Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rundll32.exe Malware In My Computer


  • This topic is locked This topic is locked
20 replies to this topic

#1 Robert789

Robert789

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 27 July 2008 - 12:31 PM

Hi, I am Robert. I am from Singapore.

I need help as my computer has been invaded by some malwares.
Now I can't open all the functions at the control panel, like add/remove programs, changing date/time
etc.
This Error message will always appear when I clicked on these functions:
" C:\Windows\system32\ rundll32.exe is not a valid win32 application. "

I tried to delete the rundll32 entry at the startup in the config.sys file. But it will re-appear
when I re-boot the systems.

below are the log file for the main.txt & extra-txt.
Anybody can help me fixing the problems?
Thank you very much.

Robert



"Main.txt":

Deckard's System Scanner v20071014.68
Run by hook on 2008-07-28 00:52:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2008-07-27 16:52:36 UTC - RP134 - Deckard's System Scanner Restore Point
33: 2008-07-25 12:04:27 UTC - RP133 - System Checkpoint
32: 2008-07-23 09:24:09 UTC - RP132 - System Checkpoint
31: 2008-07-15 14:48:33 UTC - RP131 - Installed DSL Family Firmware Upgrade Utility
30: 2008-07-12 17:07:28 UTC - RP130 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-28 11:10:57 UTC - RP101 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as hook.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:07 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\hook\Desktop\my download files\dss.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\hook.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 2512 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080706-150905-119 O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
backup-20080706-150905-126 O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
backup-20080706-150905-134 O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080706-150905-251 O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
backup-20080706-150905-258 O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080706-150905-342 O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20080706-150905-457 O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
backup-20080706-150905-518 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
backup-20080706-150905-552 O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
backup-20080706-150905-564 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
backup-20080706-150905-611 O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
backup-20080706-150905-737 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
backup-20080706-150905-806 O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\System32\SHDOCVW.DLL
backup-20080706-150905-874 O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080706-150905-991 O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
backup-20080706-221949-476 O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
backup-20080706-221949-696 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080706-221949-874 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
backup-20080706-221950-162 O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20080706-221950-297 O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
backup-20080706-221950-320 O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
backup-20080706-222216-588 O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
backup-20080706-222216-739 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080706-222216-782 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080706-222216-788 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080706-222216-983 O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
backup-20080706-222217-740 O9 - Extra button: Helpdesk - {96C8FF35-EEDB-410F-B0F8-65BE9581CEED} - C:\Program Files\StarHub\helpdesk.exe (file missing) (HKCU)
backup-20080706-223651-269 O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
backup-20080706-223652-848 O17 - HKLM\System\CCS\Services\Tcpip\..\{1D99DAFB-E4E4-4E23-976A-AC16BF1D71E6}: NameServer = 165.21.83.88 165.21.100.88
backup-20080706-223855-347 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
backup-20080706-225113-281 O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
backup-20080706-225113-368 O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
backup-20080706-225113-647 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080706-225113-721 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080706-225113-815 O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
backup-20080706-225113-941 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080706-225113-943 O4 - Global Startup: Digital Line Detect.lnk = ?
backup-20080706-225113-950 O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
backup-20080706-225113-993 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
backup-20080706-225223-495 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
backup-20080706-225223-504 O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
backup-20080706-225223-698 O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
backup-20080706-225223-704 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
backup-20080706-225223-925 O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
backup-20080706-225223-972 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
backup-20080706-230037-469 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080706-230309-438 O15 - ESC Trusted Zone: http://*.update.microsoft.com
backup-20080713-023855-515 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080722-001348-291 O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
backup-20080727-084340-238 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080727-084727-406 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080727-084727-627 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080727-224226-303 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080727-224226-511 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
backup-20080727-224424-998 O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 AmeAtmPc - c:\windows\system32\drivers\ameatmpc.sys <Not Verified; Alcatel Microelectronics; Alcatel Microelectronics ADSL USB MODEM>
S3 CSDriver - c:\windows\system32\drivers\csdriver.sys <Not Verified; Beijing Chinese Star Cyber Technology Limited; csdriver>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>
S3 SQTECH905C (DualCamera) - c:\windows\system32\drivers\capt905c.sys <Not Verified; Service & Quality Technology.; SQ905c>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NMSSvc (Intel® NMS) - c:\windows\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-27 22:49:49 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-27 22:49:49 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-27 22:49:49 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-27 22:49:49 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-27 22:49:49 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-27 22:49:49 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-27 22:49:49 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-27 22:49:49 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-27 22:49:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-27 22:49:49 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-27 22:49:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-27 22:49:48 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-06 15:04:18 0 d-------- C:\Program Files\Trend Micro
2008-07-06 14:11:53 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-06 14:11:33 0 d-------- C:\Program Files\1 Click PC Fix
2008-07-06 11:49:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 11:15:53 0 dr-h----- C:\Documents and Settings\hook\Recent
2008-07-04 19:19:02 0 d-------- C:\Downloads
2008-07-04 19:17:08 0 d-------- C:\Documents and Settings\hook\Application Data\Free Download Manager
2008-07-04 19:16:54 0 d-------- C:\Program Files\Free Download Manager


