Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

strange things happening.......

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

strange things happening.......

Unread postby MasterBlaster » September 13th, 2007, 6:27 pm

Must be a full moon.....
My month old Vista laptop is having some strange things happening.
a. winamp.exe disappeared from it's folder.
b. winmail.exe disappeared from it's folder.
c. IE browser crashes Vista most times.

Here's my hijackthis log.
Your inspection and recommendations are highly appreciated.
Many thanks for your splendid services and assistance.
MB

Logfile of HijackThis v1.99.1
Scan saved at 5:23:15 PM, on 9/13/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BySoft FreeRAM\FreeRAM.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Depot\Utilitys\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Program Files\BySoft FreeRAM\FreeRAM.exe
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PFRVHY - Sysinternals - http://www.sysinternals.com - C:\Users\JAMESL~1\AppData\Local\Temp\PFRVHY.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm
Advertisement
Register to Remove

Unread postby silver » September 18th, 2007, 11:00 pm

Hi MasterBlaster,

Your log looks clean so I can't yet say whether the problems you are experiencing are caused by malware, if they are we will get to the bottom of it, if not then I'll advise you on getting further help.

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Right-click cureit.exe and choose Run as administrator to start the program. Allow the UAC prompt.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and UN-CHECK Heuristic analysis
  • Choose the Actions tab and next to Infected objects select Move, then press OK to close the settings box.
  • Note: please ensure you have made the settings changes BEFORE scanning
  • Select all hard drives to be scanned by clicking on them - choose all drives - a red dot confirms they will be scanned
  • Click the green arrow on the right to start the scan
  • Click Yes to all if it asks if you want to move a file
  • Click File-> Save report list and save the report to your desktop
  • Close Dr.Web Cureit and reboot your computer (this is important as files may be moved/deleted during reboot)

Then download and install the latest version of HijackThis - you can download it from here:
http://downloads.malwareremoval.com/HJTInstall.exe

Once you have downloaded the new version, remove the old version via Control Panel->Programs and Features and then use Windows Explorer to delete the old program file:
C:\Depot\Utilitys\HijackThis\HijackThis.exe

Then run the new version's installer HJTInstall.exe and follow the prompts.
After installing, HijackThis will open automatically but close the program for now.
Use Windows Explorer to navigate to C:\Program Files\Trend Micro\HijackThis, right-click HijackThis.exe, choose the Compatibility tab, check the box next to Run this program as an administrator and press OK
Whenever you run HijackThis now you should get a UAC prompt which you have to Allow before the program starts

Next download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Make sure Format->Word Wrap is unchecked
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply


Once complete, please post the Dr Web report and both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby MasterBlaster » September 19th, 2007, 7:56 pm

MRU Master,
Thank you for your asssitance.


Dr. WEB output file:
MAXCACHE.REG;C:\Depot\Tech\Tips Tricks\MDGx Trix;VBS.Loding;Moved.;
Soundz.txt;C:\Depot\Tech\Win95;IRC.Generic.13;Moved.;
MAXCACHE.REG;C:\Documents and Settings\james l jackson\DoctorWeb\Quarantine;VBS.Loding;Moved.;
Soundz.txt;C:\Documents and Settings\james l jackson\DoctorWeb\Quarantine;IRC.Generic.13;Moved.;
defrag.js;C:\Program Files\Hewlett-Packard\HP Health Check\ActiveCheck\objects;Modification of VBS.Generic.217;;

(I did not delete the "defrag.js" because it is a HP original file which came with the PC, only 2 months old. Let me know if I need to delete it also.)

