Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cpu Usage At 100%- Possible Malware?


  • This topic is locked This topic is locked
38 replies to this topic

#1 gezkc

gezkc

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 29 July 2008 - 12:05 PM

Hi,

Recently my computer has really slowed down, particularly after connecting to the internet. It's fine at first, but if I use it for an extended period (say an hour), it starts to really slow down. Checking in task manager, it shows that the CPU usage is 100% and explorer.exe is at over 90, even with no applications running. If I then shut down the computer and restart it, it seems ok again.

I've got a Celeron 2800MHz with 1504Mb RAM and Norton Internet Security 2005 (updated). I've run a virus scan using Norton and it's found nothing (by the way, if I deinstall Norton, the problem seems to disappear, but on re-installing it, the slowdown happens again).

I had a very similar problem about a year ago and SifuMike kindly solved the problem for me on here. I'm hoping you guys can find the source of the problem again, as this is driving me mad!

I've run DSS and the log file is shown below (I disabled Norton before running this btw):

Deckard's System Scanner v20071014.68
Run by Mrs Casey on 2008-07-29 17:47:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
15: 2008-07-29 16:47:45 UTC - RP231 - Deckard's System Scanner Restore Point
14: 2008-07-29 16:22:39 UTC - RP230 - Removed Java™ SE Development Kit 6 Update 1
13: 2008-07-29 16:21:16 UTC - RP229 - Removed Java™ 6 Update 7
12: 2008-07-26 14:19:14 UTC - RP228 - System Checkpoint
11: 2008-07-23 19:45:31 UTC - RP227 - Installed Java™ 6 Update 7


-- First Restore Point --
1: 2008-07-05 14:55:26 UTC - RP217 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mrs Casey.exe) -------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-29 17:48:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
H:\WINDOWS\system32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
H:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
H:\Program Files\Norton Internet Security\ISSVC.exe
H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
H:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
H:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
H:\WINDOWS\system32\CTSVCCDA.EXE
H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
H:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LiveUpdate\LiveUpdate.exe
H:\Documents and Settings\Start Menu\Desktop\dss.exe
H:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - H:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - H:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - H:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - H:\Program Files\Norton Internet Security\Norton AntiVirus\NAVSHEXT.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zzGBK] D:\setup.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BTCLiveUpdate] "H:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.facebook.com (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136645533382
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A4BDBD6-7695-43CD-B5A7-BC4E2C0E8901}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - H:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - H:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - H:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\CCPWDSVC.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSVC - Symantec Corporation - H:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - H:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - H:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: SAVScan - Symantec Corporation - H:\Program Files\Norton Internet Security\Norton AntiVirus\SAVSCAN.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\Script Blocking\SBSERV.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - H:\WINDOWS\system32\YPcservice.exe


--
End of file - 10468 bytes

-- HijackThis Fixed Entries (H:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070501-183236-705 O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
backup-20070501-183236-725 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - h:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R0 sisidex - h:\windows\system32\drivers\sisidex.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - h:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R1 StarOpen - h:\windows\system32\drivers\staropen.sys
R2 MASPINT - h:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>

S3 BlueletAudio (Bluetooth Audio Service) - h:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - h:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - h:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - h:\windows\system32\drivers\vbtenum.sys
S3 BTNetFilter (Bluetooth Network Filter) - h:\windows\system32\drivers\btnetfilter.sys
S3 gdrv - h:\windows\gdrv.sys
S3 VComm (Virtual Serial port driver) - h:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - h:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EpsonBidirectionalService - h:\program files\common files\epson\ebapi\eebsvc.exe
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - h:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>