-- Find3M Report ---------------------------------------------------------------

2008-07-15 22:48:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-06 22:19:57 0 d-------- C:\Program Files\Norton AntiVirus
2008-07-06 11:50:21 0 d-------- C:\Program Files\Lavasoft
2008-07-06 11:49:24 0 d-------- C:\Program Files\Common Files
2008-07-06 11:16:28 0 d-------- C:\Program Files\Prolink Hurricane 9000C
2008-06-23 12:14:38 0 d-------- C:\Program Files\MSBuild
2008-06-23 12:14:10 0 d-------- C:\Program Files\Reference Assemblies
2008-06-23 12:01:07 0 d-------- C:\Program Files\MSXML 6.0
2008-06-10 14:13:36 445 --a----c- C:\WINDOWS\EntPack.dat
2008-06-09 17:39:24 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 03:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]

C:\Documents and Settings\hook\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iFinger 2.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iFinger 2.0.lnk
backup=C:\WINDOWS\pss\iFinger 2.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AME_CSA]
rundll32 amecsa.cpl,RUN_DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
"C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
"C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"SymWSC"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SBService"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Adobe LM Service"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-07-28 00:57:20 ------------


"Extra-txt"

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 255 MiB / 59.32 MiB
Pagefile Memory (total/avail): 619.64 MiB / 340.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.23 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 27.91 GiB total, 17.28 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD300EB-75CPF0 - 27.95 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 27.91 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.524 v7.5.524 (Grisoft)
AV: Norton AntiVirus v2003 (Symantec Corporation) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\PPLive\\PPLive.exe"="C:\\Program Files\\PPLive\\PPLive.exe:*:Disabled:PPLive"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Disabled:PPMate"
"C:\\Program Files\\KWMUSIC\\KwMV.exe"="C:\\Program Files\\KWMUSIC\\KwMV.exe:*:Disabled:酷我MV传输引擎"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\hook\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D34GW71S
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\hook
LOGONSERVER=\\D34GW71S
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\hook\LOCALS~1\Temp
TMP=C:\DOCUME~1\hook\LOCALS~1\Temp
USERDOMAIN=D34GW71S
USERNAME=hook
USERPROFILE=C:\Documents and Settings\hook
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

hook (admin)
my personal files (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0.5 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
ArcSoft Camera Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD708DF0-9F04-4CB3-821A-85804A833B4D}\setup.exe" -l0x9 -uninst
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Chinese Star XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E550CD5-051A-421B-9E43-BD6FD9BFED6F}\setup.exe"
Conexant SmartHSFi V92 56K DF PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2702\HXFSETUP.EXE -U -IDel8d8xk.INF
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Digicert Digital Certificate Utilities Module --> MsiExec.exe /I{E13A3F52-7C1D-4E92-AC52-15AF3B26A180}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DSL500U ADSL USB Modem --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEBED42E-0BF4-11D5-928C-0060677630C4}\Setup.exe"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BC69DDB8-4840-4D9B-BB31-0D4DB2BA1312}\SETUP.EXE" -l0x804 UNINST
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x804 -u
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
ESC58_59 User's Guide --> C:\Program Files\EPSON\TPMANUAL\ESC58_59\ENG\USE_G\DOCUNINS.EXE
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iFinger 2.0 --> C:\PROGRA~1\iFinger\UNWISE.EXE C:\PROGRA~1\iFinger\INSTALL.LOG
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Lexmark X5100 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBAUN5C.EXE -dLexmark X5100 Series
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MP3 Player Utilities 3.75 --> MsiExec.exe /I{7784A172-61F1-445E-8368-601607E0DD22}
Norton AntiVirus 2003 --> MsiExec.exe /I{EDCD4CE3-DE92-49A9-87F9-FE09B2FBA16C}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
PIF DESIGNER --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B90450DF-E781-46FD-B1F1-0C86DA40E443}\SETUP.EXE" -l0x9 anything
Quick Start V1.3 --> "C:\Program Files\Prolink Hurricane 9000C\unins000.exe"
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sony Ericsson PC Suite --> MsiExec.exe /I{B56B1487-9A26-4AFD-A1FD-949C40F5F2BC}
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Typing Arcade --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SOURCENEXT\Typing Arcade\Uninst.isu"
Windows Blaster Worm Removal Tool (KB833330) --> C:\WINDOWS\$NtUninstallKB833330$\spuninst\spuninst.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WordPerfect Office 2002 --> C:\WINDOWS\Corel\uninst32.exe
WordPerfect Office 2002 --> C:\WINDOWS\Corel\Uninst32.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type20861 / Error
Event Submitted/Written: 07/24/2008 06:46:49 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20860 / Error
Event Submitted/Written: 07/24/2008 06:46:47 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20859 / Error
Event Submitted/Written: 07/24/2008 06:46:44 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20762 / Error
Event Submitted/Written: 07/19/2008 00:06:18 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type20761 / Error
Event Submitted/Written: 07/19/2008 00:03:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type109906 / Error
Event Submitted/Written: 07/27/2008 11:13:07 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type109905 / Error
Event Submitted/Written: 07/27/2008 11:12:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type109897 / Error
Event Submitted/Written: 07/27/2008 10:54:49 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service ntmssvc with arguments "-Service"
in order to run the server:
{D61A27C6-8F53-11D0-BFA0-00A024151983}

