Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Thread For Metallica (dss Logs)


  • Please log in to reply
18 replies to this topic

#1 fylraen

fylraen

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 August 2008 - 05:38 AM

Please bear in mind that this is not my computer, and that I haven't done much with it to fix the helper.dll folder popup so as to let someone better at this (you) have a closer look.

Here are the contents of main.txt:



Deckard's System Scanner v20071014.68
Run by Dan on 2008-08-04 06:29:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
46: 2008-08-04 10:29:27 UTC - RP1112 - Deckard's System Scanner Restore Point
45: 2008-08-03 17:33:26 UTC - RP1111 - ComboFix created restore point
44: 2008-08-03 17:32:01 UTC - RP1110 - Removed Sony Media Manager 2.0
43: 2008-08-03 17:26:42 UTC - RP1109 - Removed Sony ACID Pro 5.0c
42: 2008-08-02 22:35:55 UTC - RP1108 - System Checkpoint


-- First Restore Point --
1: 2008-06-03 00:25:56 UTC - RP1067 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Dan.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:29 AM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dan\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6042 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - D:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "D:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R2 HPFECP13 - c:\windows\system32\drivers\hpfecp13.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S4 ATMsrvc (ATM Service) - c:\windows\system32\atmsrvc.exe <Not Verified; Adobe Systems Incorporated; Adobe Type Manager>
S4 Httscsetor -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01321028&REV_01\3&267A616A&0&EF
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01321028&REV_01\3&267A616A&0&EF
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPFECP13\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPFECP13\0000
Service: HPFECP13


-- Scheduled Tasks -------------------------------------------------------------

2008-07-19 14:53:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 06:32:11 0 d-------- C:\Program Files\Trend Micro
2008-08-03 13:33:06 68096 --a------ C:\WINDOWS\zip.exe
2008-08-03 13:33:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-03 13:33:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-03 13:33:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-03 13:33:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-03 13:33:06 98816 --a------ C:\WINDOWS\sed.exe
2008-08-03 13:33:06 80412 --a------ C:\WINDOWS\grep.exe
2008-08-03 13:33:06 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 22:08:50 0 d-------- C:\Program Files\Common
2008-07-19 17:32:15 0 d-------- C:\Program Files\iTunes
2008-07-19 17:31:18 0 d-------- C:\Program Files\Bonjour
2008-07-19 17:30:12 0 d-------- C:\Program Files\QuickTime
2008-07-19 17:25:27 0 d-------- C:\Program Files\Safari


-- Find3M Report ---------------------------------------------------------------

2008-08-04 06:27:16 0 d-------- C:\Documents and Settings\Dan\Application Data\Mozilla
2008-08-03 13:35:20 0 d-------- C:\Program Files\Common Files
2008-08-03 13:32:45 0 d-------- C:\Program Files\Google
2008-08-03 13:24:58 0 d-------- C:\Documents and Settings\Dan\Application Data\Lavasoft
2008-07-19 17:32:20 0 d-------- C:\Program Files\iPod


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\Updreg.exe" [05/11/2000 02:00 AM]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [03/27/2001 09:00 PM]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/23/2001 05:52 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/17/2001 12:41 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/02/2005 04:35 PM]
"nwiz"="nwiz.exe" [08/02/2005 04:35 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/02/2005 04:35 PM]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [07/10/2008 09:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2008 10:51 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Snapfish\SNAPFI~1\data\xtras\mssysmgr.exe" [01/31/2005 03:06 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^Reminder-hpc41001.lnk]
path=C:\Documents and Settings\Dan\Start Menu\Programs\Startup\Reminder-hpc41001.lnk
backup=C:\WINDOWS\pss\Reminder-hpc41001.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpfsched]
C:\WINDOWS\hpfsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Snapfish\SNAPFI~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WZCSVC"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-08-04 06:33:35 ------------

BC AdBot (Login to Remove)

 


m

#2 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 August 2008 - 05:39 AM

extra.txt :