S3 YPCService - h:\windows\system32\ypcser~1.exe <Not Verified; Yahoo! Inc.; YPCService Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-29 17:47:00 262 --a----c- H:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-28 19:47:47 556 --a----c- H:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Mrs Casey.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-28 19:54:47 0 d------c- H:\Program Files\SymNetDrv
2008-07-28 19:25:45 0 d------c- H:\Program Files\Norton Internet Security
2008-07-28 19:24:52 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\Symantec
2008-07-28 19:24:10 0 d------c- H:\Program Files\Symantec
2008-07-28 19:24:05 0 d------c- H:\Documents and Settings\All Users\Application Data\Symantec
2008-07-23 21:39:43 0 dr-h---c- H:\Documents and Settings\Mrs Casey\Recent
2008-07-23 18:48:20 4608 --a----c- H:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-07-20 16:03:15 40960 -------c- H:\WINDOWS\system32\ChCfg.exe
2008-07-20 16:03:04 294912 -------c- H:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-20 16:03:04 200704 -------c- H:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-07-20 16:02:59 192512 -------c- H:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-20 16:01:06 266240 --a----c- H:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
2008-07-20 16:01:06 225280 --a----c- H:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
2008-07-20 16:01:06 28672 --a----c- H:\WINDOWS\CMIRmDriver.dll
2008-07-20 16:01:06 0 d------c- H:\Program Files\C-Media 3D Audio
2008-07-20 16:00:17 0 d------c- H:\Program Files\Gigabyte
2008-07-20 15:51:31 0 d------c- H:\Documents and Settings\Mrs Casey\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-07-29 17:37:35 0 d------c- H:\Program Files\Common Files\Symantec Shared
2008-07-29 17:33:06 0 d------c- H:\Program Files\Common Files
2008-07-20 16:06:02 4096 --a----c- H:\WINDOWS\gdrv.sys
2008-07-20 16:03:03 0 d--h---c- H:\Program Files\InstallShield Installation Information
2008-07-04 15:15:06 0 d------c- H:\Program Files\Common Files\Adobe
2008-07-04 15:08:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/2004 12:38]
"TkBellExe"="H:\Program Files\Common Files\Real\Update_OB\realsched.exe" [17/03/2008 21:34]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 00:56 H:\WINDOWS\system32\bthprops.cpl]
"zzGBK"="D:\setup.exe" []
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [23/02/2005 11:13 H:\WINDOWS\SOUNDMAN.EXE]
"ccApp"="H:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/01/2007 17:32]
"Symantec NetDriver Monitor"="H:\PROGRA~1\SYMNET~1\SNDMon.exe" [28/07/2008 19:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"BTCLiveUpdate"="H:\Program Files\LiveUpdate\LiveUpdate.exe" [08/03/2004 13:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Yahoo! Help.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Yahoo! Help.lnk
backup=H:\WINDOWS\pss\BT Yahoo! Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=H:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
"H:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
H:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"H:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
H:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
H:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
H:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
H:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
G:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}]
AutoRun\command- C:\ie.exe
explore\Command- C:\ie.exe
open\Command- C:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}]
AutoRun\command- C:\fooool.exe
explore\Command- C:\fooool.exe
open\Command- C:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}]
AutoRun\command- C:\fooool.exe
explore\Command- C:\fooool.exe
open\Command- C:\fooool.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 17:50:17 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 1503.48 MiB / 1098.97 MiB
Pagefile Memory (total/avail): 2077.1 MiB / 1833.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.95 MiB

A: is Removable (No Media)
D: is CDROM (No Media)
H: is Fixed (NTFS) - 76.32 GiB total, 66.27 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.32 GiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
AntivirusOverride is set.