Event Record #/Type109893 / Error
Event Submitted/Written: 07/27/2008 10:51:42 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type109892 / Error
Event Submitted/Written: 07/27/2008 10:51:05 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SYMTDI
Tcpip



-- End of Deckard's System Scanner: finished at 2008-07-28 00:57:20 ------------

BC AdBot (Login to Remove)

 


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 08 August 2008 - 01:05 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner Log which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

The following entry shows that the Microsoft System Configuration Utility is in use and indicates you are using a Selective Startup:

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

This means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to enable those startup entries by doing the following:

Please go to:
  • Start > Run, and type: MSConfig . Press Enter
  • In the General tab, Startup Selection, choose: Normal Startup-load all device drivers and services
  • Press OK until you are out of the program.
  • Reboot and post a new HijackThis log.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Robert789

Robert789
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 08 August 2008 - 09:23 PM

Dear Suebaby41:

First, let me say thank you for your help.

Let me elaborate more on my computer problems:

Now, most of my control panel functions, like "add/remove program", "add hardware", date & time"
and etc has been attacked by this "Rundll32.exe" malware. Everytime I clicked on these function,
the computer will reply " C:\ windows\system32\rundll32.exe is not a valid win32 application."
But I still can run internet and microsoft office on this computer.


I have followed your steps:

1. change msconfig to "normal start up"

2. Run the Deckard's system scanner log.
Below are the log.

Kindly help to see what I can do to fix the problems.
Thanks a lot .

Robert Kee/ Singapore




Deckard's System Scanner v20071014.68
Run by hook on 2008-08-09 10:20:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 87% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as hook.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:31 AM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\hook\Desktop\my download files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\hook.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 4870 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-04 22:43:14 0 d--hs---- C:\0019AB1B
2008-08-02 23:55:52 0 d-------- C:\Program Files\Windows Defender
2008-07-29 21:54:05 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-29 21:45:29 0 d-------- C:\kav
2008-07-29 21:45:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-27 22:49:49 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-27 22:49:49 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-27 22:49:49 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-27 22:49:49 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-07-27 22:49:49 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-27 22:49:49 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-07-27 22:49:49 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-27 22:49:49 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-07-27 22:49:49 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-27 22:49:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-27 22:49:49 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-07-27 22:49:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-07-27 22:49:48 786432 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT


-- Find3M Report ---------------------------------------------------------------

2008-08-09 10:12:26 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-09 10:11:52 0 d-------- C:\Program Files\Common Files
2008-07-28 17:52:35 445 --a----c- C:\WINDOWS\EntPack.dat
2008-07-15 22:48:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-06 22:19:57 0 d-------- C:\Program Files\Norton AntiVirus
2008-07-06 15:04:18 0 d-------- C:\Program Files\Trend Micro
2008-07-06 14:25:54 0 d-------- C:\Program Files\1 Click PC Fix
2008-07-06 11:50:21 0 d-------- C:\Program Files\Lavasoft
2008-07-06 11:49:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 11:16:28 0 d-------- C:\Program Files\Prolink Hurricane 9000C
2008-07-06 11:16:13 0 d-------- C:\Program Files\Free Download Manager
2008-07-05 20:56:10 0 d-------- C:\Documents and Settings\hook\Application Data\Free Download Manager
2008-06-23 12:14:38 0 d-------- C:\Program Files\MSBuild
2008-06-23 12:14:10 0 d-------- C:\Program Files\Reference Assemblies
2008-06-23 12:01:07 0 d-------- C:\Program Files\MSXML 6.0
2008-06-09 17:39:24 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/06/2003 02:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 10:56 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05/04/2005 09:18 PM]
"nwiz"="nwiz.exe" [10/06/2003 02:16 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [12/16/2002 07:10 PM]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [04/03/2002 01:01 AM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [12/02/2003 04:11 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/02/2003 04:11 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" []
"AME_CSA"="amecsa.cpl" [01/29/2003 02:16 PM C:\WINDOWS\SYSTEM32\AmeCSA.cpl]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [09/24/2005 01:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [09/19/2005 04:18 PM]