This is the defrag.js in text format:
/*
############ ## ############# # # ##### # # # ##### ##### #####
########## ## ########## # # # # # # # # # #
######## ## ######## ##### #### # # # # # #### # #
####### ###### ##### ####### # # ##### # # ##### ##### # #
####### ## ## ## ## #######
####### ## ## ###### ####### #### # ##### # # # #### ####
######## ## ######## # # # # # # ## # # # # # #
########## ## ########## #### ##### # ### # ##### #### # #
########### ## ############## # # # ##### # # # # # # ####

********** COPYRIGHT (C) 2004 HEWLETT-PACKARD BRASIL *********/

//****@@@1B.CPP****************************************************************
//
// MODULE : <defrag.js> PROJECT : <ActiveCheck>
//
// PURPOSE : <Run defrag>
//
//
//****@@@1E.CPP****************************************************************

//****@@@2B.CPP****************************************************************
//
// Version/Revision log :
// ====================
//
// VERSION DATE RESP DESCRIPTION
// 1.00.00 13/10/2004 Rafael Magrin Created
// 1.00.01 27/10/2004 Rafael Magrin Bug fixed: Crash when running
// without administrator privileges
// 1.00.02 12/08/2005 Rafael Magrin Bug fixed: Temporary file is not
// being defrag execution fails.
// 1.00.03 05/06/2006 Patrick Calvetti Added rotine to check the analysis defragmentation to Windows Vista
// 1.00.04 11/08/2006 Edison Dias Set working directory to write xml file.
//
//****@@@2E.CPP****************************************************************


// Constants
FIXED_DRIVE_FSO = 2;
WXP_STR = "Microsoft Windows XP";
WVISTA_STR = "Windows (TM) Vista Ultimate";
MAX_FRAGMENTATION_ALLOWED = 10;

var szWorkingDir = WScript.ScriptFullName;
szWorkingDir = szWorkingDir.replace(WScript.ScriptName,"");

// Variables
var szClassName, szGUID, szXMLFileName, infs=[], i=0;

// Functions
function AddZero(str)
{
if (str.length == 1)
str = "0"+str;
return str;
}

function GetModTime()
{
var d, s;
d = new Date();
s = d.getFullYear().toString();
s += AddZero((d.getMonth() + 1).toString());
s += AddZero(d.getDate().toString());
s += AddZero(d.getHours().toString());
s += AddZero(d.getMinutes().toString());
s += AddZero(d.getSeconds().toString());
return s;
}

function CreateHeader()
{
var szHeader;

szHeader = "<SIMPLEREQ>";
szHeader = szHeader + "<IMETHODCALL NAME=\"CreateInstance\">";
szHeader = szHeader + "<LOCALNAMESPACEPATH>";
szHeader = szHeader + "<NAMESPACE NAME=\"root\" />";
szHeader = szHeader + "<NAMESPACE NAME=\"cimv2\" />";
szHeader = szHeader + "</LOCALNAMESPACEPATH>";
szHeader = szHeader + "<IPARAMVALUE NAME=\"NewInstance\">";
szHeader = szHeader + "<INSTANCE CLASSNAME=\"" + szClassName + "\">";
szHeader = szHeader + "<QUALIFIER NAME=\"ModTime\" TYPE=\"datetime\">";
szHeader = szHeader + "<VALUE>" + GetModTime() + "</VALUE>";
szHeader = szHeader + "</QUALIFIER>";

return szHeader;
}

function CreateFooter()
{
var szFooter;

szFooter = "</INSTANCE>";
szFooter = szFooter + "</IPARAMVALUE>";
szFooter = szFooter + "</IMETHODCALL>";
szFooter = szFooter + "</SIMPLEREQ>";

return szFooter;
}

function CreateProperty(szPropName, szPropType, szPropValue)
{
var szProp;
szProp = "<PROPERTY NAME=\"" + szPropName + "\" TYPE=\"" + szPropType + "\">";
szProp = szProp + "<VALUE>" + szPropValue + "</VALUE>";
szProp = szProp + "</PROPERTY>";

return szProp;
}

function CreateXMLFile()
{
if (infs.length > 0)
{
var fso2 = new ActiveXObject("Scripting.FileSystemObject");
var tf = fso2.CreateTextFile(szWorkingDir + szXMLFileName, true);

