From within Add or Remove Programs, highlight each of the following programs if present and select Remove:
- BitRoll
- Bitgrabber
- CiD Help
- CiD Manager
- Download Plugin for Internet Explorer
- Netpumper
- Zone Media

I also see FlashGet installed on your computer.
Be aware that the unregistered version of FlashGet seems to serve up ads in Internet Explorer that are downloaded from Cydoor servers. The registered version supposedly does not. Please also see this link: FlashGet.
In case you did not buy Flashget, I recommend you uninstall it because of this program's reputation. If you agree, remove FlashGet from Add or Remove Programs as well.

Now be sure to reboot.

Step #2: NoLop
Please download NoLop from any of the links below and save it to your Desktop.
(1) Download NoLop (NoLop.exe)
(2) Download NoLop (NoLop.exe)
(3) Download NoLop (NoLop.exe)

When the file has finished downloading:
1. Close any other programs you have running as this will require a reboot.
2. Double-click NoLop.exe to run it.
3. Click the Search and Destroy button.
<< Your computer will now be scanned for infected files. >>
4. When scanning is finished you will be prompted to reboot only if infected. Click OK.
5. Now click the REBOOT button.
6. A message should popup from NoLop. If not, double-click the program again and it will finish.
7. Please post the entire contents of C:\NoLop.log in your next reply.

-- If you receive an error: "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder, then rerun NoLop. Download mscomctl.ocx --


Step #3: Deckard's System Scanner (DSS)
Please download Deckard's System Scanner (DSS) from any of the links below and save it to your Desktop.
(1) Download Deckard's System Scanner (dss.exe)
(2) Download Deckard's System Scanner (dss.exe)

DSS will do the following:
- Create a new System Restore point in Windows XP and Vista.
- Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
- Check some important areas of your system and produce a report for an analyst to review.
- Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your Desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer Yes.

You must be logged onto an account with administrator privileges when using DSS.

To run the program:
1. Close all applications and windows so that you have nothing open and are at your Desktop.
2. Double-click on dss.exe to run DSS, and follow the prompts.
3. If your antivirus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized. (If not, they both can be found in the C:\Deckard\System Scanner folder.)
4. Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the entire contents of main.txt and the extra.txt in your next reply.

NOTES:
-- When running DSS, some firewalls may warn that it is trying to access the Internet (especially if you're asked to download the most current version of HijackThis); please ensure that you allow it permission to do so. --
-- If you get a warning from your antivirus while DSS is scanning, please allow DSS to continue as the scan is not harmful. --




So in your next reply, please post the entire contents of:
- C:\NoLop.log
- the entire contents of the DSS main.txt and extra.txt reports
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 Wassim

  • Topic Starter

  • Members
  • 376 posts
  • OFFLINE
  • Gender:Male
  • Location:Byblos, Lebanon, Middle East.

Posted 13 July 2008 - 02:32 PM

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Wassim\Desktop
[7/13/2008]
[10:03:51 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Acd Systems
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avira
C:\Documents and Settings\All Users\Application Data\Bitdefender
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Messenger Plus! -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nch Swift Sound
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Title 64 Default Software
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Adobe
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Wassim\Application Data\Acd Systems
C:\Documents and Settings\Wassim\Application Data\Adobe
C:\Documents and Settings\Wassim\Application Data\Ahead
C:\Documents and Settings\Wassim\Application Data\Apple Computer
C:\Documents and Settings\Wassim\Application Data\Bitdefender
C:\Documents and Settings\Wassim\Application Data\Desksoft
C:\Documents and Settings\Wassim\Application Data\Divx
C:\Documents and Settings\Wassim\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\Wassim\Application Data\Htnetmeter
C:\Documents and Settings\Wassim\Application Data\Icechat
C:\Documents and Settings\Wassim\Application Data\Identities
C:\Documents and Settings\Wassim\Application Data\Limewire
C:\Documents and Settings\Wassim\Application Data\Macromedia
C:\Documents and Settings\Wassim\Application Data\Malwarebytes
C:\Documents and Settings\Wassim\Application Data\Media Player Classic
C:\Documents and Settings\Wassim\Application Data\Microsoft
C:\Documents and Settings\Wassim\Application Data\Mozilla
C:\Documents and Settings\Wassim\Application Data\Nch Swift Sound
C:\Documents and Settings\Wassim\Application Data\Pointdev
C:\Documents and Settings\Wassim\Application Data\Real
C:\Documents and Settings\Wassim\Application Data\Skype
C:\Documents and Settings\Wassim\Application Data\Skypepm
C:\Documents and Settings\Wassim\Application Data\Steady Recorder -- EMPTY Directory
C:\Documents and Settings\Wassim\Application Data\Summitsoft
C:\Documents and Settings\Wassim\Application Data\Sun
C:\Documents and Settings\Wassim\Application Data\Thinstall
C:\Documents and Settings\Wassim\Application Data\Winamp

______________________________________________________________________

Deckard's System Scanner v20071014.68
Run by Wassim on 2008-07-13 22:24:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Wassim.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:53 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\East-Tec Backup\etBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\HJTHotkey\HJTHotkey.exe
C:\Documents and Settings\Wassim\Desktop\dss.exe
C:\Data\APPLIC~1\ANTIVI~1\Wassim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Email Marketer Monitor] C:\Program Files\Email Marketer Business Edition\Monitor.exe
O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe
O4 - HKCU\..\Run: [East-Tec Backup 2008] "C:\Program Files\East-Tec Backup\etBackup.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6730 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-11 19:52:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 19:58:20 0 d-------- C:\Documents and Settings\Wassim\Application Data\DeskSoft
2008-07-05 19:57:51 16896 --a------ C:\WINDOWS\system32\drivers\dsnpfd.sys <Not Verified; DeskSoft; NDIS packet redirector driver>
2008-07-05 19:57:51 0 d-------- C:\Program Files\BWMeter
2008-07-03 13:29:26 614 --a------ C:\WINDOWS\eReg.dat
2008-07-03 02:05:46 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-03 02:05:46 0 d-------- C:\Documents and Settings\Wassim\Application Data\skypePM
2008-07-03 02:04:37 0 d-------- C:\Documents and Settings\Wassim\Application Data\Skype
2008-07-03 02:03:39 0 d-------- C:\Program Files\Skype
2008-07-03 02:03:38 0 d-------- C:\Program Files\Common Files\Skype
2008-07-03 02:03:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-02 20:25:40 212 --a------ C:\delete.bat
2008-06-29 23:50:19 0 d-------- C:\Program Files\Winamp
2008-06-29 23:50:19 0 d-------- C:\Documents and Settings\Wassim\Application Data\Winamp
2008-06-27 00:20:19 0 d-------- C:\NoLopBackups
2008-06-24 10:24:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-24 10:24:29 0 d-------- C:\Documents and Settings\All Users\Application Data\title 64 default software
2008-06-24 10:23:59 0 d-------- C:\Program Files\Book Blah Hold
2008-06-24 10:23:34 0 d-------- C:\Program Files\Circle Developement
2008-06-24 00:15:10 3 --a------ C:\WINDOWS\system32\krx280.dat
2008-06-24 00:14:35 0 d-------- C:\Program Files\Email Sender Deluxe
2008-06-23 23:17:08 0 d-------- C:\Program Files\Email Marketer Business Edition
2008-06-23 23:03:21 0 d-------- C:\Program Files\fec
2008-06-23 19:35:37 0 d-------- C:\Program Files\Folder Guard Pro
2008-06-17 00:08:36 0 d-------- C:\Documents and Settings\Wassim\Application Data\HTNetMeter
2008-06-17 00:08:35 0 d-------- C:\Program Files\HooTech
2008-06-17 00:05:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-17 00:04:23 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-17 00:04:23 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-16 16:08:22 0 d--h----- C:\WINDOWS\PIF
2008-06-16 01:14:51 0 d-------- C:\Documents and Settings\Wassim\Application Data\Bitdefender
2008-06-16 01:14:38 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-16 01:09:43 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-13 20:34:08 441 --a------ C:\WINDOWS\system32\Infob.dat
2008-06-13 20:34:08 0 --a------ C:\WINDOWS\system32\Infoa.dat
2008-06-13 20:32:28 360 --a------ C:\WINDOWS\system32\treeinfo.dat
2008-06-13 20:32:27 0 d-------- C:\Y.D.T
2008-06-13 20:32:24 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2008-06-13 20:32:17 0 d-------- C:\Program Files\E.M. Youtube Video Download Tool


-- Find3M Report ---------------------------------------------------------------

2008-07-13 21:56:53 0 d-------- C:\Program Files\FlashGet
2008-07-10 23:46:04 0 d-------- C:\Documents and Settings\Wassim\Application Data\LimeWire
2008-07-09 19:10:24 0 d-------- C:\Documents and Settings\Wassim\Application Data\IceChat
2008-07-03 17:33:50 0 d-------- C:\Documents and Settings\Wassim\Application Data\Steady Recorder
2008-07-03 14:23:30 0 d-------- C:\Documents and Settings\Wassim\Application Data\Apple Computer
2008-07-03 02:03:38 0 d-------- C:\Program Files\Common Files
2008-06-17 19:36:35 0 d-------- C:\Program Files\PingPlotter Pro
2008-06-17 19:33:50 0 d-------- C:\Documents and Settings\Wassim\Application Data\Pointdev
2008-06-17 19:33:49 0 d-------- C:\Program Files\Pointdev
2008-06-17 19:33:14 0 d-------- C:\Program Files\EasyPHP 2.0b1
2008-06-17 19:32:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-07 23:27:07 0 d-------- C:\Program Files\Apache Software Foundation
2008-06-01 21:22:12 4100 --a------ C:\WINDOWS\system32\hdvirffo.dll
2008-05-26 00:57:52 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-25 19:44:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-25 19:44:23 0 d-------- C:\Documents and Settings\Wassim\Application Data\Mozilla
2008-05-24 16:52:54 0 d-------- C:\Program Files\MessengerDiscovery
2008-05-24 16:40:44 0 d-------- C:\Program Files\MSN Messenger
2008-05-22 23:53:25 0 d-------- C:\Program Files\iTunes
2008-05-22 23:53:16 0 d-------- C:\Program Files\iPod
2008-05-22 23:52:58 0 d-------- C:\Program Files\Bonjour
2008-05-22 23:52:47 0 d-------- C:\Program Files\QuickTime
2008-05-22 23:51:52 0 d-------- C:\Program Files\Apple Software Update
2008-05-22 23:51:30 0 d-------- C:\Program Files\Common Files\Apple
2008-05-21 12:30:55 0 d-------- C:\Documents and Settings\Wassim\Application Data\ACD Systems
2008-05-21 12:30:31 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-21 12:30:19 0 d-------- C:\Program Files\ACD Systems
2008-05-21 12:24:59 0 d-------- C:\Program Files\Nero
2008-05-21 12:24:51 0 d-------- C:\Program Files\Common Files\Nero
2008-05-20 01:44:03 0 d-------- C:\Documents and Settings\Wassim\Application Data\Media Player Classic
2008-05-20 01:37:20 0 d-------- C:\Program Files\XP Codec Pack
2008-05-20 01:35:54 0 d-------- C:\Program Files\DivX
2008-05-19 19:37:02 0 d-------- C:\Program Files\HJTHotkey
2008-05-17 01:15:31 0 d-------- C:\Program Files\Boson Software
2008-05-17 01:15:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-17 00:41:08 0 d-------- C:\Documents and Settings\Wassim\Application Data\Summitsoft
2008-05-14 23:37:04 0 d-------- C:\Documents and Settings\Wassim\Application Data\Malwarebytes
2008-05-13 22:51:21 0 d-------- C:\Program Files\IceChat7
2008-05-11 20:38:27 46 --a------ C:\WINDOWS\system32\winitn.dll
2008-05-11 20:38:27 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-05-11 20:38:27 2535424 --a------ C:\WINDOWS\system32\agsaamj.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-05-11 20:38:27 90112 --a------ C:\WINDOWS\system32\agsaami.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-05-11 20:38:27 987136 --a------ C:\WINDOWS\system32\agsaamh.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCDGrabber2.dll Module>
2008-05-11 20:38:27 610304 --a------ C:\WINDOWS\system32\agsaamg.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFile3 Module>
2008-05-11 20:38:27 372736 --a------ C:\WINDOWS\system32\agsaamc.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFileWMA3 Module>
2008-05-11 20:38:27 331776 --a------ C:\WINDOWS\system32\agsaama.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer3 Module>
2008-05-11 20:38:26 196608 --a------ C:\WINDOWS\system32\maag.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-05-11 20:38:26 46 --a------ C:\WINDOWS\system32\kakle.dll
2008-05-11 20:38:26 1212416 --a------ C:\WINDOWS\system32\ckll.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-05-11 20:38:26 1245184 --a------ C:\WINDOWS\system32\bkll.dll <Not Verified; NCT Company Ltd.; NCTRMFile ActiveX DLL>
2008-05-11 20:38:26 1986560 --a------ C:\WINDOWS\system32\akll.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-04-26 22:43:31 62 --ahs---- C:\Documents and Settings\Wassim\Application Data\desktop.ini
2008-04-26 19:52:04 0 -rahs---- C:\MSDOS.SYS
2008-04-26 19:52:04 0 -rahs---- C:\IO.SYS
2008-04-26 19:52:04 0 --a------ C:\CONFIG.SYS
2008-04-26 19:52:04 0 --a------ C:\AUTOEXEC.BAT
2008-04-26 19:49:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [05/05/2005 03:28 AM C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [05/04/2005 04:43 AM C:\WINDOWS\ALCMTR.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/15/2005 12:20 PM]
"nwiz"="nwiz.exe" [06/15/2005 12:20 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/15/2005 12:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [01/21/2003 10:19 AM]
"USB Antivirus"="C:\Program Files\USB Disk Security\USBGuard.exe" [04/16/2008 01:53 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/12/2008 12:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [04/02/2007 04:48 PM]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 03:49 PM]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [01/05/2008 12:00 AM]
"Email Marketer Monitor"="C:\Program Files\Email Marketer Business Edition\Monitor.exe" []
"default software style team"="C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe" [07/13/2008 09:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"East-Tec Backup 2008"="C:\Program Files\East-Tec Backup\etBackup.exe" [04/07/2008 03:41 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]

C:\Documents and Settings\Wassim\Start Menu\Programs\Startup\
BWMeter.lnk - C:\Program Files\BWMeter\BWMeter.exe [7/5/2008 7:57:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f9234b6-358c-11dd-8ceb-000acd0e6c77}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-13 22:25:37 ------------


The extra.txt log did not open, nor was I able to find it in the Deckard's folder on C:
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"

#4 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 July 2008 - 05:27 PM

Hello again, Wassim.



Please try the following:
  • Click Start and then Run to bring up the Run box.
  • Copy and paste the contents of this quote box into the Open: field:

    "%userprofile%\Desktop\dss.exe" /config

  • Close all other open windows.
  • Click OK.
  • A window will now open. Click Check All and then click Scan!.

    When the scan is complete, two text files will open in Notepad: main.txt <- this one will be maximized and extra.txt <- this one will be minimized. (If not, they both can be found in the C:\Deckard\System Scanner folder.)
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the entire contents of main.txt and the extra.txt in your next reply.
Performing the above instructions should provide both logs this time.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 Wassim

Wassim
  • Topic Starter

  • Members
  • 376 posts
  • Gender:Male
  • Location:Byblos, Lebanon, Middle East.

Posted 13 July 2008 - 05:31 PM

Deckard's System Scanner v20071014.68
Run by Wassim on 2008-07-14 01:25:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
84: 2008-07-13 22:25:51 UTC - RP84 - Deckard's System Scanner Restore Point
83: 2008-07-13 09:18:53 UTC - RP83 - System Checkpoint
82: 2008-07-11 17:12:16 UTC - RP82 - System Checkpoint
81: 2008-07-10 11:50:18 UTC - RP81 - System Checkpoint
80: 2008-07-09 10:40:20 UTC - RP80 - System Checkpoint


-- First Restore Point --
1: 2008-04-26 17:00:28 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Wassim.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:18 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\East-Tec Backup\etBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\IceChat7\IceChat7.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wassim\Desktop\dss.exe
C:\Data\APPLIC~1\ANTIVI~1\Wassim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Email Marketer Monitor] C:\Program Files\Email Marketer Business Edition\Monitor.exe
O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe
O4 - HKCU\..\Run: [East-Tec Backup 2008] "C:\Program Files\East-Tec Backup\etBackup.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6764 bytes

-- HijackThis Fixed Entries (C:\Data\APPLIC~1\ANTIVI~1\backups\) ---------------

backup-20080414-225856-665 O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
backup-20080414-225856-886 O4 - HKLM\..\Run: [Barsaka] explorer.exe
backup-20080414-225856-969 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20080414-225947-643 O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
backup-20080420-214103-364 O2 - BHO: (no name) - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - (no file)
backup-20080420-214103-522 F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
backup-20080420-214103-605 F3 - REG:win.ini: load=
backup-20080420-214103-760 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20080506-184651-924 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080626-002225-198 O4 - HKCU\..\Run: [Cornfor] C:\DOCUME~1\Wassim\APPLIC~1\BOOKBL~1\mp3flaw.exe
backup-20080627-003645-380 O4 - HKCU\..\Run: [Cornfor] C:\DOCUME~1\Wassim\APPLIC~1\BOOKBL~1\mp3flaw.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 dsnpfd (DeskSoft Service) - c:\windows\system32\drivers\dsnpfd.sys <Not Verified; DeskSoft; NDIS packet redirector driver>
R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>

S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 ZSMC301b (VIMICRO USB PC Camera 301x) - c:\windows\system32\drivers\usbvm31b.sys <Not Verified; VM; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 656)
2006-01-26 20:19:52 73728 --a------ C:\WINDOWS\system32\sockspy.dll
2005-09-23 07:28:38 83456 --a------ C:\WINDOWS\system32\dfshim.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:52 270848 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2006-05-15 18:02:16 58368 --a------ C:\Program Files\Softwin\BitDefender10\bdshelxt.dll <Not Verified; ; BDShellExt Module>
2004-12-27 11:56:08 121344 --a------ C:\Program Files\WinRAR\RarExt.dll

C:\WINDOWS\system32\rundll32.exe (pid 1152)
2006-01-26 20:19:52 73728 --a------ C:\WINDOWS\system32\sockspy.dll


-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-13 22:45:05 0 d-------- C:\Program Files\AIRC
2008-07-11 19:52:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 19:58:20 0 d-------- C:\Documents and Settings\Wassim\Application Data\DeskSoft
2008-07-05 19:57:51 16896 --a------ C:\WINDOWS\system32\drivers\dsnpfd.sys <Not Verified; DeskSoft; NDIS packet redirector driver>
2008-07-05 19:57:51 0 d-------- C:\Program Files\BWMeter
2008-07-03 13:29:26 614 --a------ C:\WINDOWS\eReg.dat
2008-07-03 02:05:46 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-03 02:05:46 0 d-------- C:\Documents and Settings\Wassim\Application Data\skypePM
2008-07-03 02:04:37 0 d-------- C:\Documents and Settings\Wassim\Application Data\Skype
2008-07-03 02:03:39 0 d-------- C:\Program Files\Skype
2008-07-03 02:03:38 0 d-------- C:\Program Files\Common Files\Skype
2008-07-03 02:03:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-02 20:25:40 212 --a------ C:\delete.bat
2008-06-29 23:50:19 0 d-------- C:\Program Files\Winamp
2008-06-29 23:50:19 0 d-------- C:\Documents and Settings\Wassim\Application Data\Winamp
2008-06-27 00:20:19 0 d-------- C:\NoLopBackups
2008-06-24 10:24:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-24 10:24:29 0 d-------- C:\Documents and Settings\All Users\Application Data\title 64 default software
2008-06-24 10:23:34 0 d-------- C:\Program Files\Circle Developement
2008-06-24 00:15:10 3 --a------ C:\WINDOWS\system32\krx280.dat
2008-06-24 00:14:35 0 d-------- C:\Program Files\Email Sender Deluxe
2008-06-23 23:17:08 0 d-------- C:\Program Files\Email Marketer Business Edition
2008-06-23 23:03:21 0 d-------- C:\Program Files\fec
2008-06-23 19:35:37 0 d-------- C:\Program Files\Folder Guard Pro
2008-06-17 00:08:36 0 d-------- C:\Documents and Settings\Wassim\Application Data\HTNetMeter
2008-06-17 00:08:35 0 d-------- C:\Program Files\HooTech
2008-06-17 00:05:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-17 00:04:23 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-17 00:04:23 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-16 16:08:22 0 d--h----- C:\WINDOWS\PIF
2008-06-16 01:14:51 0 d-------- C:\Documents and Settings\Wassim\Application Data\Bitdefender
2008-06-16 01:14:38 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-16 01:09:43 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


-- Find3M Report ---------------------------------------------------------------

2008-07-13 23:34:08 0 d-------- C:\Documents and Settings\Wassim\Application Data\LimeWire
2008-07-13 21:56:53 0 d-------- C:\Program Files\FlashGet
2008-07-09 19:10:24 0 d-------- C:\Documents and Settings\Wassim\Application Data\IceChat
2008-07-03 17:33:50 0 d-------- C:\Documents and Settings\Wassim\Application Data\Steady Recorder
2008-07-03 14:23:30 0 d-------- C:\Documents and Settings\Wassim\Application Data\Apple Computer
2008-07-03 02:03:38 0 d-------- C:\Program Files\Common Files
2008-06-24 20:42:57 0 d-------- C:\Program Files\E.M. Youtube Video Download Tool
2008-06-17 19:36:35 0 d-------- C:\Program Files\PingPlotter Pro
2008-06-17 19:33:50 0 d-------- C:\Documents and Settings\Wassim\Application Data\Pointdev
2008-06-17 19:33:49 0 d-------- C:\Program Files\Pointdev
2008-06-17 19:33:14 0 d-------- C:\Program Files\EasyPHP 2.0b1
2008-06-17 19:32:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 23:24:24 441 --a------ C:\WINDOWS\system32\Infob.dat
2008-06-13 23:24:24 0 --a------ C:\WINDOWS\system32\Infoa.dat
2008-06-13 23:21:15 360 --a------ C:\WINDOWS\system32\treeinfo.dat
2008-06-07 23:27:07 0 d-------- C:\Program Files\Apache Software Foundation
2008-06-01 21:22:12 4100 --a------ C:\WINDOWS\system32\hdvirffo.dll
2008-05-26 00:57:52 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-25 19:44:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-25 19:44:23 0 d-------- C:\Documents and Settings\Wassim\Application Data\Mozilla
2008-05-24 16:52:54 0 d-------- C:\Program Files\MessengerDiscovery
2008-05-24 16:40:44 0 d-------- C:\Program Files\MSN Messenger
2008-05-22 23:53:25 0 d-------- C:\Program Files\iTunes
2008-05-22 23:53:16 0 d-------- C:\Program Files\iPod
2008-05-22 23:52:58 0 d-------- C:\Program Files\Bonjour
2008-05-22 23:52:47 0 d-------- C:\Program Files\QuickTime
2008-05-22 23:51:52 0 d-------- C:\Program Files\Apple Software Update
2008-05-22 23:51:30 0 d-------- C:\Program Files\Common Files\Apple
2008-05-21 12:30:55 0 d-------- C:\Documents and Settings\Wassim\Application Data\ACD Systems
2008-05-21 12:30:31 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-21 12:30:19 0 d-------- C:\Program Files\ACD Systems
2008-05-21 12:24:59 0 d-------- C:\Program Files\Nero
2008-05-21 12:24:51 0 d-------- C:\Program Files\Common Files\Nero
2008-05-20 01:44:03 0 d-------- C:\Documents and Settings\Wassim\Application Data\Media Player Classic
2008-05-20 01:37:20 0 d-------- C:\Program Files\XP Codec Pack
2008-05-20 01:35:54 0 d-------- C:\Program Files\DivX
2008-05-19 19:37:02 0 d-------- C:\Program Files\HJTHotkey
2008-05-17 01:15:31 0 d-------- C:\Program Files\Boson Software
2008-05-17 01:15:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-17 00:41:08 0 d-------- C:\Documents and Settings\Wassim\Application Data\Summitsoft
2008-05-14 23:37:04 0 d-------- C:\Documents and Settings\Wassim\Application Data\Malwarebytes
2008-05-11 20:38:27 46 --a------ C:\WINDOWS\system32\winitn.dll
2008-05-11 20:38:27 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-05-11 20:38:27 2535424 --a------ C:\WINDOWS\system32\agsaamj.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-05-11 20:38:27 90112 --a------ C:\WINDOWS\system32\agsaami.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-05-11 20:38:27 987136 --a------ C:\WINDOWS\system32\agsaamh.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCDGrabber2.dll Module>
2008-05-11 20:38:27 610304 --a------ C:\WINDOWS\system32\agsaamg.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFile3 Module>
2008-05-11 20:38:27 372736 --a------ C:\WINDOWS\system32\agsaamc.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFileWMA3 Module>
2008-05-11 20:38:27 331776 --a------ C:\WINDOWS\system32\agsaama.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer3 Module>
2008-05-11 20:38:26 196608 --a------ C:\WINDOWS\system32\maag.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-05-11 20:38:26 46 --a------ C:\WINDOWS\system32\kakle.dll
2008-05-11 20:38:26 1212416 --a------ C:\WINDOWS\system32\ckll.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-05-11 20:38:26 1245184 --a------ C:\WINDOWS\system32\bkll.dll <Not Verified; NCT Company Ltd.; NCTRMFile ActiveX DLL>
2008-05-11 20:38:26 1986560 --a------ C:\WINDOWS\system32\akll.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-04-26 22:43:31 62 --ahs---- C:\Documents and Settings\Wassim\Application Data\desktop.ini
2008-04-26 19:52:04 0 -rahs---- C:\MSDOS.SYS
2008-04-26 19:52:04 0 -rahs---- C:\IO.SYS
2008-04-26 19:52:04 0 --a------ C:\CONFIG.SYS
2008-04-26 19:52:04 0 --a------ C:\AUTOEXEC.BAT
2008-04-26 19:49:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [05/05/2005 03:28 AM C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [05/04/2005 04:43 AM C:\WINDOWS\ALCMTR.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/15/2005 12:20 PM]
"nwiz"="nwiz.exe" [06/15/2005 12:20 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/15/2005 12:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [01/21/2003 10:19 AM]
"USB Antivirus"="C:\Program Files\USB Disk Security\USBGuard.exe" [04/16/2008 01:53 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/12/2008 12:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [04/02/2007 04:48 PM]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 03:49 PM]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [01/05/2008 12:00 AM]
"Email Marketer Monitor"="C:\Program Files\Email Marketer Business Edition\Monitor.exe" []
"default software style team"="C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe" [07/13/2008 09:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"East-Tec Backup 2008"="C:\Program Files\East-Tec Backup\etBackup.exe" [04/07/2008 03:41 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]

C:\Documents and Settings\Wassim\Start Menu\Programs\Startup\
BWMeter.lnk - C:\Program Files\BWMeter\BWMeter.exe [7/5/2008 7:57:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f9234b6-358c-11dd-8ceb-000acd0e6c77}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-14 01:27:04 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1534.73 MiB / 1003.19 MiB
Pagefile Memory (total/avail): 3431.22 MiB / 2903.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904.3 MiB

C: is Fixed (NTFS) - 69.43 GiB total, 46.22 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380811AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.43 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: Bitdefender Antivirus v8.0 (Softwin)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\IceChat7\\IceChat7.exe"="C:\\Program Files\\IceChat7\\IceChat7.exe:*:Enabled:Internet Relay Chat Client"
"C:\\Program Files\\FlashGet\\FlashGet.exe"="C:\\Program Files\\FlashGet\\FlashGet.exe:*:Enabled:Flashget"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wassim\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WASSIM-2CAAAE03
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wassim
LOGONSERVER=\\WASSIM-2CAAAE03
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Wassim\LOCALS~1\Temp
TMP=C:\DOCUME~1\Wassim\LOCALS~1\Temp
USERDOMAIN=WASSIM-2CAAAE03
USERNAME=Wassim
USERPROFILE=C:\Documents and Settings\Wassim
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Wassim (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 10 Photo Manager --> MsiExec.exe /I{F8B98EB6-FC06-45BF-87D4-9784E0408611}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIRC® --> C:\Program Files\AIRC\Uninstal.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BitDefender Free Edition v10 --> MsiExec.exe /I{CEFC581D-BEAE-4F75-989E-BD931970D8AD}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BWMeter V3.1.0 --> C:\Program Files\BWMeter\Uninstall.exe
Command & Conquer Generals --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
East-Tec Backup 2008 2.0 --> "C:\Program Files\East-Tec Backup\unins000.exe"
Folder Guard --> "C:\Program Files\Folder Guard Pro\Setup.exe" /U
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Data\Applications\Antivirus\HijackThis.exe" /uninstall
HJTHotkey 3.056 --> "C:\Program Files\HJTHotkey\unins000.exe"
IceChat 7.63 (Build 20080417) --> "C:\Program Files\IceChat7\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MessengerDiscovery Live 1.4.5408 --> "C:\Program Files\MessengerDiscovery\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\AIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Micro 7.9.6.0 --> "C:\Program Files\Nero\unins000.exe"
Nero 8 Lite 8.2.8.0 --> "C:\Program Files\Nero\unins001.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Pawsoft Fass --> C:\Program Files\Pawsoft\Fass\uninst.exe
PIXresizer 2.0.3 --> "C:\Program Files\PIXresizer\unins000.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RapidShare Manager --> rundll32.exe dfshim.dll,ShArpMaintain RapidShareManager.application, Culture=neutral, PublicKeyToken=c14d24c3c9280019, processorArchitecture=msil
Real Alternative 1.60 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Steady Recorder 2.4.2 --> "C:\Program Files\Steady Recorder\unins000.exe"
Switch Sound File Converter --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
USB Disk Security 5.0.0.48 --> "C:\Program Files\USB Disk Security\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5922 / Error
Event Submitted/Written: 07/13/2008 10:32:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application icechat7.exe, version 7.6.0.3, faulting module mswinsck.ocx, version 6.1.97.82, fault address 0x0000fa61.
Processing media-specific event for [icechat7.exe!ws!]

Event Record #/Type5921 / Error
Event Submitted/Written: 07/13/2008 10:32:40 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application icechat7.exe, version 7.6.0.3, faulting module mswinsck.ocx, version 6.1.97.82, fault address 0x0000fa61.
Processing media-specific event for [icechat7.exe!ws!]

Event Record #/Type5913 / Success
Event Submitted/Written: 07/13/2008 09:30:51 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5892 / Success
Event Submitted/Written: 07/12/2008 09:33:19 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type5861 / Success
Event Submitted/Written: 07/11/2008 07:45:46 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9148 / Error
Event Submitted/Written: 07/13/2008 11:36:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type9147 / Error
Event Submitted/Written: 07/13/2008 11:36:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDFsDrv service failed to start due to the following error:
%%2

Event Record #/Type9146 / Error
Event Submitted/Written: 07/13/2008 11:36:38 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The bdfdll service failed to start due to the following error:
%%2

Event Record #/Type9137 / Error
Event Submitted/Written: 07/13/2008 10:36:31 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDRsDrv service failed to start due to the following error:
%%2

Event Record #/Type9136 / Error
Event Submitted/Written: 07/13/2008 10:36:31 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The BDFsDrv service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-14 01:27:04 ------------
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"

#6 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:25 PM

Posted 14 July 2008 - 07:19 PM

Hello again.

First of all: I see that some HijackThis entries have been fixed before we started (dating back to around April this year). Have you fixed these entries all on your own, or under guidance and supervision of an expert?



IMPORTANT
Your BitDefender antivirus program probably does not do its job effectively anymore, as some important files belonging to BitDefender services appear to be missing. The best remedy to solve this issue is to reinstall the BitDefender Free Edition v10 application. Alternatively, if you do not want to use BitDefender as your antivirus anymore, uninstall the program and then install another antivirus program like one of these good (and free) products:
- Avira AntiVir
- Avast Free
- AVG Free
NOTE: Never install more than one antivirus program on your system. Several together can cause problems and seriously decrease its reliability.



Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


You most likely got infected through file sharing. I see LimeWire PRO installed on your computer: a P2P/File Sharing (related) program. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of P2P application, you are more prone to infection.
I suggest removing this program. If you agree, go to Start > Control Panel > Add/Remove Programs and remove LimeWire PRO 4.16.6.
If you do not want to uninstall the program, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #1: HijackThis fix & files/folders deletion
First enable the viewing of hidden files in Windows XP by following these steps:
  • Close all programs so that you are at your Desktop.
  • Go to Start > My Computer.
  • Select the Tools menu and then click on the Folder Options menu option.
  • After the new window appears select the View tab.
  • Remove the checkmark from the checkbox labelled "Hide extensions for known file types".
  • Remove the checkmark from the checkbox labelled "Hide protected operating system files (Recommended)"; you will get a message warning you about showing protected operating system files, click Yes.
  • Select the radio button labelled "Show hidden files and folders".
  • Press the Apply button and then press the OK button and close My Computer.
Your computer is now configured to show all hidden system files and folders.

Go to Start > Run. In the Open: field copy/paste the entire contents inside the CODE box below and press the OK button after it:
regsvr32 /u C:\WINDOWS\system32\hdvirffo.dll
If you get an error doing this, it's OK to continue.

Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe

Close all other windows - you should only see HijackThis on your Desktop - and then click the Fix checked button.

Reboot your computer into SAFE MODE. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.


Using Windows Explorer (to get there, press Windows KEY + E), please delete these folders (if present):
C:\Documents and Settings\All Users\Application Data\Messenger Plus! <-- this folder
C:\Documents and Settings\All Users\Application Data\title 64 default software <-- this folder
C:\NoLopBackups <-- this folder
C:\Program Files\Book Blah Hold <-- this folder
C:\Program Files\Circle Developement <-- this folder
C:\Program Files\FlashGet <-- this folder

Only if you uninstalled LimeWire PRO 4.16.6 as recommended, please delete these folders as well if they are present:
C:\Documents and Settings\Wassim\Application Data\LimeWire <-- this folder
C:\Program Files\LimeWire <-- this folder

Using Windows Explorer, please delete these files (if present):
C:\delete.bat
C:\WINDOWS\system32\hdvirffo.dll

Now reboot your computer to boot back into NORMAL MODE.

Step #2: Jotti's malware/VirusTotal.com scans
Please go to http://virusscan.jotti.org/ and follow these steps to upload a file and scan it with Jotti's malware scan:
1. Click the Browse... button at the top of the page.
2. Navigate to this file if it is present: C:\WINDOWS\eReg.dat
3. Click Open.
4. Now click the Submit button (positioned next to the Browse... button) to upload the file.
5. Please be patient as the file will be scanned.
6. Once scanned, copy and paste the results in your next reply.
NOTE: In case Jotti is busy, try VirusTotal.com.

Please do the same for these two files:
C:\WINDOWS\system32\Infob.dat
C:\WINDOWS\system32\pthreadVC.dll

I could not find sufficient information regarding these files, and they make me suspicious.

Step #3: DirLook
I would like to see the contents of a directory.
  • Please go to Start > Run, and type Notepad into the box provided.
  • Press OK.
  • Copy (Ctrl + C) and paste (Ctrl + V) the entire contents inside the CODE box below into Notepad.
    set FILEPATH="C:\Program Files\fec"
    dir %FILEPATH% /C /N /O:-D /S  /4 > "%USERPROFILE%\Desktop\DirectoryList.txt"
    "%USERPROFILE%\Desktop\DirectoryList.txt"
    del "%USERPROFILE%\Desktop\DirectoryList.txt"
    del DirLook.bat
  • Go to File > Save.
  • To the right of "Save as type:" in the bottom of the window, change the combobox to "All Files".
  • Enter "DirLook.bat" (without the quotation marks) into the "File name:" box just above the "Save as type:" box.
  • Double-click DirLook.bat on your Desktop.
  • Copy and paste the log file that opens back here.
Step #4: file associations fix
To repair file associations, please do the following:
  • Make sure dss.exe (Deckard's System Scanner) is located on your Desktop.
  • Click on Start > Run to bring up the Run box.
  • In the Open: field, copy/paste the entire contents inside the CODE box below and press the OK button.
    "%userprofile%\desktop\dss.exe" /daft
    This will start DSS in a different way. A small window will appear.
  • Click on the Scan button.
  • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
  • Click the Fix button.
Step #5: DSS
Please run dss.exe again using the /config switch:
  • Click on Start > Run to bring up the Run box.
  • In the Open: field copy/paste the entire contents inside the CODE box below and press the OK button.
    "%userprofile%\Desktop\dss.exe" /config
  • Close all other open windows.
  • Click OK. A window will now open.
  • Click Check All and then click Scan!.

    When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <-this one will be minimized
    (If not, they both can be found in the C:\Deckard\System Scanner folder.)
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the entire contents of main.txt and the extra.txt in your next reply.


So in your next reply, please post the entire contents of:
- the Jotti's malware/VirusTotal.com reports
- the DirLook.bat execution results
- DSS main.txt & extra.txt
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


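The first pass htv8 does by eye on the O2 (BHO) and O4 (autorun) lines, automated. This is an added example for this thread, not code from the posts above or from HijackThis. The sample lines are constructed from the HijackThis output in this thread, and the four heuristics (autorun target in a user-writable profile directory, orphaned entry, Lop-style value name made of several lowercase words, bare filename resolved through PATH) are the editor's assumptions about what to check first, not a malware signature.

```python
"""Triage HijackThis O2 (BHO) and O4 (autorun) lines for a second look.

Added example for this thread; not code from the posts above or from
HijackThis. SAMPLE_LOG is constructed from lines in this thread, and the
heuristics are the editor's assumptions about what is worth checking
first, not a malware signature: an entry with a hit deserves a look, an
entry without one is not thereby clean.
"""
import re
from typing import Dict, List

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<cmd>.*)$')

# File-looking tokens in a command line; the extension ends each match.
PATH_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|cpl|scr|bat))', re.IGNORECASE)

# The Lop-style value names seen in this thread are several lowercase words.
LOP_NAME_RE = re.compile(r'[a-z]+(?: [a-z]+){2,}')

# Directories an ordinary XP user can write to. A legitimate startup item
# almost always lives under Program Files or WINDOWS instead.
USER_WRITABLE_PREFIXES = (
    'c:\\documents and settings\\',   # includes All Users\Application Data
    'c:\\docume~1\\',                  # same tree in 8.3 form, as HijackThis often prints it
)

# Constructed from the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe
O4 - HKCU\..\Run: [Cornfor] C:\DOCUME~1\Wassim\APPLIC~1\BOOKBL~1\mp3flaw.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""


def target_of(cmd: str) -> str:
    """Return the file an entry really loads, or '' when HijackThis says it is gone."""
    if '(no file)' in cmd or '(file missing)' in cmd:
        return ''
    paths = [p.strip() for p in PATH_RE.findall(cmd)]
    if not paths:
        return cmd.strip()
    # rundll32 is only a loader: the module that matters is the next path.
    if paths[0].rsplit('\\', 1)[-1].lower() == 'rundll32.exe' and len(paths) > 1:
        return paths[1]
    return paths[0]


def reasons_for(name: str, cmd: str) -> List[str]:
    """Heuristic reasons to look at one entry; an empty list means no hit."""
    target = target_of(cmd)
    if not target:
        return ['orphaned entry: the registry value points at a file that no longer exists']
    reasons: List[str] = []
    if target.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append('autorun target lives in a user-writable profile directory')
    if LOP_NAME_RE.fullmatch(name):
        reasons.append('value name is several lowercase dictionary words (Lop-style naming)')
    if '\\' not in target:
        reasons.append('bare filename: resolved through PATH/App Paths, confirm which file runs')
    return reasons


def triage(log_lines) -> Dict[str, List[str]]:
    """Map every flagged O2/O4 entry to its reasons; unflagged entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in log_lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            label = f"O4 {m['hive']} [{m['name']}]"
        else:
            m = O2_RE.match(line)
            if not m:
                continue
            label = f"O2 BHO {{{m['clsid']}}}"
        reasons = reasons_for(m['name'], m['cmd'])
        if reasons:
            findings[label] = reasons
    return findings


if __name__ == '__main__':
    for label, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(label)
        for r in reasons:
            print('   -', r)
```

Run against the sample, it flags the orphaned BHO, the two Lop-style entries and Alcmtr, and passes the Java, NVIDIA and Skype lines. The Alcmtr hit is why the wording is "confirm", not "remove": a bare name only tells you the loader will search for it, so the next step is to locate the file on disk and hash it, which also lets you query Jotti or VirusTotal by hash before uploading anything.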
#7 Wassim

Wassim
  • Topic Starter

  • Members
  • 376 posts
  • Gender:Male
  • Location:Byblos, Lebanon, Middle East.
  • Local time:10:25 PM

Posted 15 July 2008 - 02:23 PM

DirLook.bat Log

Volume in drive C has no label.
Volume Serial Number is F820-192B

Directory of C:\Program Files\fec

06/28/2008 11:24 PM <DIR> Super Email Sender
06/23/2008 11:03 PM <DIR> ..
06/23/2008 11:03 PM <DIR> .
0 File(s) 0 bytes

Directory of C:\Program Files\fec\Super Email Sender

06/28/2008 11:24 PM <DIR> ..
06/28/2008 11:24 PM <DIR> .
06/23/2008 11:15 PM 68,685 XMailer.elf
06/23/2008 11:15 PM 1,280 auto.xeml
06/23/2008 11:15 PM 0 excludeemails.txt
3 File(s) 69,965 bytes

Total Files Listed:
3 File(s) 69,965 bytes
5 Dir(s) 49,222,930,432 bytes free



main.txt Log
Deckard's System Scanner v20071014.68
Run by Wassim on 2008-07-15 22:15:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-07-15 19:15:32 UTC - RP87 - Deckard's System Scanner Restore Point
86: 2008-07-15 18:49:12 UTC - RP86 - Avira AntiVir Premium - 7/15/2008 21:49
85: 2008-07-15 18:45:18 UTC - RP85 - Removed BitDefender Free Edition v10
84: 2008-07-13 22:25:51 UTC - RP84 - Deckard's System Scanner Restore Point
83: 2008-07-13 09:18:53 UTC - RP83 - System Checkpoint


-- First Restore Point --
1: 2008-04-26 17:00:28 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Wassim.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:39 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\USB Disk Security\USBGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\East-Tec Backup\etBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Wassim\Desktop\dss.exe
C:\Data\APPLIC~1\ANTIVI~1\Wassim.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files\USB Disk Security\USBGuard.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Email Marketer Monitor] C:\Program Files\Email Marketer Business Edition\Monitor.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [East-Tec Backup 2008] "C:\Program Files\East-Tec Backup\etBackup.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: BWMeter.lnk = C:\Program Files\BWMeter\BWMeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6567 bytes

-- HijackThis Fixed Entries (C:\Data\APPLIC~1\ANTIVI~1\backups\) ---------------

backup-20080414-225856-665 O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
backup-20080414-225856-886 O4 - HKLM\..\Run: [Barsaka] explorer.exe
backup-20080414-225856-969 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20080414-225947-643 O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
backup-20080420-214103-364 O2 - BHO: (no name) - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - (no file)
backup-20080420-214103-522 F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
backup-20080420-214103-605 F3 - REG:win.ini: load=
backup-20080420-214103-760 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
backup-20080506-184651-924 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080626-002225-198 O4 - HKCU\..\Run: [Cornfor] C:\DOCUME~1\Wassim\APPLIC~1\BOOKBL~1\mp3flaw.exe
backup-20080627-003645-380 O4 - HKCU\..\Run: [Cornfor] C:\DOCUME~1\Wassim\APPLIC~1\BOOKBL~1\mp3flaw.exe
backup-20080715-215529-463 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20080715-215529-974 O4 - HKLM\..\Run: [default software style team] C:\Documents and Settings\All Users\Application Data\title 64 default software\Readme Meal.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 dsnpfd (DeskSoft Service) - c:\windows\system32\drivers\dsnpfd.sys <Not Verified; DeskSoft; NDIS packet redirector driver>
R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>

S3 bdfdll - c:\program files\softwin\bitdefender10\bdfdll.sys (file missing)
S3 BDFsDrv - c:\program files\softwin\bitdefender10\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\program files\softwin\bitdefender10\bdrsdrv.sys (file missing)
S3 ZSMC301b (VIMICRO USB PC Camera 301x) - c:\windows\system32\drivers\usbvm31b.sys <Not Verified; VM; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirMailService (Avira AntiVir Premium MailGuard) - "c:\program files\avira\antivir personaledition premium\avmailc.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 AntiVirScheduler (Avira AntiVir Premium Scheduler) - "c:\program files\avira\antivir personaledition premium\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 antivirwebservice (Avira AntiVir Premium WebGuard) - "c:\program files\avira\antivir personaledition premium\avwebgrd.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AVEService (Avira AntiVir Premium MailGuard helper service) - "c:\program files\avira\antivir personaledition premium\avesvc.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 1128)
2008-03-12 12:29:14 94465 --a------ C:\WINDOWS\system32\avsda.dll <Not Verified; Avira GmbH; AntiVir Workstation>

C:\WINDOWS\explorer.exe (pid 1828)
2005-09-23 07:28:38 83456 --a------ C:\WINDOWS\system32\dfshim.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2005-09-23 07:28:52 270848 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>


-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 21:49:45 0 d-------- C:\Program Files\Avira
2008-07-13 22:45:05 0 d-------- C:\Program Files\AIRC
2008-07-11 19:52:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 19:58:20 0 d-------- C:\Documents and Settings\Wassim\Application Data\DeskSoft
2008-07-05 19:57:51 16896 --a------ C:\WINDOWS\system32\drivers\dsnpfd.sys <Not Verified; DeskSoft; NDIS packet redirector driver>
2008-07-05 19:57:51 0 d-------- C:\Program Files\BWMeter
2008-07-03 13:29:26 614 --a------ C:\WINDOWS\eReg.dat
2008-07-03 02:05:46 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-03 02:05:46 0 d-------- C:\Documents and Settings\Wassim\Application Data\skypePM
2008-07-03 02:04:37 0 d-------- C:\Documents and Settings\Wassim\Application Data\Skype
2008-07-03 02:03:39 0 d-------- C:\Program Files\Skype
2008-07-03 02:03:38 0 d-------- C:\Program Files\Common Files\Skype
2008-07-03 02:03:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-29 23:50:19 0 d-------- C:\Program Files\Winamp
2008-06-29 23:50:19 0 d-------- C:\Documents and Settings\Wassim\Application Data\Winamp
2008-06-24 00:15:10 3 --a------ C:\WINDOWS\system32\krx280.dat
2008-06-24 00:14:35 0 d-------- C:\Program Files\Email Sender Deluxe
2008-06-23 23:17:08 0 d-------- C:\Program Files\Email Marketer Business Edition
2008-06-23 23:03:21 0 d-------- C:\Program Files\fec
2008-06-23 19:35:37 0 d-------- C:\Program Files\Folder Guard Pro
2008-06-17 00:08:36 0 d-------- C:\Documents and Settings\Wassim\Application Data\HTNetMeter
2008-06-17 00:08:35 0 d-------- C:\Program Files\HooTech
2008-06-17 00:05:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-17 00:04:23 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-17 00:04:23 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-16 16:08:22 0 d--h----- C:\WINDOWS\PIF
2008-06-16 01:14:38 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-16 01:09:43 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


-- Find3M Report ---------------------------------------------------------------

2008-07-15 00:06:06 0 d-------- C:\Documents and Settings\Wassim\Application Data\LimeWire
2008-07-09 19:10:24 0 d-------- C:\Documents and Settings\Wassim\Application Data\IceChat
2008-07-03 17:33:50 0 d-------- C:\Documents and Settings\Wassim\Application Data\Steady Recorder
2008-07-03 14:23:30 0 d-------- C:\Documents and Settings\Wassim\Application Data\Apple Computer
2008-07-03 02:03:38 0 d-------- C:\Program Files\Common Files
2008-06-24 20:42:57 0 d-------- C:\Program Files\E.M. Youtube Video Download Tool
2008-06-17 19:36:35 0 d-------- C:\Program Files\PingPlotter Pro
2008-06-17 19:33:50 0 d-------- C:\Documents and Settings\Wassim\Application Data\Pointdev
2008-06-17 19:33:49 0 d-------- C:\Program Files\Pointdev
2008-06-17 19:33:14 0 d-------- C:\Program Files\EasyPHP 2.0b1
2008-06-17 19:32:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 23:24:24 441 --a------ C:\WINDOWS\system32\Infob.dat
2008-06-13 23:24:24 0 --a------ C:\WINDOWS\system32\Infoa.dat
2008-06-13 23:21:15 360 --a------ C:\WINDOWS\system32\treeinfo.dat
2008-06-07 23:27:07 0 d-------- C:\Program Files\Apache Software Foundation
2008-05-26 00:57:52 1160 --a------ C:\WINDOWS\mozver.dat
2008-05-25 19:44:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-25 19:44:23 0 d-------- C:\Documents and Settings\Wassim\Application Data\Mozilla
2008-05-24 16:52:54 0 d-------- C:\Program Files\MessengerDiscovery
2008-05-24 16:40:44 0 d-------- C:\Program Files\MSN Messenger
2008-05-22 23:53:25 0 d-------- C:\Program Files\iTunes
2008-05-22 23:53:16 0 d-------- C:\Program Files\iPod
2008-05-22 23:52:58 0 d-------- C:\Program Files\Bonjour
2008-05-22 23:52:47 0 d-------- C:\Program Files\QuickTime
2008-05-22 23:51:52 0 d-------- C:\Program Files\Apple Software Update
2008-05-22 23:51:30 0 d-------- C:\Program Files\Common Files\Apple
2008-05-21 12:30:55 0 d-------- C:\Documents and Settings\Wassim\Application Data\ACD Systems
2008-05-21 12:30:31 0 d-------- C:\Program Files\Common Files\ACD Systems
2008-05-21 12:30:19 0 d-------- C:\Program Files\ACD Systems
2008-05-21 12:24:59 0 d-------- C:\Program Files\Nero
2008-05-21 12:24:51 0 d-------- C:\Program Files\Common Files\Nero
2008-05-20 01:44:03 0 d-------- C:\Documents and Settings\Wassim\Application Data\Media Player Classic
2008-05-20 01:37:20 0 d-------- C:\Program Files\XP Codec Pack
2008-05-20 01:35:54 0 d-------- C:\Program Files\DivX
2008-05-19 19:37:02 0 d-------- C:\Program Files\HJTHotkey
2008-05-17 01:15:31 0 d-------- C:\Program Files\Boson Software
2008-05-17 01:15:14 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-17 00:41:08 0 d-------- C:\Documents and Settings\Wassim\Application Data\Summitsoft
2008-05-11 20:38:27 46 --a------ C:\WINDOWS\system32\winitn.dll
2008-05-11 20:38:27 237568 --a------ C:\WINDOWS\system32\lame_enc.dll
2008-05-11 20:38:27 2535424 --a------ C:\WINDOWS\system32\agsaamj.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-05-11 20:38:27 90112 --a------ C:\WINDOWS\system32\agsaami.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-05-11 20:38:27 987136 --a------ C:\WINDOWS\system32\agsaamh.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCDGrabber2.dll Module>
2008-05-11 20:38:27 610304 --a------ C:\WINDOWS\system32\agsaamg.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFile3 Module>
2008-05-11 20:38:27 372736 --a------ C:\WINDOWS\system32\agsaamc.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFileWMA3 Module>
2008-05-11 20:38:27 331776 --a------ C:\WINDOWS\system32\agsaama.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer3 Module>
2008-05-11 20:38:26 196608 --a------ C:\WINDOWS\system32\maag.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-05-11 20:38:26 46 --a------ C:\WINDOWS\system32\kakle.dll
2008-05-11 20:38:26 1212416 --a------ C:\WINDOWS\system32\ckll.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-05-11 20:38:26 1245184 --a------ C:\WINDOWS\system32\bkll.dll <Not Verified; NCT Company Ltd.; NCTRMFile ActiveX DLL>
2008-05-11 20:38:26 1986560 --a------ C:\WINDOWS\system32\akll.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-04-26 22:43:31 62 --ahs---- C:\Documents and Settings\Wassim\Application Data\desktop.ini
2008-04-26 19:52:04 0 -rahs---- C:\MSDOS.SYS
2008-04-26 19:52:04 0 -rahs---- C:\IO.SYS
2008-04-26 19:52:04 0 --a------ C:\CONFIG.SYS
2008-04-26 19:52:04 0 --a------ C:\AUTOEXEC.BAT
2008-04-26 19:49:15 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [05/05/2005 03:28 AM C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/15/2005 12:20 PM]
"nwiz"="nwiz.exe" [06/15/2005 12:20 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/15/2005 12:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [01/21/2003 10:19 AM]
"USB Antivirus"="C:\Program Files\USB Disk Security\USBGuard.exe" [04/16/2008 01:53 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/12/2008 12:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [01/05/2008 12:00 AM]
"Email Marketer Monitor"="C:\Program Files\Email Marketer Business Edition\Monitor.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"East-Tec Backup 2008"="C:\Program Files\East-Tec Backup\etBackup.exe" [04/07/2008 03:41 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]

C:\Documents and Settings\Wassim\Start Menu\Programs\Startup\
BWMeter.lnk - C:\Program Files\BWMeter\BWMeter.exe [7/5/2008 7:57:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f9234b6-358c-11dd-8ceb-000acd0e6c77}]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-07-15 22:16:26 ------------


Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 30%
Physical Memory (total/avail): 1534.73 MiB / 1062.64 MiB
Pagefile Memory (total/avail): 3431.22 MiB / 2981.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.35 MiB

C: is Fixed (NTFS) - 69.43 GiB total, 45.82 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380811AS - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.43 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\IceChat7\\IceChat7.exe"="C:\\Program Files\\IceChat7\\IceChat7.exe:*:Enabled:Internet Relay Chat Client"
"C:\\Program Files\\FlashGet\\FlashGet.exe"="C:\\Program Files\\FlashGet\\FlashGet.exe:*:Enabled:Flashget"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wassim\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WASSIM-2CAAAE03
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wassim
LOGONSERVER=\\WASSIM-2CAAAE03
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Wassim\LOCALS~1\Temp
TMP=C:\DOCUME~1\Wassim\LOCALS~1\Temp
USERDOMAIN=WASSIM-2CAAAE03
USERNAME=Wassim
USERPROFILE=C:\Documents and Settings\Wassim
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Wassim (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 10 Photo Manager --> MsiExec.exe /I{F8B98EB6-FC06-45BF-87D4-9784E0408611}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Avira AntiVir Premium --> C:\Program Files\Avira\AntiVir PersonalEdition Premium\SETUP.EXE /REMOVE
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BWMeter V3.1.0 --> C:\Program Files\BWMeter\Uninstall.exe
Command & Conquer Generals --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
East-Tec Backup 2008 2.0 --> "C:\Program Files\East-Tec Backup\unins000.exe"
Folder Guard --> "C:\Program Files\Folder Guard Pro\Setup.exe" /U
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Data\Applications\Antivirus\HijackThis.exe" /uninstall
HJTHotkey 3.056 --> "C:\Program Files\HJTHotkey\unins000.exe"
IceChat 7.63 (Build 20080417) --> "C:\Program Files\IceChat7\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MessengerDiscovery Live 1.4.5408 --> "C:\Program Files\MessengerDiscovery\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Micro 7.9.6.0 --> "C:\Program Files\Nero\unins000.exe"
Nero 8 Lite 8.2.8.0 --> "C:\Program Files\Nero\unins001.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Pawsoft Fass --> C:\Program Files\Pawsoft\Fass\uninst.exe
PIXresizer 2.0.3 --> "C:\Program Files\PIXresizer\unins000.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RapidShare Manager --> rundll32.exe dfshim.dll,ShArpMaintain RapidShareManager.application, Culture=neutral, PublicKeyToken=c14d24c3c9280019, processorArchitecture=msil
Real Alternative 1.60 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Steady Recorder 2.4.2 --> "C:\Program Files\Steady Recorder\unins000.exe"
Switch Sound File Converter --> C:\Program Files\NCH Swift Sound\Switch\uninst.exe
USB Disk Security 5.0.0.48 --> "C:\Program Files\USB Disk Security\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6064 / Success
Event Submitted/Written: 07/15/2008 10:03:21 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6046 / Success
Event Submitted/Written: 07/15/2008 09:48:13 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6024 / Success
Event Submitted/Written: 07/15/2008 09:34:34 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6014 / Error
Event Submitted/Written: 07/14/2008 10:58:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6007 / Error
Event Submitted/Written: 07/14/2008 10:06:32 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application mbam.exe, version 1.20.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9421 / Error
Event Submitted/Written: 07/15/2008 10:01:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type9420 / Error
Event Submitted/Written: 07/15/2008 09:59:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9419 / Error
Event Submitted/Written: 07/15/2008 09:58:27 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
avgio
avipbb
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
WS2IFSL

Event Record #/Type9418 / Error
Event Submitted/Written: 07/15/2008 09:58:27 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type9417 / Error
Event Submitted/Written: 07/15/2008 09:58:27 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-15 22:16:26 ------------



As for Jotti's malware scan, I forgot to paste the result, but for the 3 files the status returned OK and all the scanners found nothing.
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"

#8 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 July 2008 - 07:52 AM

Hello again, Wassim.

Can you please answer this question:

[...] I see that some HijackThis entries have been fixed before we started (dating back to around April this year). Have you fixed these entries all on your own, or under guidance and supervision of an expert?

Thanks. :thumbsup:



Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Java SE Runtime Environment (JRE) update
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.

Please follow these steps to remove older version Java components:
  • Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
  • Go to Start > Control Panel > Add or Remove Programs and click the Remove or Change/Remove button next to Java™ 6 Update 5 to remove the outdated Java version.
  • Reboot your computer.
Once rebooted, download and install the latest version of Java Runtime Environment (JRE) 6 by following these steps:
  • Go to http://java.sun.com/javase/downloads/index.jsp.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Review the License Agreement, and if you agree check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download the Windows Offline Installation and save the file to your Desktop.
  • Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
  • From your Desktop, double-click the jre-6u7-windows-i586-p.exe file to install the newest version.
Step #2: cleanup with ATF Cleaner
Click the download link below to download ATF Cleaner by Atribune.
Download ATF Cleaner

Perform a cleanup as follows:
  • Double-click ATF-Cleaner.exe to run the program.
  • Click once on the Main tab at the top of the screen and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.

    If you use the Mozilla Firefox browser, please follow these instructions as well:
  • Click once on the Firefox tab at the top of the screen and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser, please follow these instructions as well:
  • Click once on the Opera tab at the top of the screen and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • Click the Exit button on the Main tab to exit the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

Step #3: Kaspersky Online Scanner scan
Please do an online scan with Kaspersky Online Scanner:
  • Please visit the Kaspersky Online Scanner website.
    NOTE: ** If you are using Windows Vista, open your browser by right-clicking on its icon and select "Run as administrator" to perform this scan. **
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    << This will start the program and scan your system. >>
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Change the "Files of Type" dropdown box to "Text Files".
  • Enter a memorable filename.
  • Save the file to your Desktop.
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) that information in your next post.
Also please let me know how the computer is running.

Reason for edit: lay-out (BBCode) mistake.

Edited by htv8, 16 July 2008 - 08:04 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#9 Wassim

Wassim
  • Topic Starter

  • Members
  • 376 posts
  • Gender:Male
  • Location:Byblos, Lebanon, Middle East.

Posted 24 July 2008 - 12:05 PM

Problem solved.
You may close this thread, htv8. :thumbsup:
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"

#10 htv8

htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 July 2008 - 04:13 AM

OK.
It is a good thing, though, to click on this tutorial and follow each step listed to prevent infection in the future:

Simple and easy ways to keep your computer safe and secure on the Internet



As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.

Glad we could help. :thumbsup:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