C:\Documents and Settings\hook\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 9:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"





-- End of Deckard's System Scanner: finished at 2008-08-09 10:21:06 ------------

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 09 August 2008 - 01:20 PM

A few things you may do prior to cleaning:During the cleaning process, if any other issues appear, please let us know. Please do not make any changes on your computer during the cleaning process or download and add programs on your computer unless instructed to do so. Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 09 August 2008 - 01:39 PM

Now, most of my control panel functions, like "add/remove program", "add hardware", date & time"
and etc has been attacked by this "Rundll32.exe" malware. Everytime I clicked on these function,
the computer will reply " C:\ windows\system32\rundll32.exe is not a valid win32 application."

The rundll32.exe file is located in the folder C:\Windows\System32. In other cases, rundll32.exe is a virus, spyware, trojan or worm!
Please do a search for rundll32.exe. If you find it located in another place than C:\Windows\System32, write down the location and post it in your next reply.
  • Click Start > Search > All Files and Folders.
  • Under Search by any or all of the criteria below, in the All or part of the file name: dialog box, type rundll32.exe.
  • At this point, you can click Search or scroll down until you see More Advanced Options.
  • Under More Advanced Options, click to place a check mark by
    • Search system folders.
    • Search hidden files and folders.
    • Search subfolders.
  • Click Search. In the right pane, you will see the file(s) listed if any are found.
  • If any of these files are found. please write down the location of the file(s).
  • Right click them and select Properties. Please record:
    • the date created
    • date modified
    • vendor
    • revision #
    • all other pertinent information
  • Post this information in your next reply.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 09 August 2008 - 01:53 PM

The entries below indicate that you may have two antivirus programs on your computer.

Kaspersky Anti-Virus 7.0

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

Norton AntiVirus

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Multiple antivirus programs can interfere with one another and actually allow MORE viruses to get through. Running two antivirus programs at the same time could lead to both of them trying to scan the same file at the same time, scan the same email at the same time and so on which could lead to conflicts.

Most of the popular antivirus products, when running together, will "fight for control" over the user's machine. It is this conflict that will slow down the system speed and cause various serious compatibility problems. This can also create registry conflicts as well as causing false virus alerts - or worse, missing alerts entirely! Having more than one antivirus program running and "active in memory" will use more resources which will adversely affect your access to files and cause overall system slowdowns.

Symantec strongly recommends that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

See Should you run more than one antivirus program at the same time?

Kaspersky Lab experts do not recommend using more that one antivirus package on the computer as the co-work of two different Antivirus programs may lead to computer productivity and operating system fall. And to solve the problem of Antivirus applications you will need to reinstall the operating system.

See Co-use of Kaspersky AntiVirus 5.0 and Antivirus packages of other vendors

Ask Leo said:

Real time monitoring, on the other hand, is another story. When you install most anti-virus programs they often automatically install and enable their real-time monitors. Running two or more real-time anti-virus monitors at the same time is very likely to cause a conflict. That conflict could result in error messages, crashes of the anti-virus programs, or other types of failure.

See Can I run more than one anti-virus program? Anti-spyware program? Firewall? Should I?

Types Of Antivirus Programs:

There are basically two types of antivirus programs: On-Access and On-Demand

On-Access Scanners, as the name implies, run in the background all the time the PC is turned on and running. The main function of an on-access scanner is to monitor activity on your machine.

On-Demand Scanners, such as Online Scans and scanners that run on your machine but are not actively scanning your machine, as the name implies, are scanners that only run when you ask them to run.