FW: Norton Internet Security v2005 (Symantec Corporation) Disabled
AV: Norton Internet Security v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"H:\\Program Files\\MSN Messenger\\msnmsgr.exe"="H:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"H:\\Program Files\\Internet Explorer\\iexplore.exe"="H:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"H:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="H:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=H:\Documents and Settings\All Users
APPDATA=H:\Documents and Settings\Mrs Casey\Application Data
CLIENTNAME=Console
CommonProgramFiles=H:\Program Files\Common Files
COMPUTERNAME=CASEY-E39D8EAFA
ComSpec=H:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=H:
HOMEPATH=\Documents and Settings\Mrs Casey
LOGONSERVER=\\CASEY-E39D8EAFA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=H:\WINDOWS\system32;H:\WINDOWS;H:\WINDOWS\System32\Wbem;H:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=H:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=H:
SystemRoot=H:\WINDOWS
TEMP=H:\DOCUME~1\MRSCAS~1\LOCALS~1\Temp
TMP=H:\DOCUME~1\MRSCAS~1\LOCALS~1\Temp
USERDOMAIN=CASEY-E39D8EAFA
USERNAME=Mrs Casey
USERPROFILE=H:\Documents and Settings\Mrs Casey
windir=H:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mrs Casey (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "H:\Program Files\Creative Installation Information\CREATIVE_MEDIASOURCE_U\Setup.exe" /remove /l0x0009
--> "H:\Program Files\Creative Installation Information\E-CENTER_NET_CONTENT_U\Setup.exe" /remove /l0x0009
--> "H:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_CDBURNER_U\Setup.exe" /remove /l0x0009
--> "H:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_MTP_U\Setup.exe" /remove /l0x0009
--> "H:\Program Files\Creative Installation Information\E-CENTER_PLUGIN_ONLINESTORE_U\Setup.exe" /remove /l0x0009
--> "H:\Program Files\Creative Installation Information\MEDIASOURCE_PLAYER_SKINPACK_U\Setup.exe" /remove /l0x0009
--> H:\PROGRA~1\BTYAHO~3\Uninstall.exe btbb
--> H:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> H:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> H:\WINDOWS\NuNInst.exe /UNINSTALL
--> H:\WINDOWS\unmrw.exe /UNINSTALL
--> H:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> H:\WINDOWS\UNNMP.exe /UNINSTALL
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{21B6F79B-2286-4BB0-B1E3-BA6B9498D110}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{D3568156-59C3-42DF-A520-2C25B6706C91}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
--> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 H:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> H:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
All To MP3 Converter 2.15 --> "H:\Program Files\LitexMedia\All To MP3 Converter\unins000.exe"
ArcSoft Panorama Maker 4 --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{B69E3422-A3AB-42CE-8817-6C970328A1CD}\Setup.exe" -l0x9
ArcSoft PhotoImpression --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{6C5D7191-140A-11D6-B5A0-0050DA208A93}\setup.exe" -l0x9 -uninst
AudibleManager --> H:\Program Files\Audible\Bin\Upgrade.exe /Uninstall
BT Yahoo! Broadband Internet Connection Manager 4.2 --> H:\WINDOWS\UnsetupBT Yahoo! Broadband4.2.exe /B:h:\program files\bt yahoo! broadband\dialbbicm4.2.dll
BT Yahoo! Help --> H:\WINDOWS\Motive\btbb\MCCUninst.exe
C-Media 3D Audio --> H:\WINDOWS\CMIUnInstall.exe
CC_ccProxyExt --> MsiExec.exe /I{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}
ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
CCleaner (remove only) --> "H:\Program Files\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{FC08587A-4F01-4188-819F-F55880022917}
Creative MediaSource 5 --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series (R2) --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
EasyGPRS --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{56108448-9B38-4FF8-BE61-2ED13C19D0FE}\Setup.exe" -l0x9
Enable S3 for USB Device --> H:\WINDOWS\IsUninst.exe -f"H:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
EPSON Copy Utility --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON Photo Print --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9391F2BC-B6F3-4AAC-82CC-5A74A4ED388E}\setup.exe" -l0x9 MyUninstall
EPSON PhotoQuicker3.2 --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{B2EFE303-A594-11D5-95EB-005004BC1C65}\setup.exe" uninst
EPSON Printer Software --> H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
EPSON Smart Panel --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\setup.exe" -l0x9 Uninstall
EPSON TWAIN 5 --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\setup.exe" -l0x9 UNINSTALL
EVEREST Home Edition v2.20 --> "H:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
HijackThis 1.99.1 --> H:\PROGRA~1\HIJACK~1\HijackThis.exe /uninstall
Internet Access --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{75AECBC5-B17D-424B-B847-D7B72B6CB97C}\Setup.exe" -l0x9
LiveReg (Symantec Corporation) --> H:\Program Files\Common Files\Symantec Shared\LiveReg\VCSetup.exe /REMOVE
LiveUpdate --> H:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BAFA84F8-5A33-4ACD-AD10-58356B27A0F1}
LiveUpdate 3.0 (Symantec Corporation) --> "H:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Medi@Show --> H:\WINDOWS\IsUninst.exe -f"H:\Program Files\CyberLink\MediaShow\Uninst.isu"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "H:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "H:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 2.0 --> H:\Program Files\Microsoft Picture It! Express\Setup\setup.exe
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "H:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MicroStaff WINASPI --> H:\MWASPI\uninst.exe
MSN --> H:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Nero Suite --> H:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4e9e-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485f-9E18-C5025306BB3F}
Norton AntiVirus 2005 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton Internet Security --> MsiExec.exe /I{12E2B9E9-05B1-407d-B0FD-B5F350535125}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}
Norton Internet Security --> MsiExec.exe /I{A93C9E60-29B6-49da-BA21-F70AC6AADE20}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security --> MsiExec.exe /I{FC2C0536-583C-46c0-844A-62CECAE01F22}
Norton Internet Security 2005 (Symantec Corporation) --> H:\Program Files\Common Files\Symantec Shared\SymSetup\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}.exe /X
Norton WMI Update --> MsiExec.exe /X{E85FA9A1-C241-4698-893B-DD99509B8DB0}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
PowerDVD --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer --> H:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SAMSUNG CDMA Modem Driver Set --> H:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software --> H:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software --> H:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> H:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> H:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 2.1 --> H:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{D48C9BFC-FBCF-4F29-B97D-822ED6D497FE} /l1033
Samsung PC Studio 3 --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Samsung PC Studio 3 USB Driver Installer --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
Samsung USB Driver (MCCI 4.24) --> H:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{77F09242-A107-4CB6-A295-D8656C2C3795}
ScanToWeb --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
SiS 661FX --> Rundll32 SiSInst.dll,Uninstall VGA,R
SiS 900 PCI Fast Ethernet Adapter Driver --> H:\Progra~1\SiSLan\Uninst.exe
Sony USB Driver --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpeedTouch USB Software --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\setup.exe" /l0009 -Control_Panel
Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Windows Live Toolbar --> "H:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Format 11 runtime --> "H:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
ZENcast Organizer --> RunDll32 H:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove