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 766.8 MiB / 517.43 MiB
Pagefile Memory (total/avail): 1877.68 MiB / 1692.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.76 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.1 GiB total, 9.84 GiB free.
D: is Fixed (NTFS) - 74.53 GiB total, 25.96 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MAXTOR 6L020L1 - 19.14 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 19.1 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD800JB-00ETA0 - 74.53 GiB - 1 partition
\PARTITION0 - Installable File System - 74.53 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AntivirusOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"D:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"="D:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"D:\\Program Files\\Quake\\qwcl.exe"="D:\\Program Files\\Quake\\qwcl.exe:*:Enabled:qwcl"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\Program Files\\Warsow\\warsow.exe"="D:\\Program Files\\Warsow\\warsow.exe:*:Enabled:Warsow"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dan\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SMALLFRY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dan
LOGONSERVER=\\SMALLFRY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dan\LOCALS~1\Temp
USERDOMAIN=SMALLFRY
USERNAME=Dan
USERPROFILE=C:\Documents and Settings\Dan
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Dan (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Creative\SBLive\Program\Upddrv2k.EXE
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\CTMixer.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Diagnose2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\HTML.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\PlayCenter2\Player2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Recorder\Recorder.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\WaveStudio\Wstudio.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe InDesign CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{416DFEDD-9F1B-4EFC-AF70-FCA891AE0251}\zidxp.exe"
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Type Manager Deluxe 4.1 --> C:\WINDOWS\uninst.exe -f"D:\Program Files\Adobe\Adobe Type Manager\DeIsL1.isu" -c"D:\Program Files\Adobe\Adobe Type Manager\UNINST.DLL"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ArcSoft Panorama Maker 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
BitTorrent 3.4.2 --> "C:\Program Files\BitTorrent\uninstall.exe"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Fruityloops 3.5 --> MsiExec.exe /X{C8426AE8-4A79-4DEF-9FF7-BFBE36836A36}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HP DeskJet 710C Series (Remove only) --> C:\Program Files\HP DeskJet 710C Series\hpfiui.exe -c -vdivid=HPF -vpnum=13 -vproduct=710C -huninstall
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Rise Of Nations --> "D:\Program Files\Microsoft Games\Rise of Nations\UNINSTAL.EXE" /runtemp /addremove
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe E:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
mIRC --> "D:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Opera --> D:\PROGRA~1\Opera\uninst\unwise.exe D:\PROGRA~1\Opera\uninst\install.log
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Rise of Nations Thrones and Patriots --> "D:\Program Files\Microsoft Games\Rise of Nations\UNINSTLX.EXE" /runtemp /uninstall
Safari --> MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
Snapfish PhotoShow Express --> "C:\Program Files\Snapfish\Snapfish PhotoShow\data\Xtras\Uninstall.exe"
Sony ACID Music Studio 5.0 --> MsiExec.exe /X{12F4BE69-6614-41D3-BB3B-DF7F921DF2BB}
Sony Sound Forge 8.0b --> MsiExec.exe /X{48EB9208-593D-4DC7-B613-9C5A210D87BA}
Sony Sound Series Loops and Samples Reference Library v2 --> MsiExec.exe /X{AB9C7A26-789C-485A-95DB-9753B3E86104}
Sound Blaster Live! Value --> C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Ventrilo --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"


-- Application Event Log -------------------------------------------------------

No Errors/Warnings found.


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24844 / Error
Event Submitted/Written: 08/03/2008 05:33:47 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type24843 / Error
Event Submitted/Written: 08/03/2008 05:33:43 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The iPod Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type24721 / Error
Event Submitted/Written: 08/03/2008 01:33:45 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type24720 / Error
Event Submitted/Written: 08/03/2008 01:33:45 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Event Record #/Type24719 / Error
Event Submitted/Written: 08/03/2008 01:33:45 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Network DDE DSDM service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-08-04 06:33:35 ------------

#3 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 August 2008 - 05:50 AM

This is an older computer with a long-time XP install on it. Pentium IV 1.8ghz, 768mb ram, XP SP2.

