Av System Care popups

Post by TomD22 » August 20th, 2007, 9:09 am

Hey,

I'm getting popups opening new Firefox windows with adverts about avg system care (as well as a few other ads for free iPods and crap like that) every so often when I start my browser.

I've read a bit about the problem, here on this board and elsewhere and it seems it's fairly hard to remove - I've done everything I can to get rid of it so I figure it's time to ask for help.

I've already run Spybot S&D and Ad-Aware scans in safe mode - both found the program responsible, both claimed to have removed it but the problem hasn't gone away.

Spybot S&D did warn me that "the program creates randomly-named dll files in the windows/system32 folder, and thus may be difficult for Spybot S&D to remove. You may need to seek expert help"

Sure enough that's exactly what it's doing. I found a few of them (for example ddccff.dll, flcydf.dll, etc etc) with HijackThis and deleted them manually.

I restarted the computer a few times, each time doing a new HijackThis scan, each time finding and deleting a few more of these dll's.

But, they seem to have stopped coming. I can't find any more, even after restarting. Spybot S&D and Ad-aware are also coming up clean. However, the popups and ads are still happening.....

So, what's next? I can't see anything obviously wrong in the log myself, but then I'm not the expert! (Kontiki service is the p2p app for bbc iplayer, right?)

Thanks for any help, HijackThis log below :) Using latest firefox, on vista, if you need to know.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:54, on 20/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\winddl32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Tom\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6144 bytes
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

edit..

Post by TomD22 » August 20th, 2007, 9:17 am

The forum lacks an edit button, but this is to say:

I mean "av system care" not "avg system care". typo.
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

F-Secure blacklight log

Post by TomD22 » August 20th, 2007, 12:02 pm

I read some other threads here and saw that the first thing you've asked everyone is to post an f-secure blacklight log and a hijackthis uninstall log. So I've gone ahead and done that below:

Blacklight log:

08/20/07 16:57:33 [Info]: BlackLight Engine 1.0.64 initialized
08/20/07 16:57:33 [Info]: OS: 6.0 build 6000 ()
08/20/07 16:57:33 [Note]: 7019 4
08/20/07 16:57:33 [Note]: 7005 0
08/20/07 16:57:38 [Note]: 7006 0
08/20/07 16:57:38 [Note]: 7027 0
08/20/07 16:57:38 [Note]: 7026 0
08/20/07 16:57:38 [Note]: 7026 0
08/20/07 16:57:40 [Note]: FSRAW library version 1.7.1022

Hijackthis uninstall log:

3DMark06
abitEQ V1.1.0.9
Ad-Aware 2007
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.0
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AirPlus G
Apple Mobile Device Support
Apple Software Update
Azureus
BBC iPlayer Library
Combined Community Codec Pack 2007-07-22
Company of Heroes
DivX Codec
DivX Web Player
FlashMenu
Google Gmail Notifier
Guild Wars
HD Tune 2.53
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6
Marvell Miniport Driver
McAfee VirusScan Enterprise
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.6)
NVIDIA Drivers
ObjectDock
OpenOffice.org 2.2
PDF Settings
Prime95
QuickTime
Realtek High Definition Audio Driver
RivaTuner v2.02
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0003]
Spybot - Search & Destroy 1.4
Steam
Unix Utilities for Yahoo! Widgets
Ventrilo Client
VideoLAN VLC media player 0.8.6c
Wallpaper Changer (Remove only)
WinRAR archiver
Xvid 1.1.3 final uninstall
Yahoo! Install Manager
Yahoo! Widgets
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

Post by Katana » August 21st, 2007, 9:54 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am training, this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I am looking at your log and will get back to you ASAP :)
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Katana » August 21st, 2007, 11:00 am

Hi TomD22,


First I would recommend that you uninstall AdAware 2007.
Whilst this is a very good program, as yet it is not compatible with Vista and has been known to cause problems.


Move HJT

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your main drive (usually C: ), right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.


Show All Files And Folders
Now you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti
( you may need to show hidden files and folders. See HERE for help)

Please visit Jotti
Click on Browse... and navigate to the following file: C:\Windows\System32\winddl32.exe
Click Open
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • The Jotti/Virus Total report
  • A fresh HJT log


You have a P2P filesharing program installed.
  • Many of these programs come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does click here.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


My recommendation is you uninstall it.

Please note: you must NOT use this whilst we are cleaning your machine.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
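The reason winddl32.exe was singled out above is visible in the log itself: it appears under "Running processes", but no O4 (Run key / Startup item) or O23 (service) line names it, so something not shown is launching it. As an added example, not part of the thread and not HijackThis's own code, the script below applies that check to an excerpt of the first log posted. The allowlist of binaries Vista starts itself and the "under the Windows directory" filter are assumptions of this example, chosen so that normal OS processes do not get flagged.

```python
"""Triage helper for a HijackThis log: list processes running out of the
Windows directory that neither the OS starts itself nor any visible
autostart entry (O4 Run/Startup, O23 service) accounts for.

Added example; the allowlist of OS-started binaries and the
"under the Windows directory" heuristic are assumptions of this example,
not HijackThis behaviour.
"""
import re
from typing import Dict, List, Set

# Constructed excerpt of the first HijackThis log posted in the thread.
HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\winddl32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Tom\Desktop\HiJackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
"""

# Binaries Vista launches itself, so no O4/O23 line is expected for them.
# Assumed allowlist for this example; extend it with your own baseline.
OS_STARTED: Set[str] = {
    "taskeng.exe", "dwm.exe", "explorer.exe", "rundll32.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# A token ending in .exe with no backslash, whitespace, quote or bracket in
# it, i.e. the basename of an executable mentioned in an O4/O23 line.
EXE_TOKEN = re.compile(r'[^\\\s"\[\]]+\.exe', re.IGNORECASE)
ENTRY_LINE = re.compile(r"[OR]\d+ - ")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a log into its running-process list and its R/O entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False      # a blank line ends the process list
            continue
        if ENTRY_LINE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def launcher_lines(entries: List[str]) -> Dict[str, List[str]]:
    """Map each .exe basename named in an O4/O23 line to the lines naming it."""
    found: Dict[str, List[str]] = {}
    for line in entries:
        if line.startswith("O4 ") or line.startswith("O23 "):
            for token in EXE_TOKEN.findall(line):
                found.setdefault(token.lower(), []).append(line)
    return found


def unexplained_windows_processes(text: str) -> List[str]:
    """Running processes under the Windows directory with no OS role and no
    O4/O23 line naming them: candidates for a multi-engine scan."""
    parsed = parse_hjt(text)
    launchers = launcher_lines(parsed["entries"])
    flagged: List[str] = []
    for path in parsed["processes"]:
        if not path.lower().startswith("c:\\windows\\"):
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        if base in OS_STARTED or base in launchers:
            continue
        flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in unexplained_windows_processes(HJT_LOG):
        print("no visible launcher:", path)   # -> C:\Windows\System32\winddl32.exe
```

The check is deliberately narrow: RtHDVCpl.exe also lives under C:\Windows but is named by an O4 line, and rundll32.exe is on the OS allowlist, so only winddl32.exe survives. A launcher that HijackThis does not enumerate (a scheduled task, a service with a misleading display name, or injection from another process) will show up as exactly this kind of orphan, which is why the next step in the thread is a scan of the file rather than a search for the registry entry.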

Post by TomD22 » August 21st, 2007, 1:59 pm

Thanks for the reply

(and I apologise for bumping my own thread...there's no edit button here for some reason, and I (foolishly) noticed the sticky only after replying to myself).

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:33, on 21/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6288 bytes


Virus Total Report:

Antivirus          Version        Last Update  Result
AhnLab-V3          2007.8.22.0    2007.08.21   Win-Trojan/Xema.variant
AntiVir            7.4.1.62       2007.08.21   BDS/VB.bco.141
Authentium         4.93.8         2007.08.20   W32/Backdoor.BLLW
Avast              4.7.1029.0     2007.08.21   Win32:VB-EHP
AVG                7.5.0.484      2007.08.21   BackDoor.Generic8.BPT
BitDefender        7.2            2007.08.21   Backdoor.Vb.BCO
CAT-QuickHeal      9.00           2007.08.21   -
ClamAV             0.91           2007.08.21   Trojan.Karsh
DrWeb              4.33           2007.08.21   -
eSafe              7.0.15.0       2007.08.20   Win32.Trojan
eTrust-Vet         31.1.5076      2007.08.21   -
Ewido              4.0            2007.08.21   -
FileAdvisor        1              2007.08.21   -
Fortinet           2.91.0.0       2007.08.21   -
F-Prot             4.3.2.48       2007.08.20   W32/Backdoor.BLLW
F-Secure           6.70.13030.0   2007.08.21   Backdoor.Win32.VB.bco
Ikarus             T3.1.1.12      2007.08.21   Backdoor.Shark.C
Kaspersky          4.0.2.24       2007.08.21   -
McAfee             5102           2007.08.21   -
Microsoft          1.2803         2007.08.21   -
NOD32v2            2473           2007.08.21   probably a variant of Win32/VB
Norman             5.80.02        2007.08.21   -
Panda              9.0.0.4        2007.08.21   Trj/Shark.F
Rising             19.37.12.00    2007.08.21   Backdoor.Win32.VB.bco
Sophos             4.20.0         2007.08.21   -
Sunbelt            2.2.907.0      2007.08.21   Backdoor.Unidentified.gen
Symantec           10             2007.08.21   Backdoor.Trojan
TheHacker          6.1.8.171      2007.08.21   -
VBA32              3.12.2.2       2007.08.21   Backdoor.Win32.VB.bco
VirusBuster        4.3.26:9       2007.08.21   -
Webwasher-Gateway  6.0.1          2007.08.21   Trojan.VB.bco.141

Hmm, sorry, the formatting on that list has gotten a bit messed up. But I guess the consensus is clear enough anyway, heh.


By the way as you say you're a trainee (and still learning) may I make a small suggestion? You gave me instructions for making hidden files visible that are specific to windows XP...it's slightly different in vista, and although I could figure out where to go easily enough someone less confident might struggle. I don't want to be rude, when you're so kindly helping me, but I thought I'd mention it.

Specifically, vista no longer has a "tools" menu in the new interface - instead you have to click on the "organise" tab, after opening my computer.
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am
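The "consensus" in a report like the one above is worth quantifying rather than eyeballing: 18 of 31 engines flagged the file, most of the named verdicts say backdoor, and the installed product on this machine (McAfee VirusScan Enterprise, engine 5102 in the report) is among the 13 that returned nothing, which is why the file sat in System32 unchallenged. As an added example, not part of the thread and not VirusTotal's own tooling, the script below reads the pasted text and produces those numbers. It handles only the space-separated format as pasted here, and the family marker strings are this example's own assumptions about vendor naming.

```python
"""Turn a pasted multi-engine scan report into the numbers a responder acts
on: detection ratio, which engines missed, whether the product installed on
the box was among them, and how many verdicts agree on a family.
Added example; family markers are assumptions, vendors name things differently."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed copy of the report TomD22 posted for winddl32.exe.
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.21 Win-Trojan/Xema.variant
AntiVir 7.4.1.62 2007.08.21 BDS/VB.bco.141
Authentium 4.93.8 2007.08.20 W32/Backdoor.BLLW
Avast 4.7.1029.0 2007.08.21 Win32:VB-EHP
AVG 7.5.0.484 2007.08.21 BackDoor.Generic8.BPT
BitDefender 7.2 2007.08.21 Backdoor.Vb.BCO
CAT-QuickHeal 9.00 2007.08.21 -
ClamAV 0.91 2007.08.21 Trojan.Karsh
DrWeb 4.33 2007.08.21 -
eSafe 7.0.15.0 2007.08.20 Win32.Trojan
eTrust-Vet 31.1.5076 2007.08.21 -
Ewido 4.0 2007.08.21 -
FileAdvisor 1 2007.08.21 -
Fortinet 2.91.0.0 2007.08.21 -
F-Prot 4.3.2.48 2007.08.20 W32/Backdoor.BLLW
F-Secure 6.70.13030.0 2007.08.21 Backdoor.Win32.VB.bco
Ikarus T3.1.1.12 2007.08.21 Backdoor.Shark.C
Kaspersky 4.0.2.24 2007.08.21 -
McAfee 5102 2007.08.21 -
Microsoft 1.2803 2007.08.21 -
NOD32v2 2473 2007.08.21 probably a variant of Win32/VB
Norman 5.80.02 2007.08.21 -
Panda 9.0.0.4 2007.08.21 Trj/Shark.F
Rising 19.37.12.00 2007.08.21 Backdoor.Win32.VB.bco
Sophos 4.20.0 2007.08.21 -
Sunbelt 2.2.907.0 2007.08.21 Backdoor.Unidentified.gen
Symantec 10 2007.08.21 Backdoor.Trojan
TheHacker 6.1.8.171 2007.08.21 -
VBA32 3.12.2.2 2007.08.21 Backdoor.Win32.VB.bco
VirusBuster 4.3.26:9 2007.08.21 -
Webwasher-Gateway 6.0.1 2007.08.21 Trojan.VB.bco.141
"""

DATE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")   # signature date in column 3

# Substrings that mark a family in a verdict (assumed; vendors differ).
FAMILY_MARKERS: Dict[str, Tuple[str, ...]] = {
    "backdoor": ("backdoor", "bds/"),   # AntiVir prefixes backdoors with BDS/
    "vb": ("vb",),                      # Visual Basic-compiled sample
    "shark": ("shark",),
}

Row = Tuple[str, Optional[str]]   # (engine, verdict or None when clean)


def parse_vt_report(text: str) -> List[Row]:
    """One row per engine; '-' becomes None. The header is skipped because
    its third column is not a yyyy.mm.dd date."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not DATE.match(parts[2]):
            continue
        verdict = " ".join(parts[3:])     # verdicts may contain spaces
        rows.append((parts[0], None if verdict == "-" else verdict))
    return rows


def detection_ratio(rows: List[Row]) -> Tuple[int, int]:
    return sum(1 for _, v in rows if v), len(rows)


def missed_by(rows: List[Row]) -> List[str]:
    return [engine for engine, v in rows if v is None]


def installed_product_missed(rows: List[Row], product: str) -> bool:
    """True if the engine whose name starts with `product` returned nothing."""
    return any(e.lower().startswith(product.lower()) and v is None for e, v in rows)


def family_tally(rows: List[Row]) -> Counter:
    """How many verdicts carry each family marker."""
    tally: Counter = Counter()
    for _, v in rows:
        if v is None:
            continue
        low = v.lower()
        for family, markers in FAMILY_MARKERS.items():
            if any(m in low for m in markers):
                tally[family] += 1
    return tally


if __name__ == "__main__":
    rows = parse_vt_report(VT_REPORT)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged the file")          # 18/31
    print("installed McAfee missed it:", installed_product_missed(rows, "McAfee"))
    print("family agreement:", dict(family_tally(rows)))
```

Two things the tally makes explicit that the raw list does not: the file is a backdoor by 11 independent verdicts (not adware, despite the popups that prompted the thread), and the one engine that mattered on this machine, the installed McAfee, had no signature for it. That second fact is the usual reason a box with up-to-date antivirus is still infected, and it is the reason the helper asked for a multi-engine scan instead of trusting the local scanner's clean result.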

Post by Katana » August 22nd, 2007, 1:07 pm

Hi TomD22,


Specifically, vista no longer has a "tools" menu in the new interface - instead you have to click on the "organise" tab, after opening my computer.

Thanks for the info :)

Hmm, sorry, the formatting on that list has gotten a bit messed up. But I guess the consensus is clear enough anyway, heh.

Yes the consensus is very clear :(

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is a Backdoor Trojan ---- See HERE for more specific details

The file in question seems to target only Instant Message programs, however it also gives the person who wrote it TOTAL CONTROL of your machine
It could allow outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

Please Note: The above is a standard XP Backdoor Rootkit speech
As yet we have not seen any Vista Rootkits, however, this does not mean that they do not exist.
It is very likely that we can clean your machine of this infection with no future consequences,
But we can not guarantee it

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by TomD22 » August 22nd, 2007, 2:13 pm

OK, thanks for the info.

I'll go use another machine to change all my important passwords for banking etc.

For now, I'd prefer to attempt to disinfect, if you can help me do that. If/when that fails I can reformat.

What risk is there likely to be to the two other computers on my network? One is running vista, the other XP. (actually I can probably go find that out myself with HJT...I'll go look...)

(Perhaps not relevant right now, but I'd love to know how I've gotten infected. I've never had a serious malware problem with any of my computers before, and always thought I was fairly careful in that regard. This one I only finished building and putting vista on a few days ago. It's had *nothing* installed on it that I don't trust and haven't already been using without problems on my old machine. The very first thing I did after installing vista (and before connecting to the internet for the first time) was install the virus scanner and I've been behind a NAT router with firewall the whole time. I'm actually worried, if this has somehow gotten to me once and I can't see how - it might just do it again, as soon as I get rid of it!)
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

Post by Katana » August 22nd, 2007, 3:37 pm

Hi TomD22,

Regarding your other machines, I can't comment on them without knowing how it got on this machine.
At the moment I would treat them as suspect if they are networked in any way.
Please don't post any logs from them as yet, let's get this one clean first (it will only get confusing)

As for how you got infected, well, let's see if anything else is there that gives us a clue before we start guessing that one :)


Please download this file Deckard's System Scanner (DSS) to your Desktop.
Don't use it yet, we will need it shortly though !!!

Please Print or Copy/Paste to notepad the following instructions as they require a reboot

Let's remove that file for a start.

Delete a file
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Delete A File On Reboot button.
  • Navigate to C:\Windows\System32\winddl32.exe and click on it.
  • Click Open
  • In the window that opens click Yes


Now let's see if we can find out what is starting it

Deckard's System Scanner
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by TomD22 » August 23rd, 2007, 12:07 pm

OK, here's Main:

Deckard's System Scanner v20070819.64
Run by Tom on 2007-08-23 16:54:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
33: 2007-08-22 15:19:28 UTC - RP117 - Scheduled Checkpoint
32: 2007-08-22 00:31:48 UTC - RP116 - Windows Update
31: 2007-08-21 21:44:01 UTC - RP115 - Installed Sound Blaster Audigy 4
30: 2007-08-21 21:43:27 UTC - RP113 - Installed Sound Blaster for Media Center
29: 2007-08-21 21:43:06 UTC - RP111 - Installed Creative Audio Device Selection


-- First Restore Point --
1: 2007-08-19 14:23:28 UTC - RP63 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:33, on 21/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\RivaTuner v2.02\Tools\RivaTunerStatisticsServer\RivaTunerStatisticsServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6288 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 RivaTuner32 - \??\c:\program files\rivatuner v2.02\rivatuner32.sys

S3 ABIT-IO - \??\c:\program files\u-abit\abiteq\abit-io.sys
S3 ENTECH - \??\c:\windows\system32\drivers\entech.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {85b5ddd0-e090-4b15-bdf2-a443a3ca0b66}
Description:
Device ID: ROOT\*ATITOOLDEVICE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\*ATITOOLDEVICE\0000
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-08-20 13:36:16 324 --a------ C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2007-07-23 and 2007-08-23 -----------------------------

2007-08-21 22:45:40 0 d-------- C:\Kontiki
2007-08-21 22:44:36 41984 -----n--- C:\Windows\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-08-21 22:39:36 77824 -----n--- C:\Windows\system32\ctdvda32.dll <Not Verified; Creative Technology Ltd; Creative DVD-Audio Product>
2007-08-21 21:13:05 0 d-------- C:\Program Files\Creative
2007-08-21 21:12:48 0 d-------- C:\Windows\system32\Defaults
2007-08-21 21:09:56 0 d-------- C:\Program Files\OpenAL
2007-08-21 21:09:12 0 d-------- C:\Windows\system32\Data
2007-08-21 21:09:12 3072 --a------ C:\Windows\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2007-08-21 21:09:12 10240 --a------ C:\Windows\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-08-21 21:09:10 66560 -----n--- C:\Windows\system32\CmdRtr.dll
2007-08-21 21:09:10 103936 -----n--- C:\Windows\system32\APOMngr.dll
2007-08-21 18:23:50 0 d-------- C:\HJT
2007-08-21 13:10:16 0 d-------- C:\Program Files\ATITool
2007-08-21 01:10:30 0 d-------- C:\Users\All Users\Media Center Programs
2007-08-21 01:06:16 0 d-------- C:\Program Files\2K Games
2007-08-20 17:09:57 0 d-------- C:\Windows\Sun
2007-08-20 16:34:20 0 d-------- C:\Program Files\Steam
2007-08-20 12:20:20 0 d-------- C:\Users\All Users\Lavasoft
2007-08-20 12:15:45 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-08-19 15:38:03 0 d-------- C:\Users\All Users\Kontiki
2007-08-19 15:38:03 0 d-------- C:\Program Files\Kontiki
2007-08-18 13:04:39 0 d-------- C:\Program Files\HD Tune
2007-08-18 00:17:37 6486 ---hs---- C:\Windows\system32\ghhkj.bak1
2007-08-18 00:12:26 287766 --a------ C:\Windows\system32\ddccyww.dll
2007-08-18 00:11:58 304161 -----n--- C:\Windows\system32\lfjusesj.exe
2007-08-18 00:08:58 4628 --a------ C:\Windows\system32\jklhoorb.exe
2007-08-18 00:01:13 0 d--hs---- C:\Windows\VG9t
2007-08-17 22:35:03 0 d-------- C:\Program Files\Bonjour
2007-08-17 22:23:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-17 20:19:51 0 d-------- C:\Users\All Users\FLEXnet
2007-08-17 15:46:42 0 d-------- C:\Users\Tom\{b359c3d6-fc87-40a9-bfc4-84dd70141a06}
2007-08-17 14:10:43 0 d-------- C:\Program Files\DivX
2007-08-17 14:10:07 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-08-17 14:09:37 765952 --a------ C:\Windows\system32\xvidcore.dll
2007-08-17 14:09:36 180224 --a------ C:\Windows\system32\xvidvfw.dll
2007-08-17 14:09:36 0 d-------- C:\Program Files\Xvid
2007-08-17 12:29:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 11:46:49 0 d-------- C:\Program Files\Ventrilo
2007-08-17 10:42:50 0 d-------- C:\QUARANTINE
2007-08-17 10:35:23 0 d-------- C:\Users\All Users\Adobe
2007-08-17 10:24:27 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-17 09:47:45 0 d-------- C:\Program Files\Guild Wars
2007-08-17 07:43:32 0 d-------- C:\Windows\Panther
2007-08-17 07:43:23 0 d--hs---- C:\Boot
2007-08-16 22:47:05 0 d-------- C:\Windows\SoftwareDistribution
2007-08-16 22:45:59 0 d-------- C:\Windows\Debug
2007-08-16 22:44:51 0 d-------- C:\Windows\Prefetch
2007-08-16 22:44:41 0 d--hs---- C:\System Volume Information
2007-08-16 21:17:47 0 d-------- C:\Program Files\THQ
2007-08-16 20:27:12 0 d-------- C:\Program Files\RivaTuner v2.02
2007-08-16 19:34:18 0 d-------- C:\Program Files\Yahoo!
2007-08-16 19:33:11 1495552 --a------ C:\Windows\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-08-16 19:33:10 0 d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-16 19:33:08 0 d-------- C:\Users\All Users\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\Common Files\McAfee
2007-08-16 18:27:56 0 d-------- C:\Program Files\Stardock
2007-08-16 18:27:56 0 d-------- C:\Program Files\Common Files\Stardock
2007-08-16 18:27:37 409600 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-08-16 18:27:37 114688 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-08-16 18:25:46 0 d-------- C:\Windows\system32\Futuremark
2007-08-16 18:25:46 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2007-08-16 18:25:46 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2007-08-16 18:25:46 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-08-16 18:24:31 0 d-------- C:\Program Files\Futuremark
2007-08-16 18:12:58 0 d-------- C:\Program Files\Azureus
2007-08-16 18:06:40 0 d-------- C:\Windows\system32\Macromed
2007-08-16 18:06:07 0 d-------- C:\Users\All Users\NVIDIA
2007-08-16 17:52:15 0 d-------- C:\Program Files\VideoLAN
2007-08-16 17:51:35 0 d-------- C:\Program Files\iPod
2007-08-16 17:51:33 0 d-------- C:\Program Files\iTunes
2007-08-16 17:50:50 0 d-------- C:\Program Files\QuickTime
2007-08-16 17:50:49 0 d-------- C:\Users\All Users\Apple Computer
2007-08-16 17:50:31 0 d-------- C:\Program Files\Apple Software Update
2007-08-16 17:49:14 0 d-------- C:\Program Files\Common Files\Apple
2007-08-16 17:49:12 0 d-------- C:\Users\All Users\Apple
2007-08-16 17:47:49 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-16 17:47:32 0 d-------- C:\Program Files\Java
2007-08-16 17:47:31 0 d-------- C:\Program Files\Common Files\Java
2007-08-16 17:42:42 0 d-------- C:\Program Files\Google
2007-08-16 17:39:48 0 d-------- C:\Program Files\Prime95
2007-08-16 17:30:56 0 d-------- C:\NVIDIA
2007-08-16 17:25:38 0 d-------- C:\Program Files\Wallpaper Changer
2007-08-16 17:04:23 0 --a------ C:\Windows\nsreg.dat
2007-08-16 16:39:06 0 d-------- C:\Program Files\D-Link
2007-08-16 16:18:12 0 d-------- C:\Program Files\U-ABIT
2007-08-16 16:17:41 0 d-------- C:\Program Files\Marvell
2007-08-16 16:17:23 0 d--hs---- C:\Windows\Installer
2007-08-16 16:16:58 0 d-------- C:\Windows\system32\RTCOM
2007-08-16 16:16:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-16 16:16:25 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-16 16:16:21 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-16 16:14:40 0 d-------- C:\Program Files\Intel
2007-08-16 16:14:31 0 d-------- C:\Intel
2007-08-16 15:53:29 0 dr------- C:\Users\Tom\Searches
2007-08-16 15:53:19 0 dr------- C:\Users\Tom\Contacts
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Videos
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Templates
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Start Menu
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\SendTo
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Saved Games
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Recent
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\PrintHood
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Pictures
2007-08-16 15:53:14 2621440 --ahs---- C:\Users\Tom\ntuser.dat
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\NetHood
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\My Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Music
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Local Settings
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Links
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Favorites
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Downloads
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Desktop
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Cookies
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Application Data
2007-08-16 15:53:14 0 d--h----- C:\Users\Tom\AppData
2007-07-26 03:53:34 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-07-26 03:50:34 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 03:50:34 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 03:50:22 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:49:28 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2007-08-21 22:33:37 0 d-------- C:\Users\Tom\AppData\Roaming\Bioshock
2007-08-21 21:00:03 0 d-------- C:\Users\Tom\AppData\Roaming\OpenOffice.org2
2007-08-20 15:57:52 0 d-------- C:\Users\Tom\AppData\Roaming\Adobe
2007-08-19 11:06:53 0 d-------- C:\Users\Tom\AppData\Roaming\Azureus
2007-08-17 22:23:31 0 d-------- C:\Program Files\Common Files
2007-08-17 15:02:14 0 d-------- C:\Users\Tom\AppData\Roaming\DivX
2007-08-17 14:11:24 0 d-------- C:\Users\Tom\AppData\Roaming\WinRAR
2007-08-17 14:03:57 0 d-------- C:\Users\Tom\AppData\Roaming\vlc
2007-08-16 18:20:51 0 d-------- C:\Users\Tom\AppData\Roaming\Apple Computer
2007-08-16 18:08:02 0 d-------- C:\Users\Tom\AppData\Roaming\Macromedia
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Mail
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Defender
2007-08-16 17:04:29 0 d-------- C:\Users\Tom\AppData\Roaming\Talkback
2007-08-16 17:04:21 0 d-------- C:\Users\Tom\AppData\Roaming\Mozilla
2007-08-16 16:18:01 0 d-------- C:\Users\Tom\AppData\Roaming\InstallShield
2007-08-16 15:53:21 0 d-------- C:\Users\Tom\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="" []
"RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 19:26 C:\Windows\RtHDVCpl.exe]
"Wallpaper"="" []
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [22/02/2007 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [19/12/2006 11:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"fcrnli"="c:\users\tom\appdata\local\microsoft\fcrnli.exe" [18/08/2007 00:12]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [17/08/2007 16:23]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [17/08/2007 16:23]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [17/08/2007 16:23]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [01/07/2007 20:20]
"CTHelper"="CTHELPER.EXE" [12/02/2007 19:47 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [12/02/2007 19:47 C:\Windows\System32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [15/02/2005 16:10]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [16/06/2005 18:25]
"UpdReg"="C:\Windows\UpdReg.EXE" [11/05/2000 01:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [02/11/2006 13:35]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 13:35]
"Steam"="" []

C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [16/08/2007 18:27:56]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [20/07/2007 18:57:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FE2480A7-A6F0-E0B3-F837-C49E5829BE08}]
C:\Windows\system32\winddl32.exe



-- End of Deckard's System Scanner: finished at 2007-08-23 16:58:01 ------------

and Extra:

Deckard's System Scanner v20070819.64
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 2045.88 MiB / 1256.45 MiB
Pagefile Memory (total/avail): 4313.06 MiB / 3514.66 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.57 MiB

C: is Fixed (NTFS) - 111.79 GiB total, 51.38 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 232.88 GiB total, 139.99 GiB free.


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Tom\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOM-PC
ComSpec=C:\Windows\system32\cmd.exe
DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Tom
LOCALAPPDATA=C:\Users\Tom\AppData\Local
LOGONSERVER=\\TOM-PC
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Tom\AppData\Local\Temp
TMP=C:\Users\Tom\AppData\Local\Temp
USERDOMAIN=Tom-PC
USERNAME=Tom
USERPROFILE=C:\Users\Tom
VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Tom (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EF644C7-1A0D-4B94-9AF5-AD04702094A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32B4B536-4443-42F0-9676-98373BE9114F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44267176-A318-447F-A62A-0A5FD608C34F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44267176-A318-447F-A62A-0A5FD608C34F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{52338F65-A1C3-4CDC-B733-50051682B297}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{55F63529-9E2F-46C0-A22C-8445B670BCFA}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{55F63529-9E2F-46C0-A22C-8445B670BCFA}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{569A9538-86EC-44C3-8EE4-C68B165F2A75}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5B17E626-7885-4FC3-A66A-73548A4F01FD}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{73919E2B-725C-4FAA-8473-45E063A3575F}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9944C8-7D34-475E-8C90-2788685B2C47}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9944C8-7D34-475E-8C90-2788685B2C47}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B20EB9BE-3795-47BA-BDD6-889593E8FD55}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B20EB9BE-3795-47BA-BDD6-889593E8FD55}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C88C3C27-AECE-4137-A6CC-D7A6FFAD2F84}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C88C3C27-AECE-4137-A6CC-D7A6FFAD2F84}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}\setup.exe" -l0x9 /remove
3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
abitEQ V1.1.0.9 --> C:\Program Files\InstallShield Installation Information\{A3DB6885-DDFA-442A-A2C2-EC1842CA4953}\setup.exe -runfromtemp -l0x0009 -removeonly
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AirPlus G --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B7E4354-0492-460A-BDB1-1F59EE141025}\setup.exe" -l0x9 -removeonly
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
ATITool Overclocking Utility --> "C:\Program Files\ATITool\Uninstall.exe"
Azureus --> C:\Program Files\Azureus\Uninstall.exe
BBC iPlayer Library --> MsiExec.exe /X{D466F3D9-510C-4729-B7D4-2E70490E4CDF}
BioShock Demo --> C:\Program Files\InstallShield Installation Information\{36BBA884-C697-48B6-B496-5F329215E249}\setup.exe -runfromtemp -l0x0009 -removeonly
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Company of Heroes --> MsiExec.exe /X{66F78C51-D108-4F0C-A93C-1CBE74CE338F}
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FlashMenu --> C:\Program Files\InstallShield Installation Information\{047E5F60-5357-43FB-A080-1912EB0132A4}\setup.exe -runfromtemp -l0x0009 -removeonly
Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Lost Coast --> "C:\Program Files\Steam\steam.exe" steam://uninstall/340
HD Tune 2.53 --> "C:\Program Files\HD Tune\unins000.exe"
HijackThis 2.0.2 --> "C:\Users\Tom\Downloads\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{E0219810-16E4-437D-9165-93D7B22524F9}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
McAfee VirusScan Enterprise --> MsiExec.exe /X{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
ObjectDock --> C:\PROGRA~1\Stardock\OBJECT~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\INSTALL.LOG
OpenAL --> "C:\Program Files\OpenAL\OALInst.exe" /U
OpenOffice.org 2.2 --> MsiExec.exe /I{3CCBC9FF-7F35-4220-B66D-B60E2E7AB4E2}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Prime95 --> "C:\Program Files\Prime95\Uninstall.exe" "C:\Program Files\Prime95\install.log"
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
RivaTuner v2.02 --> "C:\Program Files\RivaTuner v2.02\uninstall.exe"
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0003] --> "C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\unins000.exe"
Sound Blaster Audigy 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8AD6CB8-DE96-43FA-9B73-5FB873DD1CAE}\SETUP.EXE" -l0x9 /remove
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Unix Utilities for Yahoo! Widgets --> C:\Program Files\Yahoo!\Widgets\UnixUtils\uninstall.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Wallpaper Changer (Remove only) --> "C:\Program Files\Wallpaper Changer\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
Yahoo! Install Manager --> C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Widgets --> C:\PROGRA~1\Yahoo!\Widgets\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2447 / Success
Event Submitted/Written: 08/23/2007 04:53:01 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type2445 / Success
Event Submitted/Written: 08/23/2007 04:52:58 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type2444 / Success
Event Submitted/Written: 08/23/2007 04:52:58 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type2422 / Success
Event Submitted/Written: 08/23/2007 04:34:07 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type2421 / Success
Event Submitted/Written: 08/23/2007 04:34:04 PM
Event ID/Source: 5615 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8156 / Warning
Event Submitted/Written: 08/23/2007 04:53:05 PM
Event ID/Source: 134 / W32Time
Event Description:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x1'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)

Event Record #/Type8153 / Warning
Event Submitted/Written: 08/23/2007 04:53:03 PM
Event ID/Source: 134 / W32Time
Event Description:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x1'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)

Event Record #/Type8152 / Warning
Event Submitted/Written: 08/23/2007 04:53:00 PM
Event ID/Source: 134 / W32Time
Event Description:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x1'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)

Event Record #/Type8151 / Warning
Event Submitted/Written: 08/23/2007 04:53:00 PM
Event ID/Source: 134 / W32Time
Event Description:
NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x1'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)

Event Record #/Type8144 / Warning
Event Submitted/Written: 08/23/2007 04:51:57 PM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:




-- End of Deckard's System Scanner: finished at 2007-08-23 16:58:01 ------------
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

Unread postby Katana » August 24th, 2007, 12:40 am

Hi TomD22,

Well I haven't found out how you got bitten, but it looks like it happened around midnight on 18/08/07 if that helps?

Oh, by the way, that looks like a nice piece of kit you are running :)
Quad core with 2gb ram, ----- I want one :( :lol:

Now let's get down to business.


Turn Off User Account Control
  1. Open Control Panel.
  2. Under User Account and Family settings click on the "Add or remove user account".
  3. Click on Your user account,
  4. Under the user account click on the "Go to the main User Account page" link.
  5. Under "Make changes to your user account" click on the "Change security settings" link.
  6. In the "Turn on User Account Control (UAC) to make your computer more secure" click to unselect the "Use User Account Control (UAC) to help protect your computer". Click on the Ok button.
  7. You will be prompted to reboot your computer. Do so when ready.

In order to re-enable UAC just select the above checkbox and reboot.

Backup the Registry
NOTE: To make sure the programs are executed with proper administrative privileges,
you should turn off User Account Control in Vista’s system settings.

  • Download ERUNT to your desktop
  • Double-click on the file to install the program
  • Untick the NTREGOPT desktop shortcut option
  • Click No when you get the option to run Erunt at Windows startup.
  • During the installation, tick Launch Erunt
  • Accept the defaults for running a backup
  • Erunt will then backup your registry


Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg. Please save it on your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fcrnli"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FE2480A7-A6F0-E0B3-F837-C49E5829BE08}]


Make sure there are NO lines before Windows Registry Editor Version 5.00 and ONE line at the end.
Double click on Regfix.reg and click Yes at the prompt.


Delete Files and Folders
Find and delete the following Files and Folders if present
C:\Windows\system32\ghhkj.bak1 <<< This File
C:\Windows\system32\ddccyww.dll <<< This File
C:\Windows\system32\winddl32.exe <<< This File ( should be gone but it's safer to check )


Submit a File For Analysis
We need to have the files below scanned by uploading them to Jotti
( you may need to show hidden files and folders. See HERE for help)

Please visit Jotti
Click on Browse... and navigate to the following file: C:\Windows\system32\jklhoorb.exe
Click Open
Please post back, to let me know the results.

Please do the same for the following file

C:\Windows\system32\lfjusesj.exe
c:\users\tom\appdata\local\microsoft\fcrnli.exe <<< This is probably gone, but please check.

If Jotti is too busy please try Virustotal

Kaspersky Online Scanner

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Jotti/Virus Total results
  • Kaspersky log
  • How are things running now?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
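As an added illustration of what the Regfix.reg above actually does before it is merged (example code written for this edit, not Katana's or the forum's own tool): a small Python dry-run checker that parses the .reg text, enforces the "header first, one blank line at the end" rule from the post, and lists every key or value the file would delete or set without touching the registry. The REGFIX_TEXT constant is an inline copy of the file content posted above; the checker itself is an assumption about how such a file is usually validated, not a Microsoft API.

```python
"""Dry-run checker for a .reg file such as the Regfix.reg posted above.

Added example for this thread, not part of the original post or any
project's code. It never writes to the registry; it only reports what
the file would do so the user can confirm it matches the helper's advice.
"""
import re
from dataclasses import dataclass, field

HEADER = "Windows Registry Editor Version 5.00"

# Inline copy of the Regfix.reg content from the post (constructed for this example).
REGFIX_TEXT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"fcrnli"=-\n'
    "\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components"
    "\\{FE2480A7-A6F0-E0B3-F837-C49E5829BE08}]\n"
    "\n"
)


@dataclass
class RegOp:
    kind: str          # "delete_key", "delete_value" or "set_value"
    key: str
    value: str = ""    # value name ("@" for the default value)
    data: str = ""     # raw data text for set_value


@dataclass
class RegReport:
    problems: list = field(default_factory=list)
    ops: list = field(default_factory=list)


# "[KEY]" opens a key section; "[-KEY]" deletes the whole key.
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# '"name"=data' or '@=data'; data of "-" means delete that value.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> RegReport:
    """Parse .reg text and return the operations it encodes plus any rule violations."""
    report = RegReport()
    lines = text.split("\n")
    if not lines or lines[0] != HEADER:
        report.problems.append("first line must be exactly: " + HEADER)
    if not text.endswith("\n\n"):  # the post asks for ONE blank line at the end
        report.problems.append("file should end with one blank line")
    current_key = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line == HEADER or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            delete, key = m.group(1) == "-", m.group(2)
            current_key = None if delete else key
            if delete:
                report.ops.append(RegOp("delete_key", key))
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name = "@" if m.group(2) else m.group(1)
            data = m.group(3)
            if data == "-":
                report.ops.append(RegOp("delete_value", current_key, name))
            else:
                report.ops.append(RegOp("set_value", current_key, name, data))
            continue
        # A value line with no open key, or anything else, is flagged rather than guessed at.
        report.problems.append(f"line {lineno}: unrecognised or orphan entry: {line}")
    return report


def describe(report: RegReport) -> list:
    """Human-readable summary, one line per problem or operation."""
    out = [f"PROBLEM: {p}" for p in report.problems]
    for op in report.ops:
        if op.kind == "delete_key":
            out.append(f"delete key   {op.key}")
        elif op.kind == "delete_value":
            out.append(f"delete value {op.value!r} under {op.key}")
        else:
            out.append(f"set value    {op.value!r} under {op.key} to {op.data}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(REGFIX_TEXT)):
        print(line)
```

For the posted file the output shows one autostart value (fcrnli under the Run key) being removed and one Active Setup component key being deleted, which is exactly the scope the helper described.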

Unread postby TomD22 » August 24th, 2007, 9:07 am

Well I was in Singapore last week so I bought most of the parts there. Electronics are a little cheaper there anyway - then claim back the Singaporean sales tax at the airport - then don't pay UK VAT when you come back here - and it's a lot cheaper to build that system than you might think! I reckon overall I saved about 40% compared to the cheapest UK prices I could find.

I've just added another 1GB of RAM to it this morning, actually. Amazingly, with Vista, I was still running out when gaming/photoshopping even with 2GB, although turning off Superfetch helped a bit.

Aaaanyway, back on topic...


You said to delete ghhkj.bak1. I did so, but there was also a ghhkj.ini file. I left it for the time being, but does that need to be deleted too?



Virustotal log for jklhoorb.exe

Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.24 Win-Trojan/Xema.variant
AntiVir 7.4.1.63 2007.08.24 TR/Click.Agent.NP
Authentium 4.93.8 2007.08.23 W32/Downldr2.AJXG
Avast 4.7.1029.0 2007.08.24 Win32:Tiny-IF
AVG 7.5.0.484 2007.08.23 Downloader.Generic4.ZQI
BitDefender 7.2 2007.08.24 Trojan.Clicker.Agent.NP
CAT-QuickHeal 9.00 2007.08.23 TrojanDownloader.Tiny.id
ClamAV 0.91 2007.08.24 Trojan.Downloader-10686
DrWeb 4.33 2007.08.24 Trojan.Click.2799
eSafe 7.0.15.0 2007.08.23 -
eTrust-Vet 31.1.5084 2007.08.24 Win32/Secdrop.OC
Ewido 4.0 2007.08.24 Downloader.Tiny.id
FileAdvisor 1 2007.08.24 -
Fortinet 2.91.0.0 2007.08.24 -
F-Prot 4.3.2.48 2007.08.23 W32/Downldr2.AJXG
F-Secure 6.70.13030.0 2007.08.24 Trojan-Downloader.Win32.Tiny.id
Ikarus T3.1.1.12 2007.08.24 Trojan.Click.2799
Kaspersky 4.0.2.24 2007.08.24 Trojan-Downloader.Win32.Tiny.id
McAfee 5104 2007.08.23 -
Microsoft 1.2803 2007.08.24 Trojan:Win32/Conhook.D
NOD32v2 2482 2007.08.24 probably a variant of Win32/TrojanDownloader.Small
Norman 5.80.02 2007.08.23 W32/Tiny.AHW
Panda 9.0.0.4 2007.08.24 Trj/Downloader.PCQ
Prevx1 V2 2007.08.24 Generic.Malware
Rising 19.37.42.00 2007.08.24 Trojan.DL.Win32.Tiny.id
Sophos 4.20.0 2007.08.24 -
Sunbelt 2.2.907.0 2007.08.24 -
Symantec 10 2007.08.24 Trojan.Vundo
TheHacker 6.1.8.172 2007.08.24 Trojan/Downloader.Tiny.id
VBA32 3.12.2.3 2007.08.23 Trojan.Click.2799
VirusBuster 4.3.26:9 2007.08.23 Trojan.DL.Tiny.IH
Webwasher-Gateway 6.0.1 2007.08.24 Trojan.Click.Agent.NP
Additional information
File size: 4628 bytes
MD5: e064bf0b680c7aa679beb803b08bd6ae
SHA1: 4587e7f05548fd0591819e65e029c7e977d3bb95
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 001CB2B7C9

Virustotal log for lfjusesj.exe

Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.24 -
AntiVir 7.4.1.63 2007.08.24 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.08.23 -
Avast 4.7.1029.0 2007.08.24 Win32:Vundo-gen46
AVG 7.5.0.484 2007.08.23 Generic6.KLR
BitDefender 7.2 2007.08.24 -
CAT-QuickHeal 9.00 2007.08.23 (Suspicious) - DNAScan
ClamAV 0.91 2007.08.24 -
DrWeb 4.33 2007.08.24 Trojan.Virtumod
eSafe 7.0.15.0 2007.08.23 Suspicious Trojan/Worm
eTrust-Vet 31.1.5084 2007.08.24 -
Ewido 4.0 2007.08.24 -
FileAdvisor 1 2007.08.24 -
Fortinet 2.91.0.0 2007.08.24 -
F-Prot 4.3.2.48 2007.08.23 -
F-Secure 6.70.13030.0 2007.08.24 -
Ikarus T3.1.1.12 2007.08.24 Win32.Rigel.6468
Kaspersky 4.0.2.24 2007.08.24 -
McAfee 5104 2007.08.23 -
Microsoft 1.2803 2007.08.24 -
NOD32v2 2482 2007.08.24 probably a variant of Win32/Genetik
Norman 5.80.02 2007.08.23 -
Panda 9.0.0.4 2007.08.24 Spyware/Virtumonde
Prevx1 V2 2007.08.24 -
Rising 19.37.42.00 2007.08.24 -
Sophos 4.20.0 2007.08.24 -
Sunbelt 2.2.907.0 2007.08.24 VIPRE.Suspicious
Symantec 10 2007.08.24 Downloader
TheHacker 6.1.8.172 2007.08.24 -
VBA32 3.12.2.3 2007.08.23 Trojan.Virtumod
VirusBuster 4.3.26:9 2007.08.23 Adware.Vundo.P.Gen
Webwasher-Gateway 6.0.1 2007.08.24 Trojan.Crypt.XPACK.Gen
Additional information
File size: 304161 bytes
MD5: 7f7bd797498074fbcf66847145818ac7
SHA1: 12cdb928300ffa6a9c9e37191ceb20e049954fd9
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

fcrnli.exe seems to be gone.

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 24, 2007 2:04:39 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 24/08/2007
Kaspersky Anti-Virus database records: 388870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 98588
Number of viruses found: 5
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:12:12

Infected Object Name / Virus Name / Last Action
C:\$Recycle.Bin\S-1-5-21-3399875639-2395462664-3684426604-1000\$RC17MOK.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Deckard\System Scanner\backup\Users\Tom\AppData\Local\Temp\5726624.exe Infected: Backdoor.Win32.VB.bco skipped
C:\Deckard\System Scanner\backup\Users\Tom\AppData\Local\Temp\cmdinst.exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Deckard\System Scanner\backup\Users\Tom\AppData\Local\Temp\cmdinst.exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Deckard\System Scanner\backup\Users\Tom\AppData\Local\Temp\cmdinst.exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Deckard\System Scanner\backup\Users\Tom\AppData\Local\Temp\cmdinst.exe Inno: infected - 3 skipped
C:\ProgramData\Kontiki\error.log Object is locked skipped
C:\ProgramData\McAfee\Common Framework\Db\Agent_TOM-PC.log Object is locked skipped
C:\ProgramData\McAfee\Common Framework\Db\PrdMgr_TOM-PC.log Object is locked skipped
C:\ProgramData\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\ProgramData\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\ProgramData\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5348f2a3d7abd9025def2d455d7da4a9_4c5d2237-d468-4f99-9708-f75cc4586b59 Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy27.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf74E1.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf74E2.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050241.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\UsrClass.dat{8cd9c338-4c42-11dc-9a38-00508d9f52a5}.TM.blf Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\UsrClass.dat{8cd9c338-4c42-11dc-9a38-00508d9f52a5}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows\UsrClass.dat{8cd9c338-4c42-11dc-9a38-00508d9f52a5}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Tom\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Tom\AppData\Local\Mozilla\Firefox\Profiles\c5ucj75j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Tom\AppData\Local\Mozilla\Firefox\Profiles\c5ucj75j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Tom\AppData\Local\Mozilla\Firefox\Profiles\c5ucj75j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Tom\AppData\Local\Mozilla\Firefox\Profiles\c5ucj75j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Tom\AppData\Local\Temp\NAILogs\UpdaterUI_TOM-PC.log Object is locked skipped
C:\Users\Tom\AppData\Local\Yahoo\Widget Engine\Widgets DB\widgets.db Object is locked skipped
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cert8.db Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\formhistory.dat Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\history.dat Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\key3.db Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\parent.lock Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\search.sqlite Object is locked skipped
C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Tom\ntuser.dat Object is locked skipped
C:\Users\Tom\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Tom\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Tom\NTUSER.DAT{7c22ab2d-4c99-11dc-86c4-00179abe9a73}.TM.blf Object is locked skipped
C:\Users\Tom\NTUSER.DAT{7c22ab2d-4c99-11dc-86c4-00179abe9a73}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Tom\NTUSER.DAT{7c22ab2d-4c99-11dc-86c4-00179abe9a73}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{b316b1ec-4cd5-11dc-8d1a-00179abe9a73}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{b316b1ec-4cd5-11dc-8d1a-00179abe9a73}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{b316b1ec-4cd5-11dc-8d1a-00179abe9a73}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{b316b1ec-4cd5-11dc-8d1a-00179abe9a73}.TxR.blf Object is locked skipped
C:\Windows\System32\jklhoorb.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1 Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG2 Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat{3a53986c-6a70-11db-887c-d362bd253390}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat{3a53986c-6a70-11db-887c-d362bd253390}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat{3a53986c-6a70-11db-887c-d362bd253390}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\schema.dat{3a53986c-6a70-11db-887c-d362bd253390}.TxR.blf Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3a53986d-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3a53986d-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{3a53986d-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\{00000005-00000000-00000004-00001102-00000008-10211102}.CDF Object is locked skipped
E:\28e9d06704c034e8d9\%temp%dd_msxml_retMSI.txt Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

It took me a while to figure out why Kaspersky didn't wanna work until I read the small print and realised it required internet explorer not firefox :oops:.

As to how things are running now: Essentially no change. I'm still getting the same popup windows, and no other symptoms have appeared.
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am

Unread postby Elrond » August 24th, 2007, 11:22 am

mom2sarah, I want to reiterate what is posted in the announcement in this room.


ONLY trained staff are allowed to post answers to topics, so if you are NOT in a helper grade here, do not post a reply to victims. If you do, be aware your post WILL be removed whether it has good OR bad advice.
If you would like to join - see the link to the University in the main menu at the top of the page.



TomD, please do NOT follow the advice of mom2sarah.


The posts have been removed.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Katana » August 25th, 2007, 1:14 pm

Hi Tom,

VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Delete Files and Folders
Find and delete the following Files and Folders if present
C:\Windows\system32\ghhkj.ini <<< This File
C:\Windows\system32\lfjusesj.exe <<< This File
C:\Windows\system32\jklhoorb.exe <<< This File


Download AVG Anti-Spyware
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [Image: screenshot of the AVG Anti-Spyware results window, showing the controls numbered (1) to (4) above]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Deckard's System Scanner
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - main.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your reply

(NOTE: Only one file will be created this time)

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • vundofix.txt
  • AVG Log
  • DSS Log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
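Once the logs come back, the triage step is spotting autostart entries that were not in the earlier log or that launch from a user-writable location. As an added example (not code from the thread or from any of the tools it names), this Python script diffs the O4 lines of two HijackThis logs and flags such entries; the sample lines are constructed to match the log format posted in this thread.

```python
"""Diff the O4 (autostart) entries of two HijackThis logs and flag the ones an
analyst would want to look at first: entries that are new or changed since the
baseline log, and entries whose executable lives in a user-profile or temp
directory.  Added example; the sample log lines below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample O4 lines in HijackThis format.  LOG_AFTER adds an entry of
# the kind that shows up in the second log of this thread: a randomly named
# executable started from a user-profile path.
LOG_BEFORE = "\n".join([
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r",
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
])
LOG_AFTER = LOG_BEFORE + "\n" + r"O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli"

# "O4 - <hive>\..\Run: [<name>] <command>" with an optional "(User '...')" trailer.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

# First executable in a command line: either a quoted path or the shortest
# prefix ending in an executable extension (handles unquoted paths with spaces).
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|pif))(?=[\s,]|$))',
    re.IGNORECASE,
)

# Path fragments that mean "user-writable"; legitimate HKLM autostarts rarely live here.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class O4Entry:
    hive: str
    name: str
    cmd: str


@dataclass
class Finding:
    entry: O4Entry
    reasons: list[str] = field(default_factory=list)


def parse_o4(log_text: str) -> dict[tuple[str, str], O4Entry]:
    """Return the Run-key O4 entries of a HijackThis log keyed by (hive, value name)."""
    entries: dict[tuple[str, str], O4Entry] = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entry = O4Entry(m["hive"], m["name"], m["cmd"])
            entries[(entry.hive, entry.name)] = entry
    return entries


def exe_path(cmd: str) -> str:
    """Extract the executable an O4 command line launches."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m["quoted"] or m["bare"]
    parts = cmd.split()
    return parts[0] if parts else ""


def in_user_writable(path: str) -> bool:
    """True when the executable sits under a profile or temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage(before_log: str, after_log: str) -> list[Finding]:
    """Flag O4 entries in after_log that are new/changed versus before_log or suspiciously placed."""
    baseline = parse_o4(before_log)
    findings: list[Finding] = []
    for key, entry in parse_o4(after_log).items():
        reasons = []
        if key not in baseline:
            reasons.append("new since baseline")
        elif baseline[key].cmd != entry.cmd:
            reasons.append("command changed since baseline")
        if in_user_writable(exe_path(entry.cmd)):
            reasons.append("launches from a user-profile/temp path")
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(LOG_BEFORE, LOG_AFTER):
        print(f"{f.entry.hive} [{f.entry.name}] {f.entry.cmd}")
        for reason in f.reasons:
            print(f"    - {reason}")
```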

Unread postby TomD22 » August 26th, 2007, 9:37 am

Hey,


Vundofix Log:


VundoFix V6.5.7

Checking Java version...

Scan started at 12:24:20 26/08/2007

Listing files found while scanning....

C:\windows\system32\jklhoorb.exe

Beginning removal...

Attempting to delete C:\windows\system32\jklhoorb.exe
C:\windows\system32\jklhoorb.exe Has been deleted!

Performing Repairs to the registry.
Done!


New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:03:43, on 26/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7091 bytes




ghhkj.ini deleted

lfjusesj deleted

jklhoorb.exe wasn't there (I think the vundo thing just deleted it)


AVG scan log:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:31:56 26/08/2007

+ Scan result:



C:\Deckard\System Scanner\backup\Users\Tom\AppData\Local\Temp\cmdinst.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\VundoFix Backups\jklhoorb.exe.bad -> Downloader.Tiny.id : Cleaned with backup (quarantined).
:mozilla.414:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.651:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.652:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.255:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@com[1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.11:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.359:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.360:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ehg-hotgroup.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.264:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.334:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
:mozilla.107:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.41:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.42:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.43:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.137:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.110:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.111:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.50:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.52:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.53:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.54:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.55:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
:mozilla.56:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.451:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.433:C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\c5ucj75j.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Windows\VG9t\p36Q.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


Deckard System Scan log:

Deckard's System Scanner v20070819.64
Run by Tom on 2007-08-26 14:33:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:42, on 26/08/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tom\Desktop\dss.exe
C:\HJT\Tom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [fcrnli] c:\users\tom\appdata\local\microsoft\fcrnli.exe fcrnli
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BF74E30-1B78-4EDD-86AB-3659697836B8}: NameServer = 85.92.175.4,85.92.175.5
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7307 bytes

-- Files created between 2007-07-26 and 2007-08-26 -----------------------------

2007-08-26 13:25:35 0 d-------- C:\Users\All Users\Grisoft
2007-08-26 12:24:20 0 d-------- C:\VundoFix Backups
2007-08-24 12:41:13 0 d-------- C:\Users\All Users\Kaspersky Lab
2007-08-24 12:41:12 0 d-------- C:\Windows\system32\Kaspersky Lab
2007-08-21 22:45:40 0 d-------- C:\Kontiki
2007-08-21 22:44:36 41984 -----n--- C:\Windows\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-08-21 22:39:36 77824 -----n--- C:\Windows\system32\ctdvda32.dll <Not Verified; Creative Technology Ltd; Creative DVD-Audio Product>
2007-08-21 21:13:05 0 d-------- C:\Program Files\Creative
2007-08-21 21:12:48 0 d-------- C:\Windows\system32\Defaults
2007-08-21 21:09:56 0 d-------- C:\Program Files\OpenAL
2007-08-21 21:09:12 0 d-------- C:\Windows\system32\Data
2007-08-21 21:09:12 3072 --a------ C:\Windows\CTXFIRES.DLL <Not Verified; ; CTxfiRes Dynamic Link Library>
2007-08-21 21:09:12 10240 --a------ C:\Windows\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-08-21 21:09:10 66560 -----n--- C:\Windows\system32\CmdRtr.dll
2007-08-21 21:09:10 103936 -----n--- C:\Windows\system32\APOMngr.dll
2007-08-21 18:23:50 0 d-------- C:\HJT
2007-08-21 13:10:16 0 d-------- C:\Program Files\ATITool
2007-08-21 01:10:30 0 d-------- C:\Users\All Users\Media Center Programs
2007-08-21 01:06:16 0 d-------- C:\Program Files\2K Games
2007-08-20 17:09:57 0 d-------- C:\Windows\Sun
2007-08-20 16:34:20 0 d-------- C:\Program Files\Steam
2007-08-20 12:20:20 0 d-------- C:\Users\All Users\Lavasoft
2007-08-20 12:15:45 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-08-19 15:38:03 0 d-------- C:\Users\All Users\Kontiki
2007-08-19 15:38:03 0 d-------- C:\Program Files\Kontiki
2007-08-18 13:04:39 0 d-------- C:\Program Files\HD Tune
2007-08-18 00:01:13 0 d--hs---- C:\Windows\VG9t
2007-08-17 22:35:03 0 d-------- C:\Program Files\Bonjour
2007-08-17 22:23:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-17 20:19:51 0 d-------- C:\Users\All Users\FLEXnet
2007-08-17 15:46:42 0 d-------- C:\Users\Tom\{b359c3d6-fc87-40a9-bfc4-84dd70141a06}
2007-08-17 14:10:43 0 d-------- C:\Program Files\DivX
2007-08-17 14:10:07 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-08-17 14:09:37 765952 --a------ C:\Windows\system32\xvidcore.dll
2007-08-17 14:09:36 180224 --a------ C:\Windows\system32\xvidvfw.dll
2007-08-17 14:09:36 0 d-------- C:\Program Files\Xvid
2007-08-17 12:29:15 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 11:46:49 0 d-------- C:\Program Files\Ventrilo
2007-08-17 10:42:50 0 d-------- C:\QUARANTINE
2007-08-17 10:35:23 0 d-------- C:\Users\All Users\Adobe
2007-08-17 10:24:27 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-17 09:47:45 0 d-------- C:\Program Files\Guild Wars
2007-08-17 07:43:32 0 d-------- C:\Windows\Panther
2007-08-17 07:43:23 0 d--hs---- C:\Boot
2007-08-16 22:47:05 0 d-------- C:\Windows\SoftwareDistribution
2007-08-16 22:45:59 0 d-------- C:\Windows\Debug
2007-08-16 22:44:51 0 d-------- C:\Windows\Prefetch
2007-08-16 22:44:41 0 d--hs---- C:\System Volume Information
2007-08-16 21:17:47 0 d-------- C:\Program Files\THQ
2007-08-16 20:27:12 0 d-------- C:\Program Files\RivaTuner v2.02
2007-08-16 19:34:18 0 d-------- C:\Program Files\Yahoo!
2007-08-16 19:33:11 1495552 --a------ C:\Windows\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-08-16 19:33:10 0 d-------- C:\Program Files\Common Files\Cisco Systems
2007-08-16 19:33:08 0 d-------- C:\Users\All Users\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\McAfee
2007-08-16 19:32:38 0 d-------- C:\Program Files\Common Files\McAfee
2007-08-16 18:27:56 0 d-------- C:\Program Files\Stardock
2007-08-16 18:27:56 0 d-------- C:\Program Files\Common Files\Stardock
2007-08-16 18:27:37 409600 --a------ C:\Windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-08-16 18:27:37 114688 --a------ C:\Windows\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-08-16 18:25:46 0 d-------- C:\Windows\system32\Futuremark
2007-08-16 18:25:46 3972 --a------ C:\Windows\system32\drivers\PciBus.sys
2007-08-16 18:25:46 5632 --a------ C:\Windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2007-08-16 18:25:46 21664 --a------ C:\Windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-08-16 18:24:31 0 d-------- C:\Program Files\Futuremark
2007-08-16 18:12:58 0 d-------- C:\Program Files\Azureus
2007-08-16 18:06:40 0 d-------- C:\Windows\system32\Macromed
2007-08-16 18:06:07 0 d-------- C:\Users\All Users\NVIDIA
2007-08-16 17:52:15 0 d-------- C:\Program Files\VideoLAN
2007-08-16 17:51:35 0 d-------- C:\Program Files\iPod
2007-08-16 17:51:33 0 d-------- C:\Program Files\iTunes
2007-08-16 17:50:50 0 d-------- C:\Program Files\QuickTime
2007-08-16 17:50:49 0 d-------- C:\Users\All Users\Apple Computer
2007-08-16 17:50:31 0 d-------- C:\Program Files\Apple Software Update
2007-08-16 17:49:14 0 d-------- C:\Program Files\Common Files\Apple
2007-08-16 17:49:12 0 d-------- C:\Users\All Users\Apple
2007-08-16 17:47:49 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-08-16 17:47:32 0 d-------- C:\Program Files\Java
2007-08-16 17:47:31 0 d-------- C:\Program Files\Common Files\Java
2007-08-16 17:42:42 0 d-------- C:\Program Files\Google
2007-08-16 17:39:48 0 d-------- C:\Program Files\Prime95
2007-08-16 17:30:56 0 d-------- C:\NVIDIA
2007-08-16 17:25:38 0 d-------- C:\Program Files\Wallpaper Changer
2007-08-16 17:04:23 0 --a------ C:\Windows\nsreg.dat
2007-08-16 16:39:06 0 d-------- C:\Program Files\D-Link
2007-08-16 16:18:12 0 d-------- C:\Program Files\U-ABIT
2007-08-16 16:17:41 0 d-------- C:\Program Files\Marvell
2007-08-16 16:17:23 0 d--hs---- C:\Windows\Installer
2007-08-16 16:16:58 0 d-------- C:\Windows\system32\RTCOM
2007-08-16 16:16:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-16 16:16:25 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-16 16:16:21 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-16 16:14:40 0 d-------- C:\Program Files\Intel
2007-08-16 16:14:31 0 d-------- C:\Intel
2007-08-16 15:53:29 0 dr------- C:\Users\Tom\Searches
2007-08-16 15:53:19 0 dr------- C:\Users\Tom\Contacts
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Videos
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Templates
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Start Menu
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\SendTo
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Saved Games
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Recent
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\PrintHood
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Pictures
2007-08-16 15:53:14 2883584 --ahs---- C:\Users\Tom\ntuser.dat
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\NetHood
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\My Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Music
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Local Settings
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Links
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Favorites
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Downloads
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Documents
2007-08-16 15:53:14 0 dr------- C:\Users\Tom\Desktop
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Cookies
2007-08-16 15:53:14 0 d--hs---- C:\Users\Tom\Application Data
2007-08-16 15:53:14 0 d--h----- C:\Users\Tom\AppData
2007-07-26 03:53:34 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2007-07-26 03:50:34 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 03:50:34 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 03:50:22 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:50:22 740442 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 03:49:28 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2007-08-24 15:05:52 0 d-------- C:\Users\Tom\AppData\Roaming\OpenOffice.org2
2007-08-23 19:44:59 0 d-------- C:\Users\Tom\AppData\Roaming\Ventrilo
2007-08-21 22:33:37 0 d-------- C:\Users\Tom\AppData\Roaming\Bioshock
2007-08-20 15:57:52 0 d-------- C:\Users\Tom\AppData\Roaming\Adobe
2007-08-19 11:06:53 0 d-------- C:\Users\Tom\AppData\Roaming\Azureus
2007-08-17 22:23:31 0 d-------- C:\Program Files\Common Files
2007-08-17 15:02:14 0 d-------- C:\Users\Tom\AppData\Roaming\DivX
2007-08-17 14:11:24 0 d-------- C:\Users\Tom\AppData\Roaming\WinRAR
2007-08-17 14:03:57 0 d-------- C:\Users\Tom\AppData\Roaming\vlc
2007-08-16 18:20:51 0 d-------- C:\Users\Tom\AppData\Roaming\Apple Computer
2007-08-16 18:08:02 0 d-------- C:\Users\Tom\AppData\Roaming\Macromedia
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Mail
2007-08-16 18:02:21 0 d-------- C:\Program Files\Windows Defender
2007-08-16 17:04:29 0 d-------- C:\Users\Tom\AppData\Roaming\Talkback
2007-08-16 17:04:21 0 d-------- C:\Users\Tom\AppData\Roaming\Mozilla
2007-08-16 16:18:01 0 d-------- C:\Users\Tom\AppData\Roaming\InstallShield
2007-08-16 15:53:21 0 d-------- C:\Users\Tom\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="" []
"RtHDVCpl"="RtHDVCpl.exe" [09/08/2007 19:26 C:\Windows\RtHDVCpl.exe]
"Wallpaper"="" []
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [22/02/2007 20:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [19/12/2006 11:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [17/08/2007 16:23]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [17/08/2007 16:23]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [17/08/2007 16:23]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [01/07/2007 20:20]
"CTHelper"="CTHELPER.EXE" [12/02/2007 19:47 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [12/02/2007 19:47 C:\Windows\System32\CTXFIHLP.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [18/06/2003 01:00]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [15/02/2005 16:10]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [16/06/2005 18:25]
"UpdReg"="C:\Windows\UpdReg.EXE" [11/05/2000 01:00]
"fcrnli"="c:\users\tom\appdata\local\microsoft\fcrnli.exe" [18/08/2007 00:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [02/11/2006 13:35]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02/11/2006 13:35]
"Steam"="" []

C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [16/08/2007 18:27:56]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [20/07/2007 18:57:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=0 (0x0)
"NoClose"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-08-26 14:34:13 ------------
TomD22
Regular Member
 
Posts: 19
Joined: August 20th, 2007, 8:57 am