-- Application Event Log -------------------------------------------------------

Event Record #/Type51216 / Error
Event Submitted/Written: 07/29/2008 05:31:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nmain.exe, version 103.0.2.10, faulting module ascompbr.dll, version 2005.1.0.163, fault address 0x00009179.
Processing media-specific event for [nmain.exe!ws!]

Event Record #/Type51215 / Error
Event Submitted/Written: 07/29/2008 05:30:58 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nmain.exe, version 103.0.2.10, faulting module ascompbr.dll, version 2005.1.0.163, fault address 0x00009179.
Processing media-specific event for [nmain.exe!ws!]

Event Record #/Type51113 / Error
Event Submitted/Written: 07/28/2008 07:34:23 PM
Event ID/Source: 11327 / MsiInstaller
Event Description:
Product: SPBBC -- Error 1327.Invalid Drive: C:\

Event Record #/Type51073 / Error
Event Submitted/Written: 07/24/2008 04:57:44 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type50970 / Error
Event Submitted/Written: 07/23/2008 09:30:41 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type83917 / Error
Event Submitted/Written: 07/29/2008 05:31:47 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type83916 / Error
Event Submitted/Written: 07/29/2008 05:31:30 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Symantec Core LC with arguments "-Service"
in order to run the server:
{60C70E11-2B08-4798-B366-C8450CDA7B1A}

Event Record #/Type83915 / Error
Event Submitted/Written: 07/29/2008 05:31:28 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Symantec Core LC with arguments "-Service"
in order to run the server:
{60C70E11-2B08-4798-B366-C8450CDA7B1A}

Event Record #/Type83914 / Error
Event Submitted/Written: 07/29/2008 05:31:26 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Symantec Core LC with arguments "-Service"
in order to run the server:
{60C70E11-2B08-4798-B366-C8450CDA7B1A}

