
Blue Desktop With Antivirus/spyware Remover Request


9 replies to this topic

#1 apachedave


Posted 12 August 2008 - 12:16 AM

Hey, sorry to trouble you all.

I'm running Windows XP Pro, Service Pack 1.

I was browsing the net tonight (Firefox) and suddenly got a Windows missing file error (I think it was an exe). My desktop is now blue with a text box in the centre containing the following message:

"Warning! Spyware detected on your computer!

Install an antivirus or spyware remover to clean your computer"

Posted Image


Furthermore, bootup yields the following error:

Posted Image


Edit:
It seems something has installed itself in my program files in "C:\Program Files\rhcnrmj0ev97"

Posted Image

A shortcut corresponding to the directory is on my desktop as "Antivirus XP 2008". Unsurprisingly, running the uninstaller in the above directory does nothing. A process has also popped up in the task manager as "pphcjrmj0ev97.exe", though that identifier has changed under successive instances being executed.


I tried scanning with the Kaspersky online scanner, but ran into problems of the Java applet start variety, so only the standard "main" and "extra" logs are found below. Thanks for taking the time to read this!

- Andy


---------------------------------------------------------------------------------------------
--------------------------------------------MAIN-------------------------------------------
---------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Andy on 2008-08-12 05:32:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:33:48, on 12/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\lphcjrmj0ev97.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Documents and Settings\Andy\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lphcjrmj0ev97] C:\WINDOWS\System32\lphcjrmj0ev97.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4C0605-BBC9-4A17-9BDB-467B7FA3ADAF}: NameServer = 192.168.1.1
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5085 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 RT73 (Belkin USB Network Adapter) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>

S3 ASPI (Advanced SCSI Programming Interface Driver) - c:\windows\system32\drivers\aspi32.sys <Not Verified; Adaptec; Adaptec's ASPI Layer>
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys (file missing)
S3 WBHWDOCT (Winbond GPIO Driver1) - c:\windows\system32\drivers\wbhwdoct.sys <Not Verified; Winbond Electronics Corp.; Winbond Hardware Doctor>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Belkin Wireless USB Network Adapter Service (Belkin Wireless USB Network Adapter) - c:\program files\belkin\belkin wireless network utility\wlservice.exe

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce MCP Networking Controller
Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_0C1110DE&REV_A1\3&13C0B0C5&0&20
Manufacturer: Nvidia
Name: NVIDIA nForce MCP Networking Controller
PNP Device ID: PCI\VEN_10DE&DEV_0066&SUBSYS_0C1110DE&REV_A1\3&13C0B0C5&0&20
Service: NVENET

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\103DBAE23C01
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\103DBAE23C01
Service: NIC1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_1040&SUBSYS_10008086&REV_00\4&3B1D9AB8&0&5040
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_1040&SUBSYS_10008086&REV_00\4&3B1D9AB8&0&5040
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_61141095&REV_02\4&3B1D9AB8&0&5840
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3114&SUBSYS_61141095&REV_02\4&3B1D9AB8&0&5840
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\427F12910
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\427F12910
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-08-10 12:29:30 244 --a------ C:\WINDOWS\Tasks\Alarm.job


-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 05:33:40 0 d-------- C:\Program Files\Trend Micro
2008-08-12 04:40:27 60928 --a------ C:\WINDOWS\System32\blphcjrmj0ev97.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-08-12 04:40:25 129536 --a------ C:\WINDOWS\System32\lphcjrmj0ev97.exe
2008-08-12 04:39:08 25600 --a------ C:\WINDOWS\System32\drivers\svchost.exe
2008-08-09 21:31:19 4 --a------ C:\WINDOWSRegDefrag.dat
2008-08-08 23:39:46 0 d-------- C:\Program Files\Microsoft Bootvis
2008-08-08 20:31:28 614 --a------ C:\WINDOWS\eReg.dat
2008-08-07 22:50:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Notepad++
2008-08-07 03:38:33 40960 --a------ C:\WINDOWS\System32\B11gUSB.dll
2008-08-07 03:38:32 94208 --a------ C:\WINDOWS\System32\GTW32N50.dll
2008-08-07 03:38:32 15872 --a------ C:\WINDOWS\System32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-08-07 03:38:32 232192 --a------ C:\WINDOWS\System32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-08-07 03:04:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Soulseek
2008-08-07 03:00:06 0 d-------- C:\Program Files\SoulseekNS
2008-07-31 18:14:42 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-31 18:12:12 0 d-------- C:\WINDOWS\ShellNew
2008-07-31 18:12:10 0 d-------- C:\Program Files\Common Files\L&H
2008-07-30 20:41:57 0 d-------- C:\Westwood
2008-07-30 18:37:29 0 d-------- C:\Documents and Settings\Andy\Application Data\SPAMfighter
2008-07-21 01:28:16 0 d-------- C:\Poker
2008-07-20 16:14:11 0 d-------- C:\Documents and Settings\Andy\Application Data\codeblocks
2008-07-20 16:13:34 0 d-------- C:\Program Files\CodeBlocks
2008-07-18 23:51:06 434688 --a------ C:\WINDOWS\System32\ss2uinst.exe <Not Verified; Virtualzone.de; SetupStream 2>
2008-07-18 23:51:00 0 d-------- C:\Program Files\ET Patch Selector
2008-07-17 23:21:08 0 d-------- C:\Documents and Settings\Andy\Application Data\Soldat
2008-07-15 20:43:17 0 d-------- C:\Documents and Settings\Andy\Application Data\Opera
2008-07-15 20:42:40 0 d-------- C:\Program Files\Opera


-- Find3M Report ---------------------------------------------------------------

2008-08-12 05:06:56 292 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-12 05:06:56 292 --a------ C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-12 02:05:24 0 d-------- C:\Documents and Settings\Andy\Application Data\Free Download Manager
2008-08-09 03:58:33 0 d-------- C:\Program Files\Soulseek
2008-08-09 03:51:15 0 d-------- C:\Program Files\Advanced System Optimizer
2008-08-08 23:01:22 0 d-------- C:\Program Files\Java
2008-08-08 20:31:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 21:22:56 0 d-------- C:\Program Files\WMR11
2008-08-01 00:17:05 21528 --a------ C:\Documents and Settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2008-07-31 18:14:00 0 d-------- C:\Program Files\Common Files
2008-07-24 19:09:56 0 d-------- C:\Documents and Settings\Andy\Application Data\Notepad++
2008-07-24 19:09:48 0 d-------- C:\Program Files\Notepad++
2008-07-09 18:46:21 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-07-07 02:04:05 0 d-------- C:\Program Files\ScummVM
2008-07-07 01:59:04 0 d-------- C:\Program Files\DOSBox-0.63
2008-07-04 18:29:59 0 d-------- C:\Program Files\eclipse
2008-07-04 02:32:34 0 d-------- C:\Documents and Settings\Andy\Application Data\OpenOffice.org2
2008-06-24 20:57:36 0 d-------- C:\Program Files\StarUML


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [17/06/2003 17:18 C:\WINDOWS\system32\sstray.exe]
"CTHelper"="CTHELPER.EXE" [10/04/2003 09:36 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [28/10/2003 20:24 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [03/12/2002 18:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [16/05/2003 00:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"lphcjrmj0ev97"="C:\WINDOWS\System32\lphcjrmj0ev97.exe" [12/08/2008 04:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [28/10/2003 20:23]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [02/12/2004 18:23]
"SVCHOST.EXE"="C:\WINDOWS\System32\drivers\svchost.exe" [12/08/2008 04:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdjkx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2008-08-12 05:34:29 ------------




---------------------------------------------------------------------------------------------
-------------------------------------------EXTRA------------------------------------------
---------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2800+
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1023.48 MiB / 717.47 MiB
Pagefile Memory (total/avail): 2462.34 MiB / 2268.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.32 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 111.78 GiB total, 57.55 GiB free.
D: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST3120022A - 111.79 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 111.78 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Andy\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANDY-1QRIHD223T
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Andy
LOGONSERVER=\\ANDY-1QRIHD223T
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=.;C:\Program Files\Java\jdk1.6.0_04\bin;C:\WINDOWS\system32;.;C:\Program Files\Java\jdk1.6.0_04\bin;C:\WINDOWS\system32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Andy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Andy\LOCALS~1\Temp
USERDOMAIN=ANDY-1QRIHD223T
USERNAME=Andy
USERPROFILE=C:\Documents and Settings\Andy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Andy (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2\Program\Ctzapxx.EXE" /U /S
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4095E277-3005-42E9-8D84-DE6EB8704CEC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F2F3E0C-2025-4F5E-9583-AB8CD5AA88A6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66BCC50C-22D9-4927-9251-27FA88A32214}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D42EFA6C-0553-45F7-AD03-6D36207CA6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Advanced System Optimizer 2.01 --> "C:\Program Files\Advanced System Optimizer\unins000.exe"
AFPL Ghostscript 8.54 --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.54\uninstal.txt"
AFPL Ghostscript Fonts --> C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
Alarm 2.0.2 --> "C:\Program Files\Alarm\unins000.exe"
Another World 1.1c --> C:\Games\Another World\uninst.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Belkin 54g USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\Belkin Wireless Network Utility\setup.exe" -l0x9
Bontago --> C:\Games\Bontago\Uninstall.exe
CodeBlocks --> C:\Program Files\CodeBlocks\uninstall.exe
Cole2k Media - Codec Pack (Standard) --> C:\WINDOWS\System32\C2MP\Uninst.exe
Command & Conquer Generals --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Command & Conquer Tiberian Sun --> C:\Games\Command & Conquer\Tiberian Sun\Uninstll.EXE
Counter-Strike: Condition Zero --> C:\Games\Valve\CONDIT~1\UNWISE.EXE C:\Games\Valve\CONDIT~1\INSTALL.LOG
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Vision M --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}\SETUP.EXE" -l0x9 /remove
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Downhill PAKOON! 2.Many Unlimited 2009 --> C:\WINDOWS\IsUninst.exe -fc:\games\PakoonDownhill2\Uninst.isu
ET Patch Selector 1.3.4 --> C:\WINDOWS\system32\ss2uinst.exe "C:\Program Files\ET Patch Selector\ss2uinst.dat"
Fallout --> C:\WINDOWS\ipuninst.exe -fC:\Games\Fallout\uninst.log
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
Flashpoint uninstall --> C:\Program Files\Codemasters\UnInstall.exe
Free Download Manager 2.1 --> "C:\Program Files\Free Download Manager\unins000.exe"
GlassFish V2 --> "C:\Program Files\glassfish-v2\uninstall.exe"
GSview 4.8 --> C:\Program Files\Ghostgum\gsview\uninstgs.exe "C:\Program Files\Ghostgum\gsview\uninstal.txt"
Hardware Doctor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A83008C-1F8B-46B8-850A-0123479C2344}\setup.exe" -l0x9
Harmotion --> "C:\WINDOWS\Harmotion\uninstall.exe" "/U:C:\Games\Uninstall\uninstall.xml"
Heroes of Might and Magic II --> C:\WINDOWS\uninst.exe -f"c:\games\Heroes of Might & Magic 2\DeIsL1.isu"
Homeworld2 -->
InFlac 1.1.1 --> "C:\Program Files\Winamp\InFlac-Uninstall.exe"
J2SE Development Kit 5.0 Update 3 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150030}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack 2.49 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Media Center Alarm Clock --> MsiExec.exe /I{8689A5F3-BEEC-407D-A6EB-B79F636229A3}
Microsoft Bootvis --> MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
MiKTeX 2.5 --> "C:\Program Files\MiKTeX 2.5\miktex\bin\copystart.exe" "C:\Program Files\MiKTeX 2.5\miktex\config\uninstall.dat"
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3PowerEncoder --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{969B3B70-8765-11D5-9809-0050BACBF861}\Setup.exe" -uninstall
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetBeans IDE 6.0 --> "C:\Program Files\NetBeans 6.0\uninstall.exe"
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
NVIDIA nForce Drivers --> C:\WINDOWS\System32\nvuninst.exe Uninstall C:\WINDOWS\System32\NVU001.nvu,NVIDIA nForce Drivers
Ocular Ink --> "C:\Games\Ocular Ink\uninstall.exe"
OpenOffice.org 2.2 --> MsiExec.exe /I{A1C8D94A-4303-4489-B585-4B6E6CD408CB}
Opera 9.51 --> MsiExec.exe /X{179624B1-2683-45ED-965A-B72189EB5820}
Paddy Power Poker --> "C:\Poker\Paddy Power Poker\_SetupPoker.exe" /uninstall
Painkiller --> C:\WINDOWS\unvise32.exe C:\Games\Painkiller\uninstal.log
PunkBuster Services --> C:\WINDOWS\System32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Real Alternative 1.7.5 --> "C:\Program Files\Real Alternative\unins000.exe"
ScummVM 0.7.1 --> "C:\Program Files\ScummVM\unins000.exe"
Soldat 1.4.2 --> "C:\Games\Soldat\unins000.exe"
Sony Sound Forge 7.0 --> MsiExec.exe /I{0712667C-A171-49AE-A098-4ACDA28625F8}
SoulSeek 157 NS 13c --> "C:\Program Files\SoulseekNS\uninstall.exe"
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
Sound Blaster Audigy 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42095863-98D1-4A49-BDF8-638DE8A5F316}\SETUP.EXE" -l0x9
Spring 0.74b3 --> C:\Games\Spring\uninst.exe
StarUML 5.0.2.1570 --> "C:\Program Files\StarUML\unins000.exe"
SWI-Prolog (remove only) --> "C:\Program Files\pl\uninstall.exe"
TeXnicCenter Version 1 Beta 7.01 (Greengrass) --> "C:\Program Files\TeXnicCenter\unins000.exe"
Unity Web Player --> C:\Program Files\Unity\WebPlayer\Uninstall.exe
Video to Audio Converter 1.00 --> "C:\Program Files\Video to Audio Converter\unins000.exe"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Vodei Multimedia Processor 2.10 --> C:\Program Files\Vodei\uninst.exe
Westwood Shared Internet Components --> C:\Westwood\Internet\UnstllAP.EXE
Windows Live Messenger --> MsiExec.exe /I{FCE50DB8-C610-4C42-BE5C-193F46C6F812}
WinHugs --> "C:\Program Files\WinHugs\uninstaller.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Wolfenstein - Enemy Territory --> C:\Games\WOLFEN~1\Uninstall\Unwise.exe /u C:\Games\WOLFEN~1\Uninstall\Install.log


-- Application Event Log -------------------------------------------------------

Event Record #/Type2503 / Error
Event Submitted/Written: 08/12/2008 05:12:52 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2502 / Error
Event Submitted/Written: 08/12/2008 05:12:52 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type2501 / Error
Event Submitted/Written: 08/12/2008 05:10:47 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type2500 / Error
Event Submitted/Written: 08/12/2008 05:10:47 AM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type2499 / Error
Event Submitted/Written: 08/12/2008 05:07:55 AM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type53097 / Error
Event Submitted/Written: 08/12/2008 01:07:24 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type53035 / Error
Event Submitted/Written: 08/11/2008 06:27:33 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type52931 / Error
Event Submitted/Written: 08/10/2008 04:50:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Network Location Awareness (NLA) service failed to start due to the following error:
%%231

Event Record #/Type52929 / Error
Event Submitted/Written: 08/10/2008 04:50:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Network Location Awareness (NLA) service failed to start due to the following error:
%%231

Event Record #/Type52926 / Error
Event Submitted/Written: 08/10/2008 04:50:08 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Network Location Awareness (NLA) service failed to start due to the following error:
%%231



-- End of Deckard's System Scanner: finished at 2008-08-12 05:34:29 ------------

Edited by apachedave, 12 August 2008 - 03:11 AM.




#2 apachedave

apachedave
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:06 AM

Posted 12 August 2008 - 03:53 AM

UPDATE:

So, after some quick googling once the above program installed itself, I found this wonderful guide on your website. All seems fine now, but I rescanned with DSS just to be sure. Oddly(?), it didn't create an "extra" file - just a "main" one. Anyway, the log is posted below.


Note: I saw that the following registry entries either looked dodgy or are definitely bad, and they weren't removed by Malwarebytes' Anti-Malware.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run contains an entry
"C:\Windows\system32\kdjkx.exe" with the same value and type "REG_SZ", though it's in the log file above as you can probably see.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion contains an entry "rhcnrmj0ev97"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform contains an entry "AntivirXP08"

The last two are noted as associated files in the linked guide and have been deleted. The first one is still there. The log below was created after the two items' removal.


Appreciate the help!
- Andy


---------------------------------------------------------------------------------------------
--------------------------------------------MAIN-------------------------------------------
---------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Andy on 2008-08-12 10:11:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:26, on 12/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\Alarm\Alarm.exe
C:\Documents and Settings\Andy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjkx.exe] C:\WINDOWS\system32\kdjkx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4C0605-BBC9-4A17-9BDB-467B7FA3ADAF}: NameServer = 192.168.1.1
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4801 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 09:27:36 0 d-------- C:\Documents and Settings\Andy\Application Data\Malwarebytes
2008-08-12 09:27:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 09:27:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 05:33:40 0 d-------- C:\Program Files\Trend Micro
2008-08-09 21:31:19 4 --a------ C:\WINDOWSRegDefrag.dat
2008-08-08 23:39:46 0 d-------- C:\Program Files\Microsoft Bootvis
2008-08-08 20:31:28 614 --a------ C:\WINDOWS\eReg.dat
2008-08-07 22:50:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Notepad++
2008-08-07 03:38:33 40960 --a------ C:\WINDOWS\System32\B11gUSB.dll
2008-08-07 03:38:32 94208 --a------ C:\WINDOWS\System32\GTW32N50.dll
2008-08-07 03:38:32 15872 --a------ C:\WINDOWS\System32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-08-07 03:38:32 232192 --a------ C:\WINDOWS\System32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-08-07 03:04:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Soulseek
2008-08-07 03:00:06 0 d-------- C:\Program Files\SoulseekNS
2008-07-31 18:14:42 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-31 18:12:12 0 d-------- C:\WINDOWS\ShellNew
2008-07-31 18:12:10 0 d-------- C:\Program Files\Common Files\L&H
2008-07-30 20:41:57 0 d-------- C:\Westwood
2008-07-30 18:37:29 0 d-------- C:\Documents and Settings\Andy\Application Data\SPAMfighter
2008-07-21 01:28:16 0 d-------- C:\Poker
2008-07-20 16:14:11 0 d-------- C:\Documents and Settings\Andy\Application Data\codeblocks
2008-07-20 16:13:34 0 d-------- C:\Program Files\CodeBlocks
2008-07-18 23:51:06 434688 --a------ C:\WINDOWS\System32\ss2uinst.exe <Not Verified; Virtualzone.de; SetupStream 2>
2008-07-18 23:51:00 0 d-------- C:\Program Files\ET Patch Selector
2008-07-17 23:21:08 0 d-------- C:\Documents and Settings\Andy\Application Data\Soldat
2008-07-15 20:43:17 0 d-------- C:\Documents and Settings\Andy\Application Data\Opera
2008-07-15 20:42:40 0 d-------- C:\Program Files\Opera


-- Find3M Report ---------------------------------------------------------------

2008-08-12 09:39:26 292 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-12 09:39:26 292 --a------ C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-12 02:05:24 0 d-------- C:\Documents and Settings\Andy\Application Data\Free Download Manager
2008-08-09 03:58:33 0 d-------- C:\Program Files\Soulseek
2008-08-09 03:51:15 0 d-------- C:\Program Files\Advanced System Optimizer
2008-08-08 23:01:22 0 d-------- C:\Program Files\Java
2008-08-08 20:31:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 21:22:56 0 d-------- C:\Program Files\WMR11
2008-08-01 00:17:05 21528 --a------ C:\Documents and Settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2008-07-31 18:14:00 0 d-------- C:\Program Files\Common Files
2008-07-24 19:09:56 0 d-------- C:\Documents and Settings\Andy\Application Data\Notepad++
2008-07-24 19:09:48 0 d-------- C:\Program Files\Notepad++
2008-07-09 18:46:21 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-07-07 02:04:05 0 d-------- C:\Program Files\ScummVM
2008-07-07 01:59:04 0 d-------- C:\Program Files\DOSBox-0.63
2008-07-04 18:29:59 0 d-------- C:\Program Files\eclipse
2008-07-04 02:32:34 0 d-------- C:\Documents and Settings\Andy\Application Data\OpenOffice.org2
2008-06-24 20:57:36 0 d-------- C:\Program Files\StarUML


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [17/06/2003 17:18 C:\WINDOWS\system32\sstray.exe]
"CTHelper"="CTHELPER.EXE" [10/04/2003 09:36 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [28/10/2003 20:24 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [03/12/2002 18:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [16/05/2003 00:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"C:\WINDOWS\system32\kdjkx.exe"="C:\WINDOWS\system32\kdjkx.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [28/10/2003 20:23]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [02/12/2004 18:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2008-08-12 10:11:43 ------------

Edited by apachedave, 12 August 2008 - 04:12 AM.
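As an added triage example (not from this thread and not part of HijackThis, DSS or any other tool mentioned here): a small Python script that parses HijackThis O4 and R1 lines of the shape shown in the logs above and flags the two things apachedave picked out by hand, a Run value whose name is its own file path, and a ProxyServer setting pointing at the loopback address, which routes the browser through whatever local process is listening on that port. The sample lines are constructed to mirror the log above; the regular expressions, finding labels and function names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the HijackThis v2 line format used in this thread
# (a handful of lines shaped like the log above, not the whole log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjkx.exe] C:\WINDOWS\system32\kdjkx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# O4 registry autostart lines: "O4 - <hive>\..\Run: [<value name>] <command> (User '...')?"
# Global Startup folder lines have no "\..\" and are deliberately not matched.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# R1 lines: "R1 - <registry key>,<value> = <data>"
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>\w+) = (?P<data>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised O4 or R1 line; other line types are skipped."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["type"] = "O4"
            entries.append(entry)
            continue
        m = R1_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["type"] = "R1"
            entries.append(entry)
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag entries worth a manual look; returns (finding label, offending data)."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e["type"] == "O4":
            # Installers register autostarts under a product name; a value whose
            # *name* is a full drive path is the pattern seen with kdjkx.exe above.
            if re.match(r"^[A-Za-z]:\\", e["name"]):
                findings.append(("run-value-named-after-path", e["cmd"]))
        elif e["type"] == "R1" and e["value"] == "ProxyServer":
            # A proxy on the loopback address means a local process sits between
            # the browser and the network; confirm what is listening on that port.
            host = e["data"].split(":")[0].strip().lower()
            if host in ("localhost", "127.0.0.1"):
                findings.append(("loopback-proxy", e["data"]))
    return findings


if __name__ == "__main__":
    for label, data in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{label}: {data}")
```

Point it at a saved HijackThis log by replacing SAMPLE_LOG with the file contents; every finding it prints is a prompt to check the named path or port by hand, not a verdict.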


#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:06 AM

Posted 14 August 2008 - 08:11 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - but you need to help us first.
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if no Antivirus scan is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 apachedave

apachedave
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:06 AM

Posted 14 August 2008 - 12:50 PM

Hey,

Sorry about the lack of scanning - I had trouble installing those programs I'm familiar with and figured Malwarebytes' Anti-Malware would do the trick. Thanks for the info on Avira.

The Avira log is first, followed by the DSS one. I performed a complete system scan on all files with the former and it found one threat, which was removed.


Thanks again!
- Andy


---------------------------------------------------------------------------------------------
-------------------------------------------AVIRA------------------------------------------
---------------------------------------------------------------------------------------------

Avira AntiVir Personal
Report file date: 14 August 2008 15:58

Scanning for 1552040 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: Andy
Computer name: ANDY-1QRIHD223T

Version information:
BUILD.DAT : 8.1.0.326 16933 Bytes 11/07/2008 12:57:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 09:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 08:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 11:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 14:54:15
ANTIVIR2.VDF : 7.0.6.10 2587136 Bytes 14/08/2008 14:52:48
ANTIVIR3.VDF : 7.0.6.15 12288 Bytes 14/08/2008 14:52:48
Engineversion : 8.1.1.19
AEVDF.DLL : 8.1.0.5 102772 Bytes 09/07/2008 09:46:50
AESCRIPT.DLL : 8.1.0.63 311673 Bytes 14/08/2008 14:53:15
AESCN.DLL : 8.1.0.23 119156 Bytes 14/08/2008 14:53:12
AERDL.DLL : 8.1.0.20 418165 Bytes 09/07/2008 09:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 14/08/2008 14:53:11
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 14/08/2008 14:53:06
AEHEUR.DLL : 8.1.0.47 1368437 Bytes 14/08/2008 14:53:05
AEHELP.DLL : 8.1.0.15 115063 Bytes 09/07/2008 09:46:50
AEGEN.DLL : 8.1.0.35 315764 Bytes 14/08/2008 14:52:55
AEEMU.DLL : 8.1.0.7 430452 Bytes 14/08/2008 14:52:53
AECORE.DLL : 8.1.1.8 172406 Bytes 14/08/2008 14:52:51
AEBB.DLL : 8.1.0.1 53617 Bytes 24/04/2008 09:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 14/08/2008 14:52:49
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 14 August 2008 15:58

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'WLanCfgG.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'WLService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'point32.exe' - '1' Module(s) have been scanned
Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
29 processes with 29 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '52' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\OHWBCV8F\pipo[1]
[DETECTION] Is the TR/Dldr.Small.aaws Trojan
[NOTE] The file was deleted!


End of the scan: 14 August 2008 18:19
Used time: 2:21:11 Hour(s)

The scan has been done completely.

18824 Scanning directories
957917 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
1 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
957915 Files not concerned
11158 Archives were scanned
1 Warnings
1 Notes



---------------------------------------------------------------------------------------------
----------------------------------------DSS - MAIN---------------------------------------
---------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Andy on 2008-08-14 18:48:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:23, on 14/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\Andy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjkx.exe] C:\WINDOWS\system32\kdjkx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4C0605-BBC9-4A17-9BDB-467B7FA3ADAF}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5476 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-14 15:44:48 0 d-------- C:\Program Files\Avira
2008-08-14 15:44:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-12 09:27:36 0 d-------- C:\Documents and Settings\Andy\Application Data\Malwarebytes
2008-08-12 09:27:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 09:27:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 05:33:40 0 d-------- C:\Program Files\Trend Micro
2008-08-09 21:31:19 4 --a------ C:\WINDOWSRegDefrag.dat
2008-08-08 23:39:46 0 d-------- C:\Program Files\Microsoft Bootvis
2008-08-08 20:31:28 614 --a------ C:\WINDOWS\eReg.dat
2008-08-07 22:50:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Notepad++
2008-08-07 03:38:33 40960 --a------ C:\WINDOWS\System32\B11gUSB.dll
2008-08-07 03:38:32 94208 --a------ C:\WINDOWS\System32\GTW32N50.dll
2008-08-07 03:38:32 15872 --a------ C:\WINDOWS\System32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-08-07 03:38:32 232192 --a------ C:\WINDOWS\System32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-08-07 03:04:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Soulseek
2008-08-07 03:00:06 0 d-------- C:\Program Files\SoulseekNS
2008-07-31 18:14:42 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-31 18:12:12 0 d-------- C:\WINDOWS\ShellNew
2008-07-31 18:12:10 0 d-------- C:\Program Files\Common Files\L&H
2008-07-30 20:41:57 0 d-------- C:\Westwood
2008-07-30 18:37:29 0 d-------- C:\Documents and Settings\Andy\Application Data\SPAMfighter
2008-07-21 01:28:16 0 d-------- C:\Poker
2008-07-20 16:14:11 0 d-------- C:\Documents and Settings\Andy\Application Data\codeblocks
2008-07-20 16:13:34 0 d-------- C:\Program Files\CodeBlocks
2008-07-18 23:51:06 434688 --a------ C:\WINDOWS\System32\ss2uinst.exe <Not Verified; Virtualzone.de; SetupStream 2>
2008-07-18 23:51:00 0 d-------- C:\Program Files\ET Patch Selector
2008-07-17 23:21:08 0 d-------- C:\Documents and Settings\Andy\Application Data\Soldat
2008-07-15 20:43:17 0 d-------- C:\Documents and Settings\Andy\Application Data\Opera
2008-07-15 20:42:40 0 d-------- C:\Program Files\Opera


-- Find3M Report ---------------------------------------------------------------

2008-08-14 18:38:29 292 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-14 18:38:29 292 --a------ C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-14 04:46:00 0 d-------- C:\Documents and Settings\Andy\Application Data\Free Download Manager
2008-08-14 00:46:26 0 d-------- C:\Program Files\eclipse
2008-08-09 03:58:33 0 d-------- C:\Program Files\Soulseek
2008-08-09 03:51:15 0 d-------- C:\Program Files\Advanced System Optimizer
2008-08-08 23:01:22 0 d-------- C:\Program Files\Java
2008-08-08 20:31:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 21:22:56 0 d-------- C:\Program Files\WMR11
2008-08-01 00:17:05 21528 --a------ C:\Documents and Settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2008-07-31 18:14:00 0 d-------- C:\Program Files\Common Files
2008-07-24 19:09:56 0 d-------- C:\Documents and Settings\Andy\Application Data\Notepad++
2008-07-24 19:09:48 0 d-------- C:\Program Files\Notepad++
2008-07-09 18:46:21 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-07-07 02:04:05 0 d-------- C:\Program Files\ScummVM
2008-07-07 01:59:04 0 d-------- C:\Program Files\DOSBox-0.63
2008-07-04 02:32:34 0 d-------- C:\Documents and Settings\Andy\Application Data\OpenOffice.org2
2008-06-24 20:57:36 0 d-------- C:\Program Files\StarUML


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [17/06/2003 17:18 C:\WINDOWS\system32\sstray.exe]
"CTHelper"="CTHELPER.EXE" [10/04/2003 09:36 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [28/10/2003 20:24 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [03/12/2002 18:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [16/05/2003 00:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"C:\WINDOWS\system32\kdjkx.exe"="C:\WINDOWS\system32\kdjkx.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/06/2008 14:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [28/10/2003 20:23]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [02/12/2004 18:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2008-08-14 18:48:41 ------------

#5 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:06 AM

Posted 14 August 2008 - 01:13 PM

Hi,

You always need an Antivirus running in the background, as a real-time scanner. Most people think that an Antivirus is only needed to clean malware if your system is infected, but as a matter of fact, an Antivirus is needed to PREVENT malware in the first place.

Anyway, check and fix the following leftover in HijackThis:

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjkx.exe] C:\WINDOWS\system32\kdjkx.exe

Also, check and fix the following IN CASE you didn't set the Proxyserver:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
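The two "check and fix" items above, a Run value whose name is its own executable path and a ProxyServer pointed at loopback, can be picked out of a HijackThis log mechanically. The script below is an added illustration, not code from this thread or from HijackThis; its sample lines are constructed from the log posted here, and the two heuristics it applies are assumptions drawn from the helper's advice, not a general-purpose malware check.

```python
import re

# Constructed sample modelled on the HijackThis lines posted in this thread
# (not the full log). Raw string so the registry backslashes stay literal.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdjkx.exe] C:\WINDOWS\system32\kdjkx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# O4 autorun entry: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# R1 Internet Settings entry: "R1 - <key>,<value> = <data>"
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")

LOOPBACK_HOSTS = ("localhost", "127.0.0.1")


def executable_of(cmd: str) -> str:
    """Return the program path from an autorun command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_autorun(name: str, cmd: str):
    """Heuristic from this thread: the kdjkx.exe leftover registered itself with its
    own full path as the value name, where vendors use a product name."""
    if name.strip().lower() == executable_of(cmd).lower():
        return "Run value is named after its own executable path"
    return None


def check_proxy(value: str, data: str):
    """Heuristic from this thread: a ProxyServer on loopback relays all browser
    traffic through a local process, legitimate only if the user set it deliberately."""
    if value.strip().lower() != "proxyserver":
        return None
    if any(host in data.lower() for host in LOOPBACK_HOSTS):
        return "ProxyServer points at the loopback interface (%s)" % data.strip()
    return None


def scan_hijackthis(log_text: str):
    """Return (line, reason) pairs for log entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reason = check_autorun(m.group("name"), m.group("cmd"))
        else:
            m = R1_RE.match(line)
            reason = check_proxy(m.group("value"), m.group("data")) if m else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan_hijackthis(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample it reports exactly the two entries the helper asked to fix and stays silent on the vendor entries (Avira, nForce, CTFMON) and the harmless ProxyOverride line.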

#6 apachedave
  • Topic Starter
  • Members
  • 5 posts
  • Local time:10:06 AM

Posted 14 August 2008 - 02:16 PM

Howdy. Thanks for the quick reply.

Interesting information regarding the virus scanner. I'd agree they're important, but I find those things slow the computer down too much. I tend to veer more toward regular scanning, though I find I can get away with nothing at all for the most part (problems seem very rare for me - first time I've had a problem this bad in years). Bad practice, I know! Forgive me.

Since I originally scanned with MalwareBytes' Anti-Malware I've had no visible problems. The leftovers you mentioned seem the only trouble at the moment. I've fixed them (the above keys) in HijackThis and my DSS log file is below.

Thanks again!
- Andy


---------------------------------------------------------------------------------------------
----------------------------------------DSS - MAIN---------------------------------------
---------------------------------------------------------------------------------------------


Deckard's System Scanner v20071014.68
Run by Andy on 2008-08-14 20:10:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:10:03, on 14/08/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4C0605-BBC9-4A17-9BDB-467B7FA3ADAF}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5180 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-14 15:44:48 0 d-------- C:\Program Files\Avira
2008-08-14 15:44:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-12 09:27:36 0 d-------- C:\Documents and Settings\Andy\Application Data\Malwarebytes
2008-08-12 09:27:33 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 09:27:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 05:33:40 0 d-------- C:\Program Files\Trend Micro
2008-08-09 21:31:19 4 --a------ C:\WINDOWSRegDefrag.dat
2008-08-08 23:39:46 0 d-------- C:\Program Files\Microsoft Bootvis
2008-08-08 20:31:28 614 --a------ C:\WINDOWS\eReg.dat
2008-08-07 22:50:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Notepad++
2008-08-07 03:38:33 40960 --a------ C:\WINDOWS\System32\B11gUSB.dll
2008-08-07 03:38:32 94208 --a------ C:\WINDOWS\System32\GTW32N50.dll
2008-08-07 03:38:32 15872 --a------ C:\WINDOWS\System32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2008-08-07 03:38:32 232192 --a------ C:\WINDOWS\System32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
2008-08-07 03:04:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Soulseek
2008-08-07 03:00:06 0 d-------- C:\Program Files\SoulseekNS
2008-07-31 18:14:42 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-07-31 18:12:12 0 d-------- C:\WINDOWS\ShellNew
2008-07-31 18:12:10 0 d-------- C:\Program Files\Common Files\L&H
2008-07-30 20:41:57 0 d-------- C:\Westwood
2008-07-30 18:37:29 0 d-------- C:\Documents and Settings\Andy\Application Data\SPAMfighter
2008-07-21 01:28:16 0 d-------- C:\Poker
2008-07-20 16:14:11 0 d-------- C:\Documents and Settings\Andy\Application Data\codeblocks
2008-07-20 16:13:34 0 d-------- C:\Program Files\CodeBlocks
2008-07-18 23:51:06 434688 --a------ C:\WINDOWS\System32\ss2uinst.exe <Not Verified; Virtualzone.de; SetupStream 2>
2008-07-18 23:51:00 0 d-------- C:\Program Files\ET Patch Selector
2008-07-17 23:21:08 0 d-------- C:\Documents and Settings\Andy\Application Data\Soldat
2008-07-15 20:43:17 0 d-------- C:\Documents and Settings\Andy\Application Data\Opera
2008-07-15 20:42:40 0 d-------- C:\Program Files\Opera


-- Find3M Report ---------------------------------------------------------------

2008-08-14 18:54:09 292 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-14 18:54:09 292 --a------ C:\WINDOWS\System32\DVCState-{00000001-00000000-00000008-00001102-00000004-10071102}.dat
2008-08-14 04:46:00 0 d-------- C:\Documents and Settings\Andy\Application Data\Free Download Manager
2008-08-14 00:46:26 0 d-------- C:\Program Files\eclipse
2008-08-09 03:58:33 0 d-------- C:\Program Files\Soulseek
2008-08-09 03:51:15 0 d-------- C:\Program Files\Advanced System Optimizer
2008-08-08 23:01:22 0 d-------- C:\Program Files\Java
2008-08-08 20:31:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 21:22:56 0 d-------- C:\Program Files\WMR11
2008-08-01 00:17:05 21528 --a------ C:\Documents and Settings\Andy\Application Data\GDIPFONTCACHEV1.DAT
2008-07-31 18:14:00 0 d-------- C:\Program Files\Common Files
2008-07-24 19:09:56 0 d-------- C:\Documents and Settings\Andy\Application Data\Notepad++
2008-07-24 19:09:48 0 d-------- C:\Program Files\Notepad++
2008-07-09 18:46:21 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>
2008-07-07 02:04:05 0 d-------- C:\Program Files\ScummVM
2008-07-07 01:59:04 0 d-------- C:\Program Files\DOSBox-0.63
2008-07-04 02:32:34 0 d-------- C:\Documents and Settings\Andy\Application Data\OpenOffice.org2
2008-06-24 20:57:36 0 d-------- C:\Program Files\StarUML


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [17/06/2003 17:18 C:\WINDOWS\system32\sstray.exe]
"CTHelper"="CTHELPER.EXE" [10/04/2003 09:36 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [28/10/2003 20:24 C:\WINDOWS\system32\regsvr32.exe]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [03/12/2002 18:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [16/05/2003 00:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/06/2008 14:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [28/10/2003 20:23]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [02/12/2004 18:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2008-08-14 20:10:24 ------------

#7 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:06 AM

Posted 14 August 2008 - 02:25 PM

I'd agree they're important, but I find those things slow the computer down too much. I tend to veer more toward regular scanning, though I find I can get away with nothing at all for the most part (problems seem very rare for me - first time I've had a problem this bad in years). Bad practice, I know! Forgive me.

Trust me, malware isn't the same anymore as a couple of years ago. A click on a legitimate site can also install a malware bundle nowadays. If no scanner is present in the background to block the installer, then it's already too late and you're infected.
Keep in mind that a lot of malware is designed to collect passwords and other important info from your PC as well. Also, some malware may install silently, so you won't notice a thing - but in the meanwhile it uses your mail to send spam or malware links from, or collects your passwords. And as I said, this happens in the background, so you won't notice a thing.

Also see here:
http://miekiemoes.blogspot.com/2008/08/i-d...use-i-have.html

So the choice shouldn't be that hard: either you secure your computer with an Antivirus which is able to prevent malware, or you leave your computer insecure, so nothing will block malware. Remember, malware damages a lot and causes a much slower system. Avira Antivirus doesn't slow down the computer though.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#8 apachedave
  • Topic Starter
  • Members
  • 5 posts
  • Local time:10:06 AM

Posted 14 August 2008 - 02:56 PM

Thanks miekiemoes! I really, really appreciate the help.

You guys provide a wonderful resource here - when I'm finished being a poor student I'll try to give back in some way ( , or time, or both).


Thanks again!
- Andy

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:06 AM

Posted 14 August 2008 - 04:09 PM

You're most welcome :thumbsup:

#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:06 AM

Posted 18 August 2008 - 02:13 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.