for (i=0; i < infs.length; i+=3)
{
tf.WriteLine(CreateHeader());
tf.WriteLine(CreateProperty("Index", "uint32",eval(i/3)));
tf.WriteLine(CreateProperty("GUID", "string", szGUID));
tf.WriteLine(CreateProperty("Type", "string", "EXE"));
tf.WriteLine(CreateProperty("Partition", "string", infs[i]));
tf.WriteLine(CreateProperty("Fragmented", "string", infs[i+1]));
tf.WriteLine(CreateProperty("Percentage", "string", infs[i+2]));
tf.WriteLine(CreateFooter());
}
tf.Close();
}
}

function GetMandatoryArgs()
{
objArgs = WScript.Arguments;

if (objArgs.length >= 3)
{
szClassName = objArgs(objArgs.length-3);
szGUID = objArgs(objArgs.length-2);
szXMLFileName = objArgs(objArgs.length-1);
return true;
}

return false;
}

// Main
if (GetMandatoryArgs())
{
var WshShell = WScript.CreateObject ("WScript.Shell");

// Verify in the registry if windows version is XP
var regKey = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName";
var winStr = "";

// If windows version is lower then 5.0 (Windows 2000) it won´t find the registry key
try
{
winStr = WshShell.RegRead(regKey);
}
catch(NULL) { winStr=""; }

//To Window XP
if (winStr==WXP_STR)
{
// Get temp dir location
var userEnv = WshShell.Environment("USER");
var tempDir = userEnv("TEMP");
var stdOut = tempDir + "\\dfrg.txt"
var expStdOut = WshShell.ExpandEnvironmentStrings(stdOut);

// Create drives list
var fso = new ActiveXObject("Scripting.FileSystemObject");
var drives = new Enumerator(fso.Drives);
var drive;

// Run defrag for all fixed drives
for (; !drives.atEnd(); drives.moveNext())
{
drive = drives.item();
if (drive.DriveType==FIXED_DRIVE_FSO) // Test if drive is fixed
{

// Execute defrag analyze mode
var strCommand = "%systemroot%\\system32\\cmd /C %systemroot%\\system32\\defrag.exe " + drive + " -a > \"" + stdOut +"\"";
var errorCode = WshShell.Run(strCommand,0,true);

// Check if there weren't errors during defrag execution
if (errorCode==0)
{
// Open stdOut file
var stdOutFile = fso.OpenTextFile(expStdOut,1,false);
var stdOutData = stdOutFile.ReadALL();
stdOutFile.close();

// Look for fragmentation status
var pos1 = stdOutData.search("\%");

if (stdOutData.length > pos1)
{
pos1 += 1;
var pos2 = stdOutData.indexOf("\%",pos1);
}
else
{
var pos2 = -1;
}


var percentStr = "";

if (stdOutData.charAt(pos2-1).search(/[0-9]/)!=-1)
{
if (stdOutData.charAt(pos2-2).search(/[0-9]/)!=-1)
{
percentStr = stdOutData.charAt(pos2-2);
}
percentStr += stdOutData.charAt(pos2-1);
}
else
{
Return; // Didn´t found number before %
}

// Test if drive fragmentation is higher then 10%
if (percentStr>=MAX_FRAGMENTATION_ALLOWED)
{
//WScript.Echo(drive + " need to be defragmented!!"); // For debug

infs[i]=drive;
infs[i+1]="true";
infs[i+2]=percentStr;
i+=3;
}
else
{
//WScript.Echo(drive + " don´t need to be defragmented!!"); // For debug
}
}

try
{
// Delete stdOut file
fso.DeleteFile(expStdOut);
}
catch (e) { /* File doesn't exist */ }
}
}
}

//To Windows Vista
if (winStr==WVISTA_STR)
{
// Get temp dir location
var userEnv = WshShell.Environment("USER");
var tempDir = userEnv("TEMP");
var stdOut = tempDir + "\\dfrg.txt"
var expStdOut = WshShell.ExpandEnvironmentStrings(stdOut);