Event Record #/Type83913 / Error
Event Submitted/Written: 07/29/2008 05:31:23 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service Symantec Core LC with arguments "-Service"
in order to run the server:
{60C70E11-2B08-4798-B366-C8450CDA7B1A}



-- End of Deckard's System Scanner: finished at 2008-07-29 17:50:17 ------------

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 09 August 2008 - 09:31 AM

Hello gezkc

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Dss log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 11 August 2008 - 05:51 AM

Hi Kahdah,

I'm not at the pc that's affected at the moment, but will post a new DSS log as soon as poss.

Thanks :thumbsup:

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 11 August 2008 - 06:29 PM

Ok.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 12 August 2008 - 11:59 AM

Hi,

Please see my new DSS log below. For some reason it only produced a Main.txt file this time, but no extra log file.

(By the way, I recently uninstalled my Norton Antivirus and am now using Avast4 free - my system's still slow, but not as slow as it was with Norton).

Deckard's System Scanner v20071014.68
Run by Mrs Casey on 2008-08-12 17:52:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-12 17:53:05
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
H:\WINDOWS\system32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
H:\WINDOWS\system32\CTSVCCDA.EXE
H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Alwil Software\Avast4\ashDisp.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LiveUpdate\LiveUpdate.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Documents and Settings\Start Menu\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BTCLiveUpdate] "H:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.facebook.com (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} () - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} () - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} () - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} () - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} () - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} () - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} () - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} () - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136645533382
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} () - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} () - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A4BDBD6-7695-43CD-B5A7-BC4E2C0E8901}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - H:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - H:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: YPCService - Yahoo! Inc. - H:\WINDOWS\system32\YPcservice.exe


--
End of file - 7968 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-04 22:12:54 0 dr-h---c- H:\Documents and Settings\Mrs Casey\Recent
2008-08-04 19:10:55 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\ZoomBrowser EX
2008-08-04 19:05:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\CameraWindowDC
2008-08-04 19:04:59 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\CANON INC
2008-08-04 18:58:47 0 d------c- H:\Program Files\QuickTime
2008-08-04 18:58:29 0 d------c- H:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-04 18:51:18 0 d------c- H:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-08-04 18:50:44 0 d------c- H:\Program Files\Canon
2008-08-04 18:49:35 0 d------c- H:\Program Files\Common Files\Canon
2008-08-01 20:53:53 0 d------c- H:\Program Files\Alwil Software
2008-07-23 18:48:20 4608 --a----c- H:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-07-20 16:03:15 40960 -------c- H:\WINDOWS\system32\ChCfg.exe
2008-07-20 16:03:04 294912 -------c- H:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-20 16:03:04 200704 -------c- H:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-07-20 16:02:59 192512 -------c- H:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-20 16:01:06 266240 --a----c- H:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
2008-07-20 16:01:06 225280 --a----c- H:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
2008-07-20 16:01:06 28672 --a----c- H:\WINDOWS\CMIRmDriver.dll
2008-07-20 16:01:06 0 d------c- H:\Program Files\C-Media 3D Audio
2008-07-20 16:00:17 0 d------c- H:\Program Files\Gigabyte
2008-07-20 15:51:31 0 d------c- H:\Documents and Settings\Mrs Casey\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-08-04 18:59:48 0 d--h---c- H:\Program Files\InstallShield Installation Information
2008-08-04 18:49:35 0 d------c- H:\Program Files\Common Files
2008-08-01 19:56:42 0 d------c- H:\Program Files\Common Files\Symantec Shared
2008-07-20 16:06:02 4096 --a----c- H:\WINDOWS\gdrv.sys
2008-07-04 15:15:06 0 d------c- H:\Program Files\Common Files\Adobe
2008-07-04 15:08:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/2004 12:38]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 00:56 H:\WINDOWS\system32\bthprops.cpl]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [23/02/2005 11:13 H:\WINDOWS\SOUNDMAN.EXE]
"avast!"="H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 15:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"BTCLiveUpdate"="H:\Program Files\LiveUpdate\LiveUpdate.exe" [08/03/2004 13:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Yahoo! Help.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Yahoo! Help.lnk
backup=H:\WINDOWS\pss\BT Yahoo! Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=H:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
"H:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
H:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"H:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
H:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
H:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
H:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"H:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
H:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}]
AutoRun\command- C:\ie.exe
explore\Command- C:\ie.exe
open\Command- C:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}]
AutoRun\command- C:\fooool.exe
explore\Command- C:\fooool.exe
open\Command- C:\fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}]
AutoRun\command- C:\fooool.exe
explore\Command- C:\fooool.exe
open\Command- C:\fooool.exe