Antivirus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two antivirus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. I notice that you are using more than one antivirus program. This is very dangerous, as multiple antivirus programs can interfere with one another and actually allow MORE viruses to get through. Running two antivirus programs at the same time could lead to both of them trying to scan the same file at the same time, scan the same email at the same time and so on which could lead to conflicts.
I strongly suggest you do one of the following:
  • Configure only one antivirus program to enable automatic realtime scanning and leave the rest disabled most of the time.
  • Go to "Start -> Control Panel -> Add/Remove Programs" and uninstall all but one antivirus program.
Please post a new HijackThis log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#7 Robert789

Robert789
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 10 August 2008 - 04:25 AM

Dear Suebaby41 :

Following are actions I have taken as per your instructions in your
3 replies:

1. Why I have two anti-virus software in my computer – Reason being my Norton anti-virus has been expired long time ago. By installing the Kaspersky anti-virus 7.0 recently, I hoped it can detect the Rundll32.exe virus. However after installation, my system becomes very slow and hang frequently.
Also, after scanning, it still cannot fix the virus problem. I have no choice but to un-install it by click the start-all programs- Kaspersky – uninstall. Now the Kaspersky icon is not in the all programs list, but it remained in my computer. ( Please note I can’t use the control panel- add/remove program to do the uninstall as it has been taken over by the “Rundll32.exe” virus and I cannot open it at all. )

2. I have backed up some of my files and start the windows in Safe Mode. Also, the window explorer has been configured to show all hidden files and folders.

Please note : I have just installed the Java version 6, update 7 in my computer as the back up software “Xdrive” need the java.

As you have not provide any instruction to clean up my computer in your reply, hence I did not know
what software to use for cleaning up.

3. I have do a search of rundll32.exe on my computer and found these 5 files :
a) rundll32.exe at C:\I386
created on May 13, 2003, modified on Aug 29, 2002.
File version : 5.1.2600.0
File size: 31744 bytes
Company: Microsoft Corporation

:thumbsup: rundll32.exe at C:\Windows\$NtServicepack Uninstall$
created on Oct 30, 2004, modified on Aug 29, 2002.
File version : 5.1.2600.0
File size: 31744 bytes
Company: Microsoft Corporation

c) rundll32.exe –73C8210F.pf at C:\Windows\Prefetch
created on Oct 30, 2004, modified on May 13, 2008.
File version : not stated
File size: 20872 bytes

d) rundll32.exe at C:\Windows\System32
created on Aug 29, 2002, modified on Aug 4, 2004.
File version : not stated
File size: 0 bytes


e) rundll32.exe at C:\Windows\servicepackFiles\i386
created on Aug 4, 2004, modified on Aug 4, 2004.
File version : 5.1.2600.2180
File size: 33280 bytes
Company: Microsoft Corporation


That’s all. Hope these info will help you.
Please advice how to clean up these virus from my computer.
Thanks a lot.

Robert Kee
Singapore

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 10 August 2008 - 03:24 PM

3. I have do a search of rundll32.exe on my computer and found these 5 files :
a) rundll32.exe at C:\I386
created on May 13, 2003, modified on Aug 29, 2002.
File version : 5.1.2600.0
File size: 31744 bytes
Company: Microsoft Corporation

rundll32.exe at C:\Windows\$NtServicepack Uninstall$
created on Oct 30, 2004, modified on Aug 29, 2002.
File version : 5.1.2600.0
File size: 31744 bytes
Company: Microsoft Corporation

c) rundll32.exe –73C8210F.pf at C:\Windows\Prefetch
created on Oct 30, 2004, modified on May 13, 2008.
File version : not stated
File size: 20872 bytes

d) rundll32.exe at C:\Windows\System32
created on Aug 29, 2002, modified on Aug 4, 2004.
File version : not stated
File size: 0 bytes


e) rundll32.exe at C:\Windows\servicepackFiles\i386
created on Aug 4, 2004, modified on Aug 4, 2004.
File version : 5.1.2600.2180
File size: 33280 bytes
Company: Microsoft Corporation

Locations are OK - backup copies of system files are held in i386 and memory usage is OK.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

Older versions of Java Runtime Environment have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older versions of Java Runtime Environment..
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer after all Java components are removed.
Step 3

Your "Adobe Reader" is out of date.
You may want to download the latest version, Adobe® Reader® 9.

Step 4

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 5

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 6

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:
  • Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 7

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected and minimizes interruptions and helps you stay productive.

Please download and install Windows Defender.
  • Confirm that your computer meets the minimum system requirements to install Windows Defender.
  • Visit the Windows Defender page in the Microsoft Download Center. Click the Continue button and follow the directions on the succeeding pages to download the program and start the Installation Wizard.
  • Follow the steps in the Installation Wizard. You will be asked if you want to participate in the Microsoft SpyNet online community. We suggest you choose the first option,
  • Use recommended settings.
  • Click Next to continue.
  • Click Install to begin installing Windows Defender.
  • When installation is complete, click Finish. Windows Defender will begin to scan your computer.
  • For more information, See How to install and set up Windows Defender
Step 8

ATF-Cleaner features include:
  • Cleaning of all user temp folders, administrator only can use this feature.
  • Cleaning of the Java cache, which seems to be harboring more and more malware.
  • Cleaning the cache, cookies, history, download history, visited links and saved passwords. You have the option of checking no if you want to save your passwords.
Please download the ATF-Cleaner by Atribune.
Instructions:
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP) only
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 9

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 10

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.