I'll be at work all day so I'll be able to respond later this evening if / when you need something else.

#4 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:10:15 PM

Posted 04 August 2008 - 06:41 AM

Thanks fylraen,

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
helper.sig
helper.dll

[Exclude]

[Options]
Filter=KVDLU



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
Then move helper.dll and helper.sig out of the Common Files folder. reboot and let me know what happens.
How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015

#5 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 August 2008 - 07:15 PM

Step 1:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 8/4/2008 8:09:01 PM for strings:
; 'helper.sig'
; 'helper.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\InprocServer32]
@="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A6443A5-ED5A-11CF-9662-00A0C905428A}\InprocServer32]
@="C:\\WINDOWS\\System32\\vmhelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC}\InprocServer32]
@="C:\\WINDOWS\\System32\\vmhelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0\0\win32]
@="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32]
@="C:\\Program Files\\Common\\helper.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\CONSOLE]
"PlugUIText"="@vmhelper.dll,-4000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\JIT]
"PlugUIText"="@vmhelper.dll,-4001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\LOGGING]
"PlugUIText"="@vmhelper.dll,-4002"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\114D11D962554EA48AD7DE493179A765]
"68AB67CA7DA73301B7447A9000000020"="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\20700791739EEC14F8A70C19A120C3A1]
"4559AC80EF5B313439F84D4A718B1157"="C:\\Program Files\\QuickTime\\QTSystem\\QuickTimeWebHelper.Resources\\QuickTimeWebHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8BD74C0E2B4311544BBB1C44C780C466]
"0064C6FED603A6F41A912C8A772DB5A4"="C:\\Program Files\\iTunes\\iTunesHelper.Resources\\iTunesHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E1B4F4BCB48FBD115BB65B85558D5939]
"35719B5398757154C91FC2ECA3C84F1F"="C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\OutlookSyncClientHelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA]
"PlugUIText"="@vmhelper.dll,-4003"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\CUSTOM]
"PlugUIText"="@vmhelper.dll,-4004"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\DISABLE]
"PlugUIText"="@vmhelper.dll,-4005"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\HIGH]
"PlugUIText"="@vmhelper.dll,-4006"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\LOW]
"PlugUIText"="@vmhelper.dll,-4007"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\MEDIUM]
"PlugUIText"="@vmhelper.dll,-4008"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\uihelper.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Java VM]
"EventMessageFile"="C:\\WINDOWS\\System32\\vmhelper.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\uihelper.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\Java VM]
"EventMessageFile"="C:\\WINDOWS\\System32\\vmhelper.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\uihelper.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Java VM]
"EventMessageFile"="C:\\WINDOWS\\System32\\vmhelper.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"b"="C:\\Program Files\\Common\\helper.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\Program Files\\Common\\helper.dll"


; End Of The Log...

#6 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 04 August 2008 - 07:21 PM

Step 2:

Moved the files helper.dll and helper.sig to a new folder on the desktop and rebooted the computer.

program files\common\ still opens up, but is now an empty folder.


Waiting on further instructions, captain!


edit to add: I should mention that navigating through windows explorer hangs for just a second each time you open a folder. It could just be that it's an old computer, but it doesn't feel right.

Edited by fylraen, 04 August 2008 - 07:24 PM.


#7 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:10:15 PM

Posted 04 August 2008 - 11:22 PM

I think we have a trail to follow, my dear Watson. :thumbsup:

Make a new options.txt which looks like this:
RegSearch Options File 

[Search] 
{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
{986A8AC1-AB4D-4F41-9068-4B01C0197867}
{A0E1054B-01EE-4D57-A059-4D99F339709F}
main.DLL

[Exclude] 

[Options] 
Filter=KVDLU

Run regsearch again and post the entire contents of the Notepad file from RegSearch.

Also, delete this folder:
C:\Program Files\Common\
Do NOT delete the C:\Program Files\Common Files\ folder

Edited by Metallica, 04 August 2008 - 11:31 PM.