// Create drives list
var fso = new ActiveXObject("Scripting.FileSystemObject");
var drives = new Enumerator(fso.Drives);
var drive;

// Run defrag for all fixed drives
for (; !drives.atEnd(); drives.moveNext())
{
drive = drives.item();
if (drive.DriveType==FIXED_DRIVE_FSO) // Test if drive is fixed
{
// Execute defrag analyze mode
var strCommand = "%systemroot%\\system32\\cmd /C %systemroot%\\system32\\defrag.exe " + drive + " -a > \"" + stdOut +"\"";
var errorCode = WshShell.Run(strCommand,0,true);

// Check if there weren't errors during defrag execution
if (errorCode==0)
{
// Open stdOut file
var stdOutFile = fso.OpenTextFile(expStdOut,1,false);
var stdOutData = stdOutFile.ReadALL();
stdOutFile.close();

// Looking for Total Fragmentation status
var pos1 = stdOutData.search("\%");
var percentStr = "";

//Exists a blank space between the number and the percent
//Two before positions
if (stdOutData.charAt(pos1-2).search(/[0-9]/)!=-1)
{
//Three before positions
if (stdOutData.charAt(pos1-3).search(/[0-9]/)!=-1)
{
percentStr = stdOutData.charAt(pos1-3);
}
percentStr += stdOutData.charAt(pos1-2);
}
else
{
Return; // Didn´t found number before %
}

// Test if drive fragmentation is higher then 10%
if (percentStr>=MAX_FRAGMENTATION_ALLOWED)
{
//WScript.Echo(drive + " need to be defragmented!!"); // For debug

infs[i]=drive;
infs[i+1]="true";
infs[i+2]=percentStr;
i+=3;
}
else
{
//WScript.Echo(drive + " don´t need to be defragmented!!"); // For debug
}
}

try
{
// Delete stdOut file
fso.DeleteFile(expStdOut);
}
catch (e) { /* File doesn't exist */ }
}
}
}
//else
//{
// WScript.Echo("This computer doesn´t have Windows XP"); // For debug
//}
CreateXMLFile();
}
---

Deckard's System Scanner v20070905.67
Run by james l jackson on 2007-09-19 18:44:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 958 MiB (1024 MiB recommended).


-- HijackThis (run as james l jackson.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:17 PM, on 9/19/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BySoft FreeRAM\FreeRAM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Windows\System32\mobsync.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\Maxtor\MANAGE~1\OneTouch.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\james l jackson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JAMESL~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Program Files\BySoft FreeRAM\FreeRAM.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PFRVHY - Unknown owner - C:\Users\JAMESL~1\AppData\Local\Temp\PFRVHY.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8483 bytes