Step 11

If you did not add the listed domain to the Trusted Zones yourself, have HijackThis fix it.

O15 - ESC Trusted Zone: http://*.update.microsoft.com

Step 12

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 13

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#9 Robert789

Robert789
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 11 August 2008 - 12:13 PM

Dear Suebaby41 :

I have problems in some of the steps that you instructed :

1. printed the instructions.

2. I can't perform step 2 as my Add/remove programs function is not working.
when I click on it, error message " c:\windows\system32\rundll32.exe is not a
valid win32 application. "

is there any other way I can use to remove the Java runtime environment or
can I skip step 2 ?

3. I skip step 3 as I seldom use Adobe Reader.

4. I can only run Trend Micro Housecall & This scanner from Trend. (looks like these 2 are the same
software) After finished running,
the scanner just closed by itself without any message . Is it work this way for these scanner ?

The other 4 antivirus software I have problem running on my system.

5. have downloaded Spybot-S&D.
It is running bot-check now. But it take very long time in running the bot-check especially
at the last part of the scan. Finally the scan finished and it fixed 16 checked areas.




some doubts on step 9. ( I have not run step 9 yet)
you stated : " place checks next to the following entries (make sure not to miss any):

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

Question :
Do you mean that I only fix checked this entry only or I have to fix checked all the 04 entries or any other entries ??


It's getting late now. Our time 1.15 am. I have to go and sleep now as I need to
wake up early tomorrow morning for works.

I'll continue working on the steps tomorrow night.

Thanks a lot.


Robert Kee/ Singapore

#10 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 11 August 2008 - 06:51 PM

Let's see if this will repair your Add or Remove Programs.

  • Locate your Windows XP installation CD. If you do not have one, you will need to locate a directory on your system that is named i386. This directory may be on a hidden partition on your hard drive.
  • Go to Start > Run, and type in SFC /SCANNOW (with a space between the SFC and the /SCANNOW).
  • Cllick Enter. (For VISTA, go to Start and type in the above information, then go to the top of the box and right click on SFC /SCANNOW and select Run As Administrator.)
  • This command will immediately initiate the Windows File Protection service  to scan all protected files and verify their integrity, replacing any file(s) that is identified as a problem(s).
  • The program may (or it may not) ask you for your Windows XP installation CD - please insert it at the prompt. If it does not ask you for the CD, this means that it was not necessary to replace any files.
  • In the event the the system asks you for the CD, you must visit Windows Update immediately after the scan is completed (Please note that there will not be any confirmation dialog - the program will just exit without telling you anything).
  • If this does not repair the problem with your system, other troubleshooting procedures are required.
  • For more information, see
  • Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
  • How to Use SFC.EXE Resource Checker to Fix and Recover Incorrect or Corrupted System Files
  • How to Use SFC.EXE to Repair System Files

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#11 Robert789

Robert789
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 13 August 2008 - 11:11 AM

Dear Suebaby41 :

a) I use SFC /scanow to restore my system files and it worked.
Now I can use the add/remove programs functions on the control panel.

:thumbsup: I have uninstall the norton anti-virus program from my computer as it is
long over due and not updated. Now I use Kasperky 7.0 as the only anti-virus software in my
system. However after install Kasperky 7.0, now the system slow down a lot. is this program
need a lot of memory ?? My system has only 512K Ram.

c) below are what happen when I follow your 13 steps.
Step 1. printed out the instructions.

2. There were no JRE or J2SE in the programs list. Hence I did not remove any Java programs.

3. as I seldom use Adobe reader, hence I skip this step.

4. I have run Trend micro housecall and this scanner from trend. These two programs looks
the same. It just close the window itself without any message when finished scanning.

5. Run Spybot-S&D. Remove some spywares.

6. downloaded and installed spywareBlaster.

7. Run window defender.

8. Run ATF-Cleaner. select all and remove.

9. after running Hijackthis, see below for the log :
I do not know which entries need to be fixed. is it all 04 ??? kindly advice.

10. use Spybot-S&D advance option to uncheck most of the start up programs. However some
programs will still automatically run in the start up after re-start even I have unchecked them in the start up menu.