How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015

#8 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 05 August 2008 - 06:32 AM

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 8/5/2008 7:24:41 AM for strings:
; '{8e3c68cd-f500-4a2a-8cb9-132bb38c3573}'
; '{afd4ad01-58c1-47db-a404-fbe00a6c5486}'
; '{986a8ac1-ab4d-4f41-9068-4b01c0197867}'
; '{a0e1054b-01ee-4d57-a059-4d99f339709f}'
; 'main.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib]
@="{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\main.BHO\CLSID]
@="{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\main.BHO.1\CLSID]
@="{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
"DllName"="stmain.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\msobmain.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\msobmain.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\msobmain.dll]

; End Of The Log...

#9 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:10:15 PM

Posted 05 August 2008 - 07:31 AM

I'm very close to having a fix for this one, I need to do some testing and I would like you to look for one file for me.

It's called main.dll and I have no idea if it really exists, but if it does I'd like to know where exactly.
So can you do a search for that on your computer and let me know?

Thanks,

Pieter
How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015

#10 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 05 August 2008 - 10:14 PM

A standard windows search (including hidden folders / files) does not find main.dll .

Edited by fylraen, 05 August 2008 - 10:15 PM.


#11 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:10:15 PM

Posted 05 August 2008 - 11:07 PM

Thanks. :thumbsup:

Please download Brute Force Uninstaller .
  • Right click the downloaded BFU folder, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download DeepDive Remover.
Save it in the same folder you made earlier (c:\BFU).

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select DeepDive.bfu
  • Press Execute and let the program do it’s job. (Do not be startled as your taskbar will disappear for a little while.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
  • A notepad file called BFUlogdeepdive.txt should be open. Post the content of that file please.

How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015

#12 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 05 August 2008 - 11:53 PM

Interesting - I did as directed. BFU opened the My Documents folder and told me it couldn't find a log. Do I want to create a new log file? I clicked yes, then it just creates a blank text document with the name BFUlogdeepdive.txt.

When I exited BFU, it hadn't written anything to the newly created logfile. I closed BFUlogdeepdive.txt and it is now gone (searching for it doesn't find it; I didn't get a "save" prompt because there was no text, I assume).

I'm sorry - I don't know why that happened. But I can't post the log that you've requested, because it didn't / doesn't exist.

Edited by fylraen, 05 August 2008 - 11:53 PM.


#13 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:10:15 PM

Posted 06 August 2008 - 01:24 AM

Not to worry. Probably the timing in my script was too tight.
(Never had a chance to test it on a truly infected computer)
Let's check if it was all removed in another way then.
Can you use regsearch again with the last options.txt ?

Only the last 4 lines should have survived the script.
How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015

#14 fylraen

fylraen
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 06 August 2008 - 08:08 AM

That looks to be the case! edit to add: When I boot up, the folder doesn't appear any longer.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 8/6/2008 8:46:46 AM for strings:
; '{8e3c68cd-f500-4a2a-8cb9-132bb38c3573}'
; '{afd4ad01-58c1-47db-a404-fbe00a6c5486}'
; '{986a8ac1-ab4d-4f41-9068-4b01c0197867}'
; '{a0e1054b-01ee-4d57-a059-4d99f339709f}'
; 'main.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
"DllName"="stmain.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\msobmain.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\msobmain.dll]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\msobmain.dll]

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="main.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="main.dll"

; End Of The Log...

Edited by fylraen, 06 August 2008 - 08:08 AM.


#15 Metallica

Metallica

    Spyware Veteran


  • Malware Response Team
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:10:15 PM

Posted 06 August 2008 - 08:16 AM

Pats himself on the back and thanks you very much for your co-operation. :thumbsup:

Follow the link in my signature to see how you can improve the security on your girlfriends computer.

Regards,

Pieter

edit

I should mention that navigating through windows explorer hangs for just a second each time you open a folder.

Is this solved as well?

Edited by Metallica, 06 August 2008 - 08:17 AM.

How can I be lost, if I've got nowhere to go?
My blog
MS-MVP Consumer Security 2003-2015




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users