-- End of Deckard's System Scanner: finished at 2008-08-12 17:54:03 ------------

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 12 August 2008 - 12:44 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\ie.exe
    C:\fooool.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=============
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
============
POst these logs:
OT MOve it log
Mbam log
New dss log

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 12 August 2008 - 01:54 PM

Hi again,

Here are the results of the three scans (I notice that the OT Moveit2 log says it couldn't find C:\ie/exe or C:\foool.exe. The C:\ drive on my pc is the removable (USB stick) drive - does this mean that one of my USB sticks is infected? Please excuse my ignorance if that's a stupid question!)

OTMoveit2

File/Folder C:\ie.exe not found.
File/Folder C:\fooool.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08122008_192839


mbam

Malwarebytes' Anti-Malware 1.24
Database version: 1045
Windows 5.1.2600 Service Pack 2

19:40:08 12/08/2008
mbam-log-8-12-2008 (19-40-08).txt

Scan type: Quick Scan
Objects scanned: 45406
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

New DSS log

Deckard's System Scanner v20071014.68
Run by Mrs Casey on 2008-08-12 19:43:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-12 19:43:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
H:\WINDOWS\system32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
H:\WINDOWS\system32\CTSVCCDA.EXE
H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Alwil Software\Avast4\ashDisp.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LiveUpdate\LiveUpdate.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Documents and Settings\Start Menu\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BTCLiveUpdate] "H:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.facebook.com (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} () - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} () - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} () - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} () - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} () - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} () - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} () - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} () - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136645533382
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} () - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} () - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A4BDBD6-7695-43CD-B5A7-BC4E2C0E8901}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - H:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - H:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: YPCService - Yahoo! Inc. - H:\WINDOWS\system32\YPcservice.exe


--
End of file - 8001 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 19:30:58 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\Malwarebytes
2008-08-12 19:30:53 0 d------c- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 19:30:52 0 d------c- H:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 22:12:54 0 dr-h---c- H:\Documents and Settings\Mrs Casey\Recent
2008-08-04 19:10:55 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\ZoomBrowser EX
2008-08-04 19:05:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\CameraWindowDC
2008-08-04 19:04:59 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\CANON INC
2008-08-04 18:58:47 0 d------c- H:\Program Files\QuickTime
2008-08-04 18:58:29 0 d------c- H:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-04 18:51:18 0 d------c- H:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-08-04 18:50:44 0 d------c- H:\Program Files\Canon
2008-08-04 18:49:35 0 d------c- H:\Program Files\Common Files\Canon
2008-08-01 20:53:53 0 d------c- H:\Program Files\Alwil Software
2008-07-23 18:48:20 4608 --a----c- H:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-07-20 16:03:15 40960 -------c- H:\WINDOWS\system32\ChCfg.exe
2008-07-20 16:03:04 294912 -------c- H:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-20 16:03:04 200704 -------c- H:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-07-20 16:02:59 192512 -------c- H:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-20 16:01:06 266240 --a----c- H:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
2008-07-20 16:01:06 225280 --a----c- H:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
2008-07-20 16:01:06 28672 --a----c- H:\WINDOWS\CMIRmDriver.dll
2008-07-20 16:01:06 0 d------c- H:\Program Files\C-Media 3D Audio
2008-07-20 16:00:17 0 d------c- H:\Program Files\Gigabyte
2008-07-20 15:51:31 0 d------c- H:\Documents and Settings\Mrs Casey\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-08-04 18:59:48 0 d--h---c- H:\Program Files\InstallShield Installation Information
2008-08-04 18:49:35 0 d------c- H:\Program Files\Common Files
2008-08-01 19:56:42 0 d------c- H:\Program Files\Common Files\Symantec Shared
2008-07-20 16:06:02 4096 --a----c- H:\WINDOWS\gdrv.sys
2008-07-04 15:15:06 0 d------c- H:\Program Files\Common Files\Adobe
2008-07-04 15:08:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/2004 12:38]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 00:56 H:\WINDOWS\system32\bthprops.cpl]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [23/02/2005 11:13 H:\WINDOWS\SOUNDMAN.EXE]
"avast!"="H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 15:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"BTCLiveUpdate"="H:\Program Files\LiveUpdate\LiveUpdate.exe" [08/03/2004 13:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Yahoo! Help.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Yahoo! Help.lnk
backup=H:\WINDOWS\pss\BT Yahoo! Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=H:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
"H:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
H:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"H:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
H:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
H:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
H:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"H:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
H:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


