msdp.dll Norton finds it, removes it, but it comes back.

Post by mstele » January 31st, 2008, 3:42 pm

I have been having this problem with an apparent trojan adclicker virus that is lingering and annoying like a ten inch butt hair.

Two files have been flagged by my Norton program, msdp.dll as well as a svchost.exe file. Both are located in my c:\program files\common files\ folder. I have been updating my spyware and virus programs numerous times over the last few weeks, but to no success. Here is a copy of my HijackThis log file...

HijackThis Log File:
------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:11 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\XWatDog.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8818883834
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6033 bytes
----------------------------------------------------------------------------------------

PLEASE HELP!!! All attempts to remove any infection are in vain, and I am really sick of seeing a Virus Alert window constantly on, from my Norton Antivirus.
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Post by silver » February 6th, 2008, 2:20 am

Hi mstele,

I note you are running uTorrent. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it - this may well be how your computer was infected.
I recommend you remove it, but if you choose not to, please do not use it while we are cleaning your machine.
You can remove uTorrent via Start->Control Panel->Add/Remove Programs.


Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
cmd /c dir "C:\Program Files\Common Files" /a >> "%userprofile%\desktop\look.txt"
A black box will open and a file will appear on your Desktop called look.txt.
Please wait until the black box closes before opening look.txt, then post the contents of look.txt in your next response.


Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt (this one will be maximized) and extra.txt (this one will be minimized)
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post the look.txt output and both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
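As an added example (my own code, not something from this thread, from HijackThis or from DSS), a small Python triage helper that mechanises the checks silver's instructions are aimed at: it parses a `dir /a` listing like look.txt for loose files sitting directly in Common Files, reads DSS-style "Files created" lines for entries carrying both the hidden and system attributes, and flags a core Windows binary such as svchost.exe that is running from anywhere but System32. The sample input is constructed from lines posted in this thread, and the set of core binaries checked is my assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, copied from the dir /a listing (look.txt) posted
# in this thread and abridged to the entries that matter for the check.
LOOK_TXT = r"""
 Volume in drive C has no label.
 Volume Serial Number is A40E-D847

 Directory of C:\Program Files\Common Files

02/02/2008 07:39 PM <DIR> .
02/02/2008 07:39 PM <DIR> ..
01/03/2008 11:16 AM <DIR> Adobe
01/08/2008 11:45 AM 572,928 mscd.exe
02/02/2008 07:39 PM 454,144 msdp.dll
12/27/2007 08:35 PM <DIR> MSSoap
02/02/2008 07:39 PM 20,480 svchost.exe
02/03/2008 12:04 PM <DIR> Symantec Shared
 3 File(s) 1,047,552 bytes
 16 Dir(s) 7,371,898,880 bytes free
"""

# Constructed sample of DSS "Files created" lines as posted in main.txt.
DSS_FILES = r"""
2008-02-06 11:21:01 20480 ---hs---- C:\Program Files\Common Files\svchost.exe
2008-02-06 11:21:01 454144 ---hs---- C:\Program Files\Common Files\msdp.dll
2008-01-31 16:17:33 8405015 --a------ C:\WINDOWS\TempFile
2008-01-21 17:15:57 304640 --a------ C:\WINDOWS\system32\hlvdd.dll <Not Verified; Aladdin Knowledge Systems; Hardlock Win32 DLL>
2008-01-19 21:27:56 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-08 11:45:10 572928 ---hs---- C:\Program Files\Common Files\mscd.exe
2007-12-27 20:37:44 0 -rahs---- C:\MSDOS.SYS
"""

# Constructed sample of the "Running processes" list from the HijackThis log.
PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Common Files\svchost.exe",
    r"C:\Program Files\Norton AntiVirus\navapsvc.exe",
]

# dir output: date, time, either <DIR> or a comma-grouped size, then the name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
# DSS line: timestamp, size, attribute flags in the order d r a h s, then path.
DSS_LINE = re.compile(
    r"^(\S+ \S+)\s+(\d+)\s+([d-][r-][a-][h-][s-]-*)\s+(.+)$")

# Assumption: on Windows XP these core binaries live only in %windir%\system32,
# so a same-named process running from anywhere else deserves a close look.
CORE_BINARIES = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32"


def loose_files(listing):
    """Non-directory entries of a `dir /a` listing as (name, size_bytes).

    Common Files normally holds only vendor sub-folders, so any file sitting
    directly in it is worth investigating."""
    found = []
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if m and m.group(3) != "<DIR>":
            found.append((m.group(4), int(m.group(3).replace(",", ""))))
    return found


def hidden_system_files(dss_section):
    """Paths of regular files carrying both the hidden and system attributes.

    Malware often sets +h +s to stay out of Explorer; boot files such as
    C:\\MSDOS.SYS legitimately carry them too, so review each hit in context."""
    hits = []
    for line in dss_section.splitlines():
        m = DSS_LINE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(3), m.group(4).split(" <")[0]  # drop "<Not Verified; ...>"
        if attrs[0] != "d" and "h" in attrs and "s" in attrs:
            hits.append(path)
    return hits


def misplaced_core_binaries(process_paths):
    """Running processes named like a core system binary but not located in
    %windir%\\system32 (the Common Files svchost.exe in this thread)."""
    flagged = []
    for p in process_paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in CORE_BINARIES and str(wp.parent).lower() != SYSTEM32:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for name, size in loose_files(LOOK_TXT):
        print(f"loose file in Common Files: {name} ({size} bytes)")
    for path in hidden_system_files(DSS_FILES):
        print(f"hidden+system file: {path}")
    for path in misplaced_core_binaries(PROCESSES):
        print(f"core binary outside System32: {path}")
```

Run against real logs by pasting the look.txt, DSS and HijackThis sections into the three sample inputs; the hits are leads for the helper to review, not verdicts.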

Re: msdp.dll Norton finds it, removes it, but it comes back.

Post by mstele » February 6th, 2008, 3:11 pm

Thank you for your reply....

I have done as instructed, only Deckard is halted when it comes to "Examining Event Logs", which gives an all too familiar "dss.exe has encountered a problem and needs to close."

My Norton program noticed a malicious script, which I knew to be from Deckard, so I allowed it and still had the same problem. So I disabled my Norton, to no avail.

I searched for the logs you were asking for, but they were not created.

Here is the data from my look.txt file:

Volume in drive C has no label.
Volume Serial Number is A40E-D847

Directory of C:\Program Files\Common Files

02/02/2008 07:39 PM <DIR> .
02/02/2008 07:39 PM <DIR> ..
01/03/2008 11:16 AM <DIR> Adobe
12/28/2007 07:02 PM <DIR> Ahead
12/30/2007 04:33 PM <DIR> Apple
01/21/2008 08:00 PM <DIR> AVSMedia
12/28/2007 06:58 PM <DIR> InstallShield
12/28/2007 04:42 PM <DIR> Java
12/27/2007 09:05 PM <DIR> Microsoft Shared
01/08/2008 11:45 AM 572,928 mscd.exe
02/02/2008 07:39 PM 454,144 msdp.dll
12/27/2007 08:35 PM <DIR> MSSoap
12/28/2007 07:03 PM <DIR> Nero
12/28/2007 06:56 PM <DIR> scansoft shared
12/27/2007 08:35 PM <DIR> Services
12/27/2007 12:13 PM <DIR> SpeechEngines
02/02/2008 07:39 PM 20,480 svchost.exe
02/03/2008 12:04 PM <DIR> Symantec Shared
12/27/2007 10:01 PM <DIR> System
3 File(s) 1,047,552 bytes
16 Dir(s) 7,371,898,880 bytes free

Awaiting further instruction...
Thank you again for your reply.
PS
I rebooted my pc and Deckard was successful. Here are those logs...

Main.txt:

Deckard's System Scanner v20071014.68
Run by Family on 2008-02-06 11:22:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2008-02-06 18:59:47 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-02-06 17:51:43 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 6.65 GiB (less than 15%) free.


-- HijackThis (run as Family.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:09 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\XWatDog.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Family\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Family.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8818883834
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6459 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 Par1284 - c:\program files\ve lxi expert 7.5v5\program\par1284.sys <Not Verified; Warp Nine Engineering; IEEE 1284 Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-06 11:22:19 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-06 09:48:47 466 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2008-01-31 20:39:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-06 and 2008-02-06 -----------------------------

2008-02-06 11:21:01 20480 ---hs---- C:\Program Files\Common Files\svchost.exe
2008-02-06 11:21:01 454144 ---hs---- C:\Program Files\Common Files\msdp.dll
2008-01-31 16:17:33 8405015 --a------ C:\WINDOWS\TempFile
2008-01-31 11:25:48 0 d-------- C:\Program Files\Trend Micro
2008-01-30 10:04:38 0 d-------- C:\movie temp
2008-01-21 20:38:51 0 d-------- C:\WINDOWS\system32\winsecurityxp
2008-01-21 19:32:39 0 d-------- C:\Program Files\Alcohol Soft
2008-01-21 19:10:57 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-21 18:48:15 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-01-21 18:48:13 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-21 18:48:13 524288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-21 18:48:13 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-01-21 18:48:13 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-01-21 18:48:13 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-01-21 18:48:13 0 d-------- C:\Program Files\AVSMedia
2008-01-21 17:15:57 304640 --a------ C:\WINDOWS\system32\hlvdd.dll <Not Verified; Aladdin Knowledge Systems; Hardlock Win32 DLL>
2008-01-21 17:15:51 1766160 --a------ C:\WINDOWS\system32\VBA5.DLL <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-01-21 17:15:51 11111 --a------ C:\WINDOWS\system32\DELTREE.EXE
2008-01-21 17:15:50 463392 --a------ C:\WINDOWS\system32\OWL250F.DLL <Not Verified; Borland International; Borland C++ 4.50>
2008-01-21 17:15:03 0 d-------- C:\Program Files\VE LXi Expert 7.5v5
2008-01-21 17:03:24 50176 --a------ C:\WINDOWS\system32\SNTI386.DLL <Not Verified; Rainbow Technologies, Inc.; Sentinel Driver Setup>
2008-01-21 17:03:24 18432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
2008-01-21 17:03:24 76288 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
2008-01-21 17:03:23 0 d-------- C:\WINDOWS\system32\RNBOSENT
2008-01-21 17:01:01 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-01-21 17:01:00 6656 --a------ C:\WINDOWS\system32\haspvdd.dll <Not Verified; Aladdin Knowledge Systems.; Windows NT HASP Virtual Device Driver>
2008-01-21 17:01:00 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
2008-01-20 09:56:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-01-20 00:21:57 0 d-------- C:\VundoFix Backups
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-19 21:27:56 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-19 21:27:56 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-19 21:27:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-19 21:27:56 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-19 21:27:56 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-01-19 21:27:56 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-19 21:27:56 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-19 21:27:56 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-19 21:27:56 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-19 21:20:49 0 d--h----- C:\WINDOWS\PIF
2008-01-19 19:49:04 0 d-------- C:\Documents and Settings\Family\.housecall6.6
2008-01-19 14:08:24 0 d-------- C:\Documents and Settings\Family\Application Data\Help
2008-01-18 16:55:56 0 d-------- C:\vcs5BGEffects
2008-01-18 16:53:40 0 d-------- C:\Program Files\AV Vcs 6.0 DIAMOND
2008-01-08 11:45:22 0 d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-08 11:45:17 0 d-------- C:\Program Files\DVD Shrink
2008-01-08 11:45:10 572928 ---hs---- C:\Program Files\Common Files\mscd.exe
2008-01-07 21:59:57 0 d-------- C:\Program Files\Yahoo!
2008-01-06 22:26:30 0 d-------- C:\Documents and Settings\Family\Application Data\CyberLink
2008-01-06 22:25:52 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-06 22:25:45 0 d-------- C:\Program Files\CyberLink


-- Find3M Report ---------------------------------------------------------------

2008-02-06 11:21:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-06 11:21:19 0 d-------- C:\Documents and Settings\Family\Application Data\uTorrent
2008-02-06 11:21:01 0 d-------- C:\Program Files\Common Files
2008-02-02 19:41:48 0 d-------- C:\Documents and Settings\Family\Application Data\Macromedia
2008-01-31 10:37:19 0 d-------- C:\Program Files\Norton AntiVirus
2008-01-29 01:11:57 0 d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
2008-01-19 20:34:17 0 d-------- C:\Program Files\Crazy Browser
2008-01-19 12:38:34 0 d-------- C:\Program Files\Google
2008-01-08 12:01:49 0 d-------- C:\Documents and Settings\Family\Application Data\Google
2008-01-06 22:25:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 11:46:23 0 d-------- C:\Documents and Settings\Family\Application Data\Ahead
2008-01-03 11:21:34 0 d-------- C:\Documents and Settings\Family\Application Data\Adobe
2008-01-03 11:16:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-03 08:19:53 0 --a------ C:\WINDOWS\system32\BIPORT
2007-12-30 21:18:05 0 d-------- C:\Program Files\uTorrent
2007-12-30 16:34:33 0 d-------- C:\Program Files\QuickTime
2007-12-30 16:33:47 0 d-------- C:\Program Files\Apple Software Update
2007-12-30 16:33:17 0 d-------- C:\Program Files\Common Files\Apple
2007-12-30 16:17:15 0 d-------- C:\Program Files\Reflexive
2007-12-29 14:30:31 32 --ahs---- C:\WINDOWS\system32\{4BEA445E-2689-47DF-84DE-72E1EA6CBACB}.dat
2007-12-29 14:30:31 32 --ahs---- C:\WINDOWS\{C27F8090-C02C-4F9B-AD7D-4827A2315264}.dat
2007-12-29 14:30:27 14 --a------ C:\WINDOWS\system32\SR2.dat
2007-12-29 14:30:02 0 d-------- C:\Program Files\Symantec
2007-12-29 14:29:47 0 d-------- C:\Documents and Settings\Family\Application Data\Symantec
2007-12-28 19:08:48 0 d-------- C:\Program Files\Java
2007-12-28 19:04:08 0 d-------- C:\Program Files\Ahead
2007-12-28 19:03:04 0 d-------- C:\Program Files\Common Files\Nero
2007-12-28 19:02:14 0 d-------- C:\Program Files\Common Files\Ahead
2007-12-28 18:59:12 0 d-------- C:\Program Files\Brother
2007-12-28 18:58:44 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-28 18:56:56 0 d-------- C:\Program Files\Common Files\scansoft shared
2007-12-28 18:56:47 0 d-------- C:\Program Files\Scansoft
2007-12-28 16:45:28 0 d-------- C:\Documents and Settings\Family\Application Data\Sun
2007-12-28 16:42:47 0 d-------- C:\Program Files\Common Files\Java
2007-12-27 21:59:28 0 d-------- C:\Program Files\Windows Media Connect 2
2007-12-27 21:53:26 0 d-------- C:\Program Files\Messenger
2007-12-27 21:05:24 0 d-------- C:\Documents and Settings\Family\Application Data\Identities
2007-12-27 20:38:06 0 d-------- C:\Program Files\microsoft frontpage
2007-12-27 20:37:44 0 -rahs---- C:\MSDOS.SYS
2007-12-27 20:37:44 0 -rahs---- C:\IO.SYS
2007-12-27 20:37:44 0 --a------ C:\CONFIG.SYS
2007-12-27 20:37:44 0 --a------ C:\AUTOEXEC.BAT
2007-12-27 20:36:03 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-27 20:35:07 0 d-------- C:\Program Files\Common Files\MSSoap
2007-12-27 20:34:59 0 d-------- C:\Program Files\Movie Maker
2007-12-27 20:34:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-27 20:33:41 0 d-------- C:\Program Files\Online Services
2007-12-27 20:33:31 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-27 20:33:21 0 d-------- C:\Program Files\Windows NT
2007-12-27 12:13:45 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-12-27 12:13:20 62 --ahs---- C:\Documents and Settings\Family\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegServer"="regserve.exe" [01/28/2005 04:41 PM C:\WINDOWS\system32\RegServe.exe]
"XGIWatchDog"="XWatDog.exe" [01/28/2005 04:42 PM C:\WINDOWS\system32\XWatDog.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [08/12/2002 10:33 AM]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [08/12/2002 11:07 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/19/2002 10:22 PM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [08/19/2002 10:23 PM]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [08/26/2002 10:35 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 10:56 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/2004 04:59 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/12/2004 01:03 AM]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [08/09/2005 02:28 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 04:56 PM]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [07/02/2007 02:29 AM]

C:\Documents and Settings\Family\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [12/11/2007 2:34:48 PM]
æTorrent.lnk - C:\Program Files\uTorrent\uTorrent.exe [12/30/2007 9:18:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [8/12/2002 10:00:40 AM]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
C:\Program Files\Common Files\mscd.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 mpa.one.microsoft.com


-- End of Deckard's System Scanner: finished at 2008-02-06 11:23:55 ------------

Extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Duron(tm) processor
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1023.48 MiB / 665.98 MiB
Pagefile Memory (total/avail): 2461.76 MiB / 2192.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.86 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 6.65 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JB-00FMA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
AntivirusOverride is set.

AV: Norton AntiVirus v2003 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\Crazy Browser\\Crazy Browser.exe"="C:\\Program Files\\Crazy Browser\\Crazy Browser.exe:*:Enabled:Crazy Browser"
"C:\\Program Files\\VE LXi Expert 7.5v5\\Program\\App.exe"="C:\\Program Files\\VE LXi Expert 7.5v5\\Program\\App.exe:*:Enabled:Design Software"
"C:\\Program Files\\VE LXi Expert 7.5v5\\Program\\App2.exe"="C:\\Program Files\\VE LXi Expert 7.5v5\\Program\\App2.exe:*:Enabled:Production"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Family\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FAMILY-C1A2461D
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Family
LOGONSERVER=\\FAMILY-C1A2461D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Family\LOCALS~1\Temp
TMP=C:\DOCUME~1\Family\LOCALS~1\Temp
USERDOMAIN=FAMILY-C1A2461D
USERNAME=Family
USERPROFILE=C:\Documents and Settings\Family
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Family (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> C:\WINDOWS\UNNVEContent.exe /UNINSTALL
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AV Voice Changer Software DIAMOND 6.0 --> C:\PROGRA~1\AVVCS6~1.0DI\UNWISE.EXE C:\PROGRA~1\AVVCS6~1.0DI\INSTALL.LOG
AVS Disc Creator version 2.1 --> "C:\Program Files\AVSMedia\DiscCreator\unins000.exe"
AVS Video Tools 5.1 --> "C:\Program Files\AVSMedia\VideoTools\unins000.exe"
Brother MFL Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0C3FCE48-6984-11D5-90F8-00E029591716}\Setup.exe" bruninst.dll
Crazy Browser version 1.05 --> "C:\Program Files\Crazy Browser\unins000.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 12 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
Norton AntiVirus 2003 Professional Edition --> MsiExec.exe /I{F4C9398F-B6C6-4A4B-8B6D-795CD86F915D}
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
PaperPort 8.0 SE --> MsiExec.exe /I{AEF2D1F3-0696-11D5-8E6A-00C04F7FA234}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VE LXi Expert 7.5v5 --> "C:\WINDOWS\ISUninst.exe" -f"C:\Program Files\VE LXi Expert 7.5v5\Uninst.isu" -c"C:\Program Files\VE LXi Expert 7.5v5\Program\Uninstall.dll"
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Widgets --> C:\PROGRA~1\Yahoo!\Widgets\uninstall.exe
Yahtzee --> "C:\Program Files\Reflexive\Yahtzeeuninstall.exe" "/U:C:\Program Files\Reflexive\Yahtzee\Uninstall\uninstall.xml"


-- Application Event Log -------------------------------------------------------

Event Record #/Type228 / Error
Event Submitted/Written: 02/06/2008 11:14:46 AM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 541261047.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type227 / Error
Event Submitted/Written: 02/06/2008 11:14:37 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type226 / Error
Event Submitted/Written: 02/06/2008 11:07:21 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type225 / Error
Event Submitted/Written: 02/06/2008 11:04:03 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type224 / Error
Event Submitted/Written: 02/06/2008 11:02:35 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1491 / Warning
Event Submitted/Written: 02/06/2008 11:21:19 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1469 / Warning
Event Submitted/Written: 02/04/2008 06:03:54 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1467 / Warning
Event Submitted/Written: 02/04/2008 01:06:40 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type1466 / Error
Event Submitted/Written: 02/03/2008 10:42:47 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.

Event Record #/Type1453 / Warning
Event Submitted/Written: 02/03/2008 10:31:20 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-02-06 11:23:55 ------------

Sorry for the confusion.
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby mstele » February 6th, 2008, 3:38 pm

One quick after-note:

The problem spawned after downloading and running a portal / stand-alone program for the popular gamesite Runescape (runscape.exe). At the time I wasn't downloading any type of file via uTorrent.

The site is known to be attacked by various computers/people, so do you think this may have anything to do with it? The gamesite can be found at Runescape.com for reference.

Sorry about the double post.
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby silver » February 6th, 2008, 9:50 pm

Hi mstele,

The problem spawned after Downloading and running a portal / stand alone program for the popular gamesite Runescape.
It's possible that the download was rigged with malware, if you have the original download let me know and I will check it for you.


Please download MGADiag.exe to your Desktop from here:
http://go.microsoft.com/fwlink/?linkid=56062
  • Double-click on MGADiag.exe
  • When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
  • Please post the results in your next reply.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby mstele » February 6th, 2008, 11:41 pm

Diagnostic Report (1.7.0066.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-224GP-DCW2V-R8FKJ
Windows Product Key Hash: l7HH/i8Od4JzLyD61aMbW9o17MQ=
Windows Product ID: 55274-640-0198953-23640
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {4E6FA1EE-1832-44A6-BE92-A08821FE4BB9}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.59.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_E2AD56EA-337-8009_E2AD56EA-338-2efd_16E0B333-80-80004005
Resolution Status: N/A

Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.7
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2989-80070002_B4D0AA8B-470-80070002

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4E6FA1EE-1832-44A6-BE92-A08821FE4BB9}</UGUID><Version>1.7.0066.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-R8FKJ</PKey><PID>55274-640-0198953-23640</PID><PIDType>1</PIDType><SID>S-1-5-21-1004336348-842925246-854245398</SID><SYSTEM><Manufacturer>VIA Technologies, Inc.</Manufacturer><Model>VT8367-8235</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20030910000000.000000+000</Date></BIOS><HWID>F99539070184206B</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/></Office></Software></GenuineResults>

There ya go...
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby silver » February 7th, 2008, 1:29 am

Hi mstele,

Thanks for that, did you put this line into your hosts file on purpose?
127.0.0.1 mpa.one.microsoft.com



Please download Suspicious File Packer to your Desktop.
  • Right-click sfp.zip, choose Extract All... and extract sfp.exe to your Desktop
  • Double-click sfp.exe to start the program
  • Copy and Paste the following file list into the text box of the program:
    C:\Program Files\Common Files\msdp.dll
    C:\Program Files\Common Files\svchost.exe
    C:\Program Files\Common Files\mscd.exe
  • A file called requested-files[YYYY-MM-DD_MM_ss].cab will appear on your Desktop.
  • Now open this page in your browser
  • Press Browse and browse to the requested-files[YYYY-MM-DD_MM_ss].cab file on your Desktop, fill in the other fields as appropriate then press Send File

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
cmd /c dir "C:\WINDOWS\PIF" /a /s >> "%userprofile%\desktop\look.txt"
A black box will open and a file will appear on your Desktop called look.txt.
Please wait until the black box closes before opening look.txt, then post the contents of look.txt in your next response.

Once complete, please post the look.txt output.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby mstele » February 7th, 2008, 4:48 am

Thanks for that, did you put this line into your hosts file on purpose?

Quote:
127.0.0.1 mpa.one.microsoft.com


No, I wouldn't even be sure how to do so...

After following your instructions, here is my look.txt file:


Volume in drive C has no label.
Volume Serial Number is A40E-D847

Directory of C:\WINDOWS\PIF

01/19/2008 09:20 PM <DIR> .
01/19/2008 09:20 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 6,683,734,016 bytes free

------------------------------------------------------
END OF FILE
------------------------------------------------------

Is it hopeless? What's going on?
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby silver » February 7th, 2008, 6:04 am

Hi mstele,

No, far from hopeless! However, sfp wasn't able to grab those files so we'll need to do things differently.

Temporarily disable Spybot's TeaTimer. This is a two step process.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident TeaTimer and OK any prompts.
  • Use File, Exit to terminate Spybot.
  • Reboot your machine for the changes to take effect.


Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt Standard List:
    Code:
    C:\Program Files\Common Files\svchost.exe
    C:\Program Files\Common Files\msdp.dll 
    C:\WINDOWS\system32\winsecurityxp
    C:\VundoFix Backups
    C:\Program Files\Common Files\mscd.exe
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Then place a checkmark in the box marked Zip files after move
  • Now click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Once you have completed the removals, please upload the moved files as follows:
Please open this page in your browser:
http://www.bleepingcomputer.com/submit- ... channel=32
Press the Browse button and navigate to this folder (do not copy/paste this into the box):
C:\_OTMoveIt\MovedFiles
Select the zipped (compressed) folder named MMDDYYYY_HHMMSS.zip (where MMDDYY_HHMMSS is the date/time the files were moved) and press Open
Please fill in the link to topic field with a link to this topic
Then press Send File, this will upload the file for analysis


Once complete, please post the OTMoveIt report along with a new HijackThis log and let me know if you had any problems with the instructions.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby mstele » February 7th, 2008, 6:28 am

Okay then, sounds good. Zip file was submitted and here are my current logs...

_OTMoveIt:
File move failed. C:\Program Files\Common Files\svchost.exe scheduled to be moved on reboot.
LoadLibrary failed for C:\Program Files\Common Files\msdp.dll
C:\Program Files\Common Files\msdp.dll NOT unregistered.
File move failed. C:\Program Files\Common Files\msdp.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\winsecurityxp moved successfully.
C:\VundoFix Backups moved successfully.
File/Folder C:\Program Files\Common Files\mscd.exe not found.

OTMoveIt2 v1.0.18 log created on 02072008_021911

------------
END OF LOG
------------

And Here is HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:56 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\XWatDog.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8818883834
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6793 bytes
--
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby silver » February 7th, 2008, 6:48 am

Hi mstele,

Some of the files were scheduled to be moved but were not present in the zip file; did your antivirus program give a warning during the process?

Please open Start->Control Panel->Add/Remove Programs, look down the list for these items and remove them:
J2SE Runtime Environment 5.0 Update 12
Java(TM) 6 Update 3
These are out of date and now a security risk; you can get the latest update (version 6 update 4) from here


Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (starting with REGEDIT4) and paste it into a new notepad file.
Change the Save As Type to All Files and save it as fix.reg to your Desktop.

Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%SystemDir%\\winsecurityxp\\mswinup.exe"=-

Locate fix.reg on your Desktop; if you did it right it should look like this: [image]
Double-click it, when it asks if you want to merge with the registry, click Yes.
You can then delete fix.reg

Download HostsXpert to your Desktop
  • Unzip HostsXpert.zip
  • Double click on HostsXpert.exe
  • Click Backup/Restore->Create Backup to back up your existing hosts file
  • Then click on Restore Original Hosts and OK the prompt to restore your Hosts file to the default
  • Click on Make Hosts Read Only to secure it against changes
  • Close program when complete.
  • If for any reason you wish to restore the old hosts file, you can do so by pressing Make Writeable?, then Backup/Restore->Restore Backup and OK to the prompt.

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
cmd /c dir "C:\Program Files\Common Files" /a > "%userprofile%\desktop\look.txt"
A black box will open and a file will appear on your Desktop called look.txt.
Please wait until the black box closes before opening look.txt, then post the contents of look.txt in your next response.

Next make another DSS log as follows:
  • Make sure DSS.exe is on your Desktop
  • Press the Start->Run, copy/paste the following command into the box and press OK:
    "%userprofile%\desktop\dss.exe" /config
  • A configuration box will appear, click the Check All button, then un-check everything in the Extra Log section and press Scan!

Once complete, please post the look.txt output and the new DSS main.txt.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
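
As an added example that is not part of this thread (not silver's code and not the output of any of the tools named), the following Python script checks the two log artifacts that the fix.reg above removes: an Active Setup "Installed Components" key whose name is not a valid GUID (the one here contains a "g"), and a Windows Firewall AuthorizedApplications entry whose display name ("Internet Explorer") does not belong to the executable it authorizes. The sample log lines are constructed from the DSS extra log posted earlier; the list of known environment variable names (taken from that log's Environment Variables section) and the small table of borrowed product names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the Active Setup entry and firewall exception list exactly
# as they appear in the DSS extra log posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D51g62BC-4266-43f0-B6ED-9D76C4202C7E}]
C:\Program Files\Common Files\mscd.exe

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
'''

# A registry GUID key name: 8-4-4-4-12 hex digits in braces. Windows does not
# enforce this for key names, so a non-hex character means a hand-typed key.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ACTIVE_SETUP_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\(\{[^}]*\})\]$",
    re.IGNORECASE,
)
# Firewall list lines have the form "path"="path:scope:state:display name"
FIREWALL_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')

# Assumption: variable names taken from the Environment Variables section of the
# same log (lower-cased, since Windows treats them case-insensitively).
KNOWN_ENV = {"windir", "systemroot", "systemdrive", "programfiles",
             "commonprogramfiles", "userprofile", "appdata"}
# Assumption: display names that malware borrows and the binary they belong to.
KNOWN_NAMES = {"internet explorer": "iexplore.exe", "windows messenger": "msmsgs.exe"}


def is_valid_guid(guid: str) -> bool:
    """True if the braces contain only hex digits in the 8-4-4-4-12 layout."""
    return bool(GUID_RE.match(guid))


def parse_firewall_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one AuthorizedApplications line into path, scope, state and name."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        return None
    path, value = m.group("key"), m.group("value")
    # The value starts with the same path; splitting on ':' directly would cut at 'C:'.
    if not value.startswith(path + ":"):
        return None
    scope, state, name = value[len(path) + 1:].split(":", 2)
    return {"path": path.replace("\\\\", "\\"), "scope": scope, "state": state, "name": name}


def check_firewall_entry(entry: Dict[str, str]) -> List[str]:
    """Flag unknown %variables% and display names that do not match the binary."""
    findings = []
    path = entry["path"]
    exe = path.rsplit("\\", 1)[-1].lower()
    for var in re.findall(r"%([^%]+)%", path):
        if var.lower() not in KNOWN_ENV:
            findings.append(f"{path}: uses unknown environment variable %{var}%")
    expected = KNOWN_NAMES.get(entry["name"].lower())
    if expected and exe != expected:
        findings.append(f"{path}: display name '{entry['name']}' belongs to {expected}, not {exe}")
    return findings


def check_active_setup(guid: str, stub_path: str) -> List[str]:
    """Flag a malformed component GUID and a StubPath dropped straight into Common Files."""
    findings = []
    if not is_valid_guid(guid):
        findings.append(f"Active Setup component {guid}: key name is not a valid GUID")
    parent = stub_path.rsplit("\\", 1)[0].lower()
    # Common Files normally holds vendor subfolders only (the dir listing in this
    # thread shows 0 files there), so a loose .exe at that level stands out.
    if parent.endswith("\\common files"):
        findings.append(f"{stub_path}: executable placed directly in Common Files")
    return findings


def audit(text: str) -> List[str]:
    """Run both checks over a DSS-style log excerpt and return the findings."""
    findings: List[str] = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = ACTIVE_SETUP_RE.match(line)
        if m:
            # DSS prints the StubPath command on the line after the key.
            stub = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.extend(check_active_setup(m.group(1), stub))
            continue
        entry = parse_firewall_entry(line)
        if entry:
            findings.extend(check_firewall_entry(entry))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Running it against the sample prints four findings: the malformed GUID, mscd.exe sitting loose in Common Files, the unknown %SystemDir% variable, and the "Internet Explorer" label on mswinup.exe.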

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby mstele » February 10th, 2008, 3:21 pm

DON'T CLOSE MY THREAD YET!!!

Sorry, I had been called out of town for a few days.

Still busy today but I am going to be following your instructions as soon as I get home this afternoon... (California)

Just wanted to let you know I haven't got to it yet...

Sorry again, I will be getting to you shortly with my results.
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby silver » February 10th, 2008, 7:47 pm

No problem, thanks for letting me know :)
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby mstele » February 10th, 2008, 9:14 pm

Thanks for your patience and sorry again for the delay, here are my DSS and look.txt logs starting with look.txt...

Volume in drive C has no label.
Volume Serial Number is A40E-D847

Directory of C:\Program Files\Common Files

02/10/2008 11:24 AM <DIR> .
02/10/2008 11:24 AM <DIR> ..
01/03/2008 11:16 AM <DIR> Adobe
12/28/2007 07:02 PM <DIR> Ahead
12/30/2007 04:33 PM <DIR> Apple
01/21/2008 08:00 PM <DIR> AVSMedia
12/28/2007 06:58 PM <DIR> InstallShield
02/06/2008 01:31 PM <DIR> Kodak
12/27/2007 09:05 PM <DIR> Microsoft Shared
12/27/2007 08:35 PM <DIR> MSSoap
12/28/2007 07:03 PM <DIR> Nero
12/28/2007 06:56 PM <DIR> scansoft shared
12/27/2007 08:35 PM <DIR> Services
12/27/2007 12:13 PM <DIR> SpeechEngines
02/10/2008 09:04 AM <DIR> Symantec Shared
12/27/2007 10:01 PM <DIR> System
0 File(s) 0 bytes
16 Dir(s) 28,523,581,440 bytes free

END OF FILE
---------------------------------------------------------------

DSS Log (Main.txt):
Deckard's System Scanner v20071014.68
Run by Family on 2008-02-10 17:08:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
13: 2008-02-11 01:08:24 UTC - RP13 - Deckard's System Scanner Restore Point
12: 2008-02-11 01:00:16 UTC - RP12 - Removed Java DB 10.3.1.4
11: 2008-02-10 19:23:48 UTC - RP11 - Removed Java(TM) SE Development Kit 6 Update 4
10: 2008-02-10 19:22:37 UTC - RP10 - Removed Java(TM) 6 Update 4
9: 2008-02-10 19:21:53 UTC - RP9 - Removed Java(TM) 6 Update 3


-- First Restore Point --
1: 2008-02-06 17:51:43 UTC - RP1 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Family.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:20 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\XWatDog.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Family\desktop\dss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Family.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8818883834
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6410 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R2 Par1284 - c:\program files\ve lxi expert 7.5v5\program\par1284.sys <Not Verified; Warp Nine Engineering; IEEE 1284 Driver>
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1584)
2003-05-15 14:43:24 119808 --a------ C:\Program Files\WinRAR\RarExt.dll
-- :: 0 --------- C:\DOCUME~1\Family\LOCALS~1\Temp\IadHide5.dll
2002-08-14 06:03:00 106496 --a------ C:\Program Files\Norton AntiVirus\AdvTools\NDRVEX.DLL <Not Verified; Symantec Corporation; Norton Utilities for Windows>


-- Scheduled Tasks -------------------------------------------------------------

2008-02-10 17:03:13 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-02-10 09:03:08 466 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job


-- Files created between 2008-01-10 and 2008-02-10 -----------------------------

2008-02-08 18:04:02 0 d-------- C:\WINDOWS\CSC
2008-02-07 09:52:35 0 d-------- C:\Documents and Settings\Family\.SunDownloadManager
2008-02-07 02:14:38 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-07 02:14:38 3453 --a------ C:\WINDOWS\unins000.dat
2008-02-06 22:19:28 0 d-------- C:\Program Files\MSXML 4.0
2008-02-06 13:35:15 11448 --a------ C:\logfile
2008-02-06 13:32:06 0 d-------- C:\WINDOWS\system32\BWKDLogs
2008-02-06 13:31:13 0 d-------- C:\Program Files\Common Files\Kodak
2008-02-06 13:29:24 0 d-------- C:\Program Files\Kodak
2008-02-06 13:19:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-31 16:17:33 8405015 --a------ C:\WINDOWS\TempFile
2008-01-31 11:25:48 0 d-------- C:\Program Files\Trend Micro
2008-01-30 10:04:38 0 d-------- C:\movie temp
2008-01-21 19:32:39 0 d-------- C:\Program Files\Alcohol Soft
2008-01-21 19:10:57 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-21 18:48:15 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-01-21 18:48:13 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-01-21 18:48:13 524288 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-21 18:48:13 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2008-01-21 18:48:13 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2008-01-21 18:48:13 638976 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivXNetworks, Inc.; DivX Video for Windows Codec>
2008-01-21 18:48:13 0 d-------- C:\Program Files\AVSMedia
2008-01-21 17:15:57 304640 --a------ C:\WINDOWS\system32\hlvdd.dll <Not Verified; Aladdin Knowledge Systems; Hardlock Win32 DLL>
2008-01-21 17:15:51 1766160 --a------ C:\WINDOWS\system32\VBA5.DLL <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-01-21 17:15:51 11111 --a------ C:\WINDOWS\system32\DELTREE.EXE
2008-01-21 17:15:50 463392 --a------ C:\WINDOWS\system32\OWL250F.DLL <Not Verified; Borland International; Borland C++ 4.50>
2008-01-21 17:15:03 0 d-------- C:\Program Files\VE LXi Expert 7.5v5
2008-01-21 17:03:24 50176 --a------ C:\WINDOWS\system32\SNTI386.DLL <Not Verified; Rainbow Technologies, Inc.; Sentinel Driver Setup>
2008-01-21 17:03:24 18432 --a------ C:\WINDOWS\system32\RNBOVDD.DLL <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
2008-01-21 17:03:24 76288 --a------ C:\WINDOWS\system32\drivers\SENTINEL.SYS <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
2008-01-21 17:03:23 0 d-------- C:\WINDOWS\system32\RNBOSENT
2008-01-21 17:01:01 383 --a------ C:\WINDOWS\system32\haspdos.sys
2008-01-21 17:01:00 6656 --a------ C:\WINDOWS\system32\haspvdd.dll <Not Verified; Aladdin Knowledge Systems.; Windows NT HASP Virtual Device Driver>
2008-01-21 17:01:00 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
2008-01-20 09:56:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-01-19 21:27:56 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-01-19 21:27:56 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-01-19 21:27:56 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-01-19 21:27:56 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-01-19 21:27:56 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-01-19 21:27:56 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-01-19 21:27:56 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-01-19 21:27:56 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-01-19 21:27:56 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-01-19 21:27:56 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-01-19 21:20:49 0 d--h----- C:\WINDOWS\PIF
2008-01-19 19:49:04 0 d-------- C:\Documents and Settings\Family\.housecall6.6
2008-01-19 14:08:24 0 d-------- C:\Documents and Settings\Family\Application Data\Help
2008-01-18 16:55:56 0 d-------- C:\vcs5BGEffects
2008-01-18 16:53:40 0 d-------- C:\Program Files\AV Vcs 6.0 DIAMOND


-- Find3M Report ---------------------------------------------------------------

2008-02-10 11:24:43 0 d-------- C:\Program Files\Java
2008-02-10 11:24:36 0 d-------- C:\Program Files\Common Files
2008-02-10 09:04:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-10 09:03:59 0 d-------- C:\Documents and Settings\Family\Application Data\uTorrent
2008-02-07 21:56:30 0 d-------- C:\Program Files\QuickTime
2008-02-02 19:41:48 0 d-------- C:\Documents and Settings\Family\Application Data\Macromedia
2008-01-31 10:37:19 0 d-------- C:\Program Files\Norton AntiVirus
2008-01-29 01:11:57 0 d-------- C:\Documents and Settings\Family\Application Data\Apple Computer
2008-01-19 20:34:17 0 d-------- C:\Program Files\Crazy Browser
2008-01-19 12:38:34 0 d-------- C:\Program Files\Google
2008-01-08 12:01:49 0 d-------- C:\Documents and Settings\Family\Application Data\Google
2008-01-08 11:45:20 0 d-------- C:\Program Files\DVD Shrink
2008-01-07 22:03:26 0 d-------- C:\Program Files\Yahoo!
2008-01-06 22:26:30 0 d-------- C:\Documents and Settings\Family\Application Data\CyberLink
2008-01-06 22:25:49 0 d-------- C:\Program Files\CyberLink
2008-01-06 22:25:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 11:46:23 0 d-------- C:\Documents and Settings\Family\Application Data\Ahead
2008-01-03 11:21:34 0 d-------- C:\Documents and Settings\Family\Application Data\Adobe
2008-01-03 11:16:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-03 08:19:53 0 --a------ C:\WINDOWS\system32\BIPORT
2007-12-30 21:18:05 0 d-------- C:\Program Files\uTorrent
2007-12-30 16:33:47 0 d-------- C:\Program Files\Apple Software Update
2007-12-30 16:33:17 0 d-------- C:\Program Files\Common Files\Apple
2007-12-30 16:17:15 0 d-------- C:\Program Files\Reflexive
2007-12-29 14:30:31 32 --ahs---- C:\WINDOWS\system32\{4BEA445E-2689-47DF-84DE-72E1EA6CBACB}.dat
2007-12-29 14:30:31 32 --ahs---- C:\WINDOWS\{C27F8090-C02C-4F9B-AD7D-4827A2315264}.dat
2007-12-29 14:30:27 14 --a------ C:\WINDOWS\system32\SR2.dat
2007-12-29 14:30:02 0 d-------- C:\Program Files\Symantec
2007-12-29 14:29:47 0 d-------- C:\Documents and Settings\Family\Application Data\Symantec
2007-12-28 19:04:08 0 d-------- C:\Program Files\Ahead
2007-12-28 19:03:04 0 d-------- C:\Program Files\Common Files\Nero
2007-12-28 19:02:14 0 d-------- C:\Program Files\Common Files\Ahead
2007-12-28 18:59:12 0 d-------- C:\Program Files\Brother
2007-12-28 18:58:44 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-28 18:56:56 0 d-------- C:\Program Files\Common Files\scansoft shared
2007-12-28 18:56:47 0 d-------- C:\Program Files\Scansoft
2007-12-28 16:45:28 0 d-------- C:\Documents and Settings\Family\Application Data\Sun
2007-12-27 21:59:28 0 d-------- C:\Program Files\Windows Media Connect 2
2007-12-27 21:53:26 0 d-------- C:\Program Files\Messenger
2007-12-27 21:05:24 0 d-------- C:\Documents and Settings\Family\Application Data\Identities
2007-12-27 20:38:06 0 d-------- C:\Program Files\microsoft frontpage
2007-12-27 20:37:44 0 -rahs---- C:\MSDOS.SYS
2007-12-27 20:37:44 0 -rahs---- C:\IO.SYS
2007-12-27 20:37:44 0 --a------ C:\CONFIG.SYS
2007-12-27 20:37:44 0 --a------ C:\AUTOEXEC.BAT
2007-12-27 20:36:03 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-27 20:35:07 0 d-------- C:\Program Files\Common Files\MSSoap
2007-12-27 20:34:59 0 d-------- C:\Program Files\Movie Maker
2007-12-27 20:34:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-27 20:33:41 0 d-------- C:\Program Files\Online Services
2007-12-27 20:33:31 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-27 20:33:21 0 d-------- C:\Program Files\Windows NT
2007-12-27 12:13:45 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-12-27 12:13:20 62 --ahs---- C:\Documents and Settings\Family\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegServer"="regserve.exe" [01/28/2005 04:41 PM C:\WINDOWS\system32\RegServe.exe]
"XGIWatchDog"="XWatDog.exe" [01/28/2005 04:42 PM C:\WINDOWS\system32\XWatDog.exe]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [08/12/2002 10:33 AM]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [08/12/2002 11:07 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/19/2002 10:22 PM]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [08/19/2002 10:23 PM]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [08/26/2002 10:35 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 07:42 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 08:24 AM]
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" [08/09/2005 02:28 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 04:56 PM]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [07/02/2007 02:29 AM]

C:\Documents and Settings\Family\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [12/11/2007 2:34:48 PM]
µTorrent.lnk - C:\Program Files\uTorrent\uTorrent.exe [12/30/2007 9:18:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [6/21/2007 10:56:14 PM]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2/13/2004 2:12:08 PM]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [8/12/2002 10:00:40 AM]




-- End of Deckard's System Scanner: finished at 2008-02-10 17:10:44 ------------

Also, to answer your question, I did get an anti-virus alert during your previous instructions, when the files failed to be moved. Also, since following those directions, my PC isn't finding the viruses msdp.dll or svchost.exe anymore. However, since then, my PC has crashed for no reason and rebooted; once rebooted, the system freezes, saying no boot system is found or there is a drive error. Then upon rebooting a second time, everything starts up just fine. Could these be related, you think?
mstele
Active Member
 
Posts: 10
Joined: January 31st, 2008, 3:34 pm
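As an added example (not code from the forum post, from HijackThis or from Deckard's System Scanner), a small triage script for a HijackThis-style log: it flags a core Windows process name such as svchost.exe running from outside C:\WINDOWS, which is how a dropped copy under Program Files\Common Files like the one reported in this thread stands out, and O4 Run entries that give only a bare file name, so the log alone does not show which file actually runs. The Windows directory constant and the sample log lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Process names that Windows itself always starts from %WINDIR%\System32.
# A file with one of these names anywhere else deserves a close look.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Assumption: Windows is installed at C:\WINDOWS, as on the machine in this thread.
WINDIR = r"c:\windows"

# O4 lines look like: O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _program_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path if quoted,
    otherwise the first token. Unquoted paths with spaces are cut at the
    first space, which is still enough to tell a bare name from a path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage_hijackthis(log: str) -> Dict[str, List[str]]:
    """Scan a HijackThis log and return two lists of suspicious lines:
    'masquerade'     - system process names running outside WINDIR
    'unresolved_run' - O4 Run entries that name a file without a path"""
    findings: Dict[str, List[str]] = {"masquerade": [], "unresolved_run": []}
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line ends the process list
                in_processes = False
                continue
            name = line.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_PROCESSES and not line.lower().startswith(WINDIR + "\\"):
                findings["masquerade"].append(line)
            continue
        m = O4_RE.match(line)
        if m:
            program = _program_of(m.group("cmd"))
            # A bare file name is resolved through the search path at logon,
            # so the log does not tell you which copy of the file runs.
            if "\\" not in program:
                findings["unresolved_run"].append(f"{m.group('name')}={program}")
    return findings


# Constructed sample log, modelled on the HijackThis output in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for category, hits in triage_hijackthis(SAMPLE_LOG).items():
        print(category, hits)
```

The DSS registry dump further down this thread already resolves the bare O4 names to their on-disk paths; on a log without that dump, the unresolved entries are the ones to look up by hand.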

Re: msdp.dll Norton finds it, removes it, but it comes back.

Unread postby silver » February 11th, 2008, 7:54 pm

Hi mstele,

However, since then, my PC has crashed for no reason and rebooted; once rebooted, the system freezes, saying no boot system is found or there is a drive error. Then upon rebooting a second time, everything starts up just fine. Could these be related, you think?

It's possible but it doesn't sound like it's related.
Is this happening regularly or did it happen just the once?

Next, please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part, then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Once complete, please post the Kaspersky report along with a new HijackThis log and let me know how your computer is running.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7