11. 015 ESC Trusted .....update.microsoft.com were in the log.

12. Run ATF cleaner again.

13. run Hijack this in normal mode and the log is same as step 9. see below for the log.

Pls help to check whether my system is it now free of virus ??? also, how to improve the
system performance to make it run faster with 512k Ram.

Thanks a lot.
Robert Kee/ Singapore

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:34 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 3706 bytes

#12 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 13 August 2008 - 03:38 PM

Step 1

some doubts on step 9. ( I have not run step 9 yet)
you stated : " place checks next to the following entries (make sure not to miss any):
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
Question :
Do you mean that I only fix checked this entry only or I have to fix checked all the 04 entries or any other entries ??

Only "fix checked" the entry I gave you. Do NOT "fix checked" all the O4's.

cool.gif I have uninstall the norton anti-virus program from my computer as it is
long over due and not updated. Now I use Kasperky 7.0 as the only anti-virus software in my
system. However after install Kasperky 7.0, now the system slow down a lot. is this program
need a lot of memory ?? My system has only 512K Ram.

I use AVAST4 and highly recommend it.
There are a few available for free that have excellent reputations.

AVG 8 Anti-Virus Free Edition

AntiVir Personal

Avast! 4 Home Edition
If needed, see How to Install, Configure, and Use Avast Antivirus

Step 2

You have remnants of Norton AntiVirus in your system..Please run the Norton Removal Tool to clean all the leftovers of your Norton Antivirus.
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Step 3

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.

Please disable the following programs:
  • Please disable Spybot - Search and Destroy TeaTimer, as it will prevent HijackThis from fixing the infection. You can enable it after you're clean. To disable Spybot - Search and Destroy TeaTimer:
  • Open Spybot - Search and Destroy.
  • Click Mode in the toolbar.
  • Select Advance Mode.
  • Click Tools.
  • ClickResident.
  • Uncheck the box next to Resident Tea-Timer.
  • Close Spybot - Search and Destroy.
  • Reboot your machine.
    Don't forget to restart Spybot - Search and Destroy's Teatimer when your machine is clean and undo the changes above.
  • If needed, How To Disable Spybot Search and Destroy TeaTimer.
  • Please disable Windows Defender.
  • Click Start > Programs > Windows Defender or launch from the system tray icon.
  • Click on Tools
  • Click on General Settings
  • Scroll down to Real-time protection options
  • Uncheck Turn on Real-time protection (recommended)
  • Click Save
  • Go to Start > Control Panel > Security > Windows Defender, at the bottom of the Window Defender's page, uncheck under Administrator Options, use Windows Defender and then Save.
  • Exit the program.
Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again.

Step 4

You did a good job of cleaning your startup. Just a few more need to be removed from your startup. Remember you are not removing the program(s) itself; you are just removing it/them from startup.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

nwiz.exe is a part of NVidia's Nview features installable alongside its graphics hardware products. This application will give the user access to additional features which allow the configuration of up to 32 monitors on a host or to expand the desktop across many monitors. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

NvCpl.dll,NvStartup initializes the clock and memory settings on nVidia based graphics cards. Enable if you overclock your card. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

Ctsvccda.exe (Creative's PlayCenter-- Soundblaster Audigy sound cards) process can be removed to free up resources without compromising system performance. Resident program for Creative's PlayCenter included with Soundblaster Audigy sound cards - speeds up detection of some media CDs if the system doesn't natively support them. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. To change the service to Manual.
  • Right-click on My Computer and choose Manage.
  • Expand the Services and Applications section and click on Services.
  • On the right-side of the screen, find the entry for name of O23 service identified in HijackThis and double-click on it.
  • Change the Startup Type: to Manual.
  • Hit the OK button and close the Computer Management screen.
It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd – C:\WINDOWS\System32\CTsvcCDA.exe

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

How is your computer running now?
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#13 Robert789

Robert789
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 16 August 2008 - 09:22 AM

Dear Suebaby41:

Very busy last two night, sorry for the late response.

have performed thsee steps as your instructions :

Step 1. Remove Kaspersky software. Install Avast! anti-virus software.

step 2: run the Norton Removal tool.

step 3. a) Disable Spybot S&D Teatimer, Re-boot.

:thumbsup: Uncheck Turn on Real-time protection for Window Defender. and re-start.

step 4. run ijack this and scan. tick the "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install " and "O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"
and click fix-checked.

Notice that the second item re-apprear after re-boot. Only item 1 has been removed.

c) run my computer - manage - services and applications - services .
set some of the 023 services to " manual".


Some problems :

1. Now system take more than 5 minutes to start up. Beginning system response very slow.
but it turns better after sometimes.