-- End of Deckard's System Scanner: finished at 2008-08-12 19:44:20 ------------

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 12 August 2008 - 02:38 PM

Yes you will have to plug in your flash drive and re-do the Ot move it steps using the same files as before for removal.
You can then post the OT MOve it log and a new dss log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 14 August 2008 - 01:37 PM

Hi,

I've run another OT Move it scan with the Flash drive plugged in (actually I did it with three different Flash drives just in case!) and the results are below. It still didn't seem to find those files:

USB Stick 1:

File/Folder C:\ie.exe not found.
File/Folder C:\fooool.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08142008_192956

USB Stick 2:

File/Folder C:\ie.exe not found.
File/Folder C:\fooool.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08142008_192906

USB Stick 3:

File/Folder C:\ie.exe not found.
File/Folder C:\fooool.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e1f45a9-5b80-11d9-999a-00148585cf61}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77086658-12f3-11dd-9af1-000e5038b636}\\ not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fa9b70e-3e34-11dd-9b3e-000e5038b636}\\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08142008_192749


And here's the new DSS Log:

Deckard's System Scanner v20071014.68
Run by Mrs Casey on 2008-08-14 19:30:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-14 19:30:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
H:\WINDOWS\system32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
H:\WINDOWS\system32\CTSVCCDA.EXE
H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\explorer.exe
H:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\SOUNDMAN.EXE
H:\Program Files\Alwil Software\Avast4\ashDisp.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\LiveUpdate\LiveUpdate.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Documents and Settings\Start Menu\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - H:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BTCLiveUpdate] "H:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://H:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://www.facebook.com (HKCU)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} () - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} () - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} () - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} () - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} () - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} () - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} () - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} () - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136645533382
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} () - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} () - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - H:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - H:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - H:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: YPCService - Yahoo! Inc. - H:\WINDOWS\system32\YPcservice.exe