-- Files created between 2007-08-19 and 2007-09-19 -----------------------------

2007-09-19 08:26:15 0 d-------- C:\Users\james l jackson\DoctorWeb
2007-09-19 08:11:59 0 d-------- C:\Program Files\Trend Micro
2007-09-17 16:37:04 0 d-------- C:\Users\All Users\eSellerate
2007-09-17 15:39:01 0 d-------- C:\Program Files\MSECache
2007-09-17 06:56:00 0 d-------- C:\Users\All Users\MailFrontier
2007-09-16 20:59:47 512 --a------ C:\ScanSectorLog.dat
2007-09-16 18:53:03 4791840 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2007-09-16 18:47:46 11264 --a------ C:\Windows\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-09-16 18:46:58 0 d-------- C:\Windows\system32\ZoneLabs
2007-09-16 18:46:58 0 d-------- C:\Users\All Users\CheckPoint
2007-09-16 18:31:16 0 d-------- C:\Windows\Internet Logs
2007-09-15 05:32:16 0 d-------- C:\Program Files\TrojanHunter 5.0
2007-09-13 14:55:57 44716735 --a------ C:\Windows\system32\BMSDCWI
2007-09-13 14:40:55 0 d-------- C:\Program Files\Avira GmbH
2007-09-13 14:30:54 0 d-------- C:\Program Files\RootKit Hook Analyzer
2007-09-13 11:56:15 0 d-------- C:\Users\james l jackson\Pavark
2007-09-13 11:54:47 0 d-------- C:\Program Files\Sophos
2007-09-13 05:38:08 0 d-------- C:\Program Files\Alleycode
2007-09-12 17:03:32 0 d-------- C:\Program Files\KompoZer 0.7.10
2007-09-12 08:17:05 0 d-------- C:\d30fc999c5605d1cd7e21655
2007-09-09 11:38:46 0 d--hs---- C:\Windows\ftpcache
2007-09-08 16:59:22 0 d-------- C:\Windows\TweakVI
2007-09-07 13:29:49 0 d-------- C:\Users\james l jackson\.idlerc
2007-09-06 19:26:26 0 d-------- C:\Program Files\Paint.NET
2007-09-06 16:25:03 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-31 07:28:22 0 d-------- C:\Program Files\BySoft Network Monitor
2007-08-29 07:15:36 0 d-------- C:\Program Files\BySoft FreeRAM