2. Notice that there are some new start-up items when viewing using Spy-bot S&D advance - tools- startup. when unchecked these items, but they checked by themselves after re-start the system.
these are the items :
Key value command line
-------- --------- -----------------
a) Winlogin (Current system ) Crypt32 chain crypt32.dll
:) Winlogin (Current system ) cryptnet cryptnet.dll
c) Winlogin (Current system ) cscdll cscdll.dll
d) Winlogin (Current system ) ScCertProp Wlnotify.dll
e) Winlogin (Current system ) Schedule Wlnotify.dll
description for this item : schedule for mercury Ez view TV Tuner Card
Source : Paul Collins startup list
f) Winlogin (Current system ) Sclgnyfy sclgntfy.dll
g) Winlogin (Current system ) Senslogn Wlnotify.dll
h) Winlogin (Current system ) termsrv Wlnotify.dll
i) Winlogin (Current system ) wgaLogon wgalogon.dll
j) Winlogin (Current system ) slballon slnotify.dll


Please help to identify what caused the system to take such a long time to boot
and why it response so slow at beginning ?

Thanks a lot.

Robert Kee


Last run the Hijack This again. below are the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:22 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3802 bytes

#14 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:28 AM

Posted 17 August 2008 - 11:02 PM

Your HijackThis log looks good. Let's see if we can find out which programs are starting up on your computer.

Step 1

Please download Silent Runners.
There is also a zipped version of Silent Runners.
  • If you used the zipped version, unzip/extract the file to its own folder:
    C:\Silent Runners.
  • Double-click the SilentRunners.vbs inside the folder or on your desktop
    to start.
  • A message box will appear asking if you want to skip the supplemental
    searches. Press Yes to skip [default] or No to include them.
  • Another message box will appear saying: Silent Runners has started. A
    message box like this will appear when it's done.
    The tool will scan your
    system and create a log by default, in the same directory as the script or
    on your desktop. The log is named Startup Programs (ComputerName)
    date/timestamp.txt.
  • When finished, the next message to appear will say: All Done! the
    results are in the file...
    (it will provide the full path location of the
    log.
  • Copy & paste the log in your next reply.
Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this
script, you can click to allow it to execute.


Step 2

We need to do a search for the following files/folders:
  • Click Start > Search > All Files and Folders.
  • Under Search by any or all of the criteria below, in the All or part of the file name: dialog box, type slnotify.dll.
  • At this point, you can click Search or scroll down until you see More Advanced Options.
  • Under More Advanced Options, click to place a check mark by
    • Search system folders.
    • Search hidden files and folders.
    • Search subfolders.
  • Click Search. In the right pane, you will see the file(s) listed if any are found.
  • If any of these files are found. please right click them and select Properties. Please record:
    • the date created
    • date modified
    • vendor
    • revision #
  • Post this information in your next reply.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#15 Robert789

Robert789
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:28 PM

Posted 20 August 2008 - 08:48 AM

Dear Suebaby41 :

Sorry for late reply.
1. I have run the "silent runners" and below are the log file.

2. Did a search for the "slnotify.dll", but can't find any file.


Now my computer is in much better shape except the slow start up problem. Thanks a million
for your help.

Robert Kee/ Singapore


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
EPPShellEx\(Default) = "{509FE1AF-ADD5-49EC-BC55-7CF81FD16E78}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll" ["SEIKO EPSON CORPORATION"]
VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
-> {HKLM...CLSID} = "AmvTransform Class"
\InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\AmvTransform.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\hook\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

EpsonCreativitySuite\
"Provider" = "FileManager"
"InvokeProgID" = "EpsonCreativitySuite"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\EpsonCreativitySuite\shell\Play\DropTarget\CLSID = "{7720BCC1-4F11-4f17-A80F-0BB69EF9788F}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Program Files\EPSON\Creativity Suite\File Manager\eppqcom.exe" [null data]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

RoxioSelectOnArrival\
"Provider" = "Roxio Easy CD Creator"
"InvokeProgID" = "CreateCD50"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CreateCD50\shell\open\Command\(Default) = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -x" ["Roxio"]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"
-> {HKLM...CLSID} = "EPSON Web-To-Page"
\InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" [file not found]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{0CBD5120-990B-11D3-8ABD-00C04FA95EE0}\(Default) = "iFinger"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\SHDOCVW.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus C59 Series 32MonitorBP\Driver = "E_FLBBHP.DLL" ["SEIKO EPSON CORPORATION"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


---------- (launch time: 2008-08-20 21:20:22)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 81 seconds, including 14 seconds for message boxes)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users