--
End of file - 7915 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-13 11:30:09 0 d------c- H:\Documents and Settings\All Users\Application Data\ArcSoft
2008-08-12 20:28:31 0 dr-h---c- H:\Documents and Settings\Mrs Casey\Recent
2008-08-12 19:30:58 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\Malwarebytes
2008-08-12 19:30:53 0 d------c- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 19:30:52 0 d------c- H:\Program Files\Malwarebytes' Anti-Malware
2008-08-04 19:10:55 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\ZoomBrowser EX
2008-08-04 19:05:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\CameraWindowDC
2008-08-04 19:04:59 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\CANON INC
2008-08-04 18:58:47 0 d------c- H:\Program Files\QuickTime
2008-08-04 18:58:29 0 d------c- H:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-04 18:51:18 0 d------c- H:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-08-04 18:50:44 0 d------c- H:\Program Files\Canon
2008-08-04 18:49:35 0 d------c- H:\Program Files\Common Files\Canon
2008-08-01 20:53:53 0 d------c- H:\Program Files\Alwil Software
2008-07-23 18:48:20 4608 --a----c- H:\WINDOWS\system32\drivers\symlcbrd.sys <Not Verified; Symantec Corporation; Symantec Core Component>
2008-07-20 16:03:15 40960 -------c- H:\WINDOWS\system32\ChCfg.exe
2008-07-20 16:03:04 294912 -------c- H:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Update driver Tool>
2008-07-20 16:03:04 200704 -------c- H:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing driver Tool>
2008-07-20 16:02:59 192512 -------c- H:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-20 16:01:06 266240 --a----c- H:\WINDOWS\CMIUninstall.exe <Not Verified; ; GeneralUninstall Application>
2008-07-20 16:01:06 225280 --a----c- H:\WINDOWS\CmiRmRedundDir.exe <Not Verified; ; CmiRmRedundDir Application>
2008-07-20 16:01:06 28672 --a----c- H:\WINDOWS\CMIRmDriver.dll
2008-07-20 16:01:06 0 d------c- H:\Program Files\C-Media 3D Audio
2008-07-20 16:00:17 0 d------c- H:\Program Files\Gigabyte
2008-07-20 15:51:31 0 d------c- H:\Documents and Settings\Mrs Casey\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2008-08-04 18:59:48 0 d--h---c- H:\Program Files\InstallShield Installation Information
2008-08-04 18:49:35 0 d------c- H:\Program Files\Common Files
2008-08-01 19:56:42 0 d------c- H:\Program Files\Common Files\Symantec Shared
2008-07-20 16:06:02 4096 --a----c- H:\WINDOWS\gdrv.sys
2008-07-04 15:15:06 0 d------c- H:\Program Files\Common Files\Adobe
2008-07-04 15:08:01 0 d------c- H:\Documents and Settings\Mrs Casey\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="H:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/2004 12:38]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 00:56 H:\WINDOWS\system32\bthprops.cpl]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="SOUNDMAN.EXE" [23/02/2005 11:13 H:\WINDOWS\SOUNDMAN.EXE]
"avast!"="H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19/07/2008 15:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"BTCLiveUpdate"="H:\Program Files\LiveUpdate\LiveUpdate.exe" [08/03/2004 13:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=H:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Yahoo! Help.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Yahoo! Help.lnk
backup=H:\WINDOWS\pss\BT Yahoo! Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\H:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=H:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=H:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
"H:\Program Files\Creative\MediaSource5\CTDetctu.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
H:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"H:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
H:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
H:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
H:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"H:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
H:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"H:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
H:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"H:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-08-14 19:31:26 ------------

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 15 August 2008 - 10:57 AM

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.

You can delete this after it merges.
=======================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 16 August 2008 - 11:52 AM

Hi Kahdah,

I've now merged the fixthis.reg file with the registry, done the cleanup and uninstalled the other programs that we'd used to clean up my pc.
Regarding the firewall, you mention that I should only have one firewall/antivirus program installed at a time - as I already have Avast installed on my pc, will downloading the Sunbelt Free or Zonealarm firewalls on top of that cause a problem, or should I uninstall Avast first?

If you can let me know, I'll then proceed with setting the System Restore points etc.

Thanks.

Edited by gezkc, 16 August 2008 - 11:55 AM.


#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 16 August 2008 - 12:01 PM

AVast is only an antivirus programit is not a firewall.
You can have both of those installed at once just not 2 antivirus programs or 2 firewalls.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 20 August 2008 - 04:38 PM

Ok thanks. I'll install one of those firewalls you recommended tomorrow night when I'm back at that computer. I'll let you know how it's running then.

Thanks

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:48 AM

Posted 20 August 2008 - 07:03 PM

Ok :thumbsup:
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 gezkc

gezkc
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 21 August 2008 - 02:10 PM

Hi again,

Ok, I've installed the Sunbelt Free Firewall and reset my System Restore point. Hopefully all will be well. I've not had the computer on too long this evening yet, but so far so good.

Thanks for all your help Kahdah. It's much appreciated. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users