-- Find3M Report ---------------------------------------------------------------

2007-09-19 18:22:16 13495 --a------ C:\Users\james l jackson\AppData\Roaming\nvModes.dat
2007-09-19 18:22:16 13495 --a------ C:\Users\james l jackson\AppData\Roaming\nvModes.001
2007-09-19 18:09:53 12 --a------ C:\Windows\bthservsdp.dat
2007-09-18 12:19:29 0 d-------- C:\Users\james l jackson\AppData\Roaming\OpenOffice.org2
2007-09-17 18:59:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-17 16:37:08 10552 --a------ C:\Users\james l jackson\AppData\Roaming\docXConverter.ini
2007-09-17 16:37:08 134 --ah----- C:\Users\james l jackson\AppData\Roaming\brara1985.sys
2007-09-16 19:15:58 0 d-------- C:\Users\james l jackson\AppData\Roaming\MailFrontier
2007-09-16 18:37:45 0 d-------- C:\Program Files\Common Files
2007-09-15 07:05:45 0 d-------- C:\Users\james l jackson\AppData\Roaming\TrojanHunter
2007-09-14 11:48:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-13 15:24:53 0 d-------- C:\Program Files\Winamp
2007-09-13 14:40:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 10:31:57 0 d-------- C:\Program Files\Windows Mail
2007-09-12 17:13:49 0 d-------- C:\Users\james l jackson\AppData\Roaming\KompoZer
2007-09-10 06:17:07 0 d-------- C:\Users\james l jackson\AppData\Roaming\Blumentals
2007-09-09 14:45:15 174 --ahs---- C:\Program Files\desktop.ini
2007-09-09 14:41:29 0 d-------- C:\Program Files\Windows Calendar
2007-09-09 14:41:25 0 d-------- C:\Program Files\Windows Defender
2007-09-08 16:13:17 0 d-------- C:\Program Files\FireTune
2007-09-08 16:13:04 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-09-07 09:34:05 0 d-------- C:\Program Files\Apple Software Update
2007-09-07 09:33:27 0 d-------- C:\Program Files\Audacity
2007-09-06 21:17:21 0 d-------- C:\Users\james l jackson\AppData\Roaming\gtk-2.0
2007-09-06 21:10:25 0 d-------- C:\Users\james l jackson\AppData\Roaming\Inkscape
2007-09-06 16:07:11 0 d-------- C:\Users\james l jackson\AppData\Roaming\Talkback
2007-09-06 16:06:45 0 d-------- C:\Users\james l jackson\AppData\Roaming\Mozilla
2007-09-06 16:06:43 0 d-------- C:\Users\james l jackson\AppData\Roaming\Thunderbird
2007-08-29 09:03:30 0 d-------- C:\Users\james l jackson\AppData\Roaming\Vso
2007-08-24 20:05:37 0 d-------- C:\Users\james l jackson\AppData\Roaming\Real
2007-08-16 19:43:51 0 d-------- C:\Users\james l jackson\AppData\Roaming\dvdcss
2007-08-15 18:16:09 0 d-------- C:\Program Files\VSO
2007-08-13 13:38:14 4 --a------ C:\Windows\system32\659FF0
2007-08-12 16:27:07 20898 --a------ C:\Windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2007-08-12 16:27:07 164352 --a------ C:\Windows\system32\SpoonUninstall.exe
2007-08-11 16:52:23 0 d-------- C:\Program Files\Lavasoft
2007-08-11 16:51:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 18:24:48 0 d-------- C:\Program Files\Hewlett-Packard
2007-08-09 12:31:08 0 d-------- C:\Program Files\Maxtor
2007-08-09 12:29:40 0 d-------- C:\Users\james l jackson\AppData\Roaming\InstallShield
2007-08-09 12:28:54 0 d-------- C:\Program Files\Common Files\Crystal Decisions
2007-08-09 12:28:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-09 12:02:06 0 d-------- C:\Users\james l jackson\AppData\Roaming\Roxio
2007-08-03 18:17:25 0 d-------- C:\Users\james l jackson\AppData\Roaming\Hewlett-Packard
2007-08-01 05:56:55 0 d-------- C:\Program Files\Online Services
2007-07-29 17:25:10 0 d-------- C:\Program Files\Illustrate
2007-07-29 16:07:49 0 d-------- C:\Program Files\Safer Networking
2007-07-29 06:16:00 0 d-------- C:\Program Files\Wimpy FLV Player
2007-07-28 14:25:41 29239 --a------ C:\Users\james l jackson\AppData\Roaming\UserTile.png
2007-07-28 08:00:53 0 d-------- C:\Program Files\Mach5 Software
2007-07-27 13:06:02 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-27 10:30:47 0 d-------- C:\Users\james l jackson\AppData\Roaming\Adobe
2007-07-27 07:05:26 0 d-------- C:\Users\james l jackson\AppData\Roaming\Winamp
2007-07-27 06:44:11 0 d-------- C:\Users\james l jackson\AppData\Roaming\CyberLink
2007-07-26 19:59:44 0 d-------- C:\Program Files\Common Files\xing shared
2007-07-26 19:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-07-26 19:59:13 0 d-------- C:\Program Files\Real
2007-07-26 17:39:55 0 d-------- C:\Users\james l jackson\AppData\Roaming\vlc
2007-07-26 17:39:04 0 d-------- C:\Program Files\VideoLAN
2007-07-26 07:10:05 0 d-------- C:\Users\james l jackson\AppData\Roaming\HP
2007-07-26 06:32:23 0 d-------- C:\Program Files\QuickTime
2007-07-26 05:49:31 0 d-------- C:\Program Files\Google
2007-07-25 21:19:26 0 d-------- C:\Users\james l jackson\AppData\Roaming\Google
2007-07-25 18:16:03 0 d-------- C:\Program Files\PhotoImpact Viewer 4.0
2007-07-25 18:15:42 0 -rahs---- C:\MSDOS.SYS
2007-07-25 18:15:42 0 -rahs---- C:\IO.SYS
2007-07-25 17:01:01 0 d-------- C:\Program Files\Belarc
2007-07-25 17:00:27 0 d-------- C:\Users\james l jackson\AppData\Roaming\SUPERAntiSpyware.com
2007-07-25 16:43:37 0 d-------- C:\Program Files\Microsoft Works
2007-07-25 09:41:19 0 d-------- C:\Program Files\Rhapsody
2007-07-25 08:25:32 0 d-------- C:\Program Files\Calc98
2007-07-24 21:58:06 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-24 21:46:35 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-07-24 21:43:22 0 d-------- C:\Program Files\7-Zip
2007-07-24 21:43:10 0 d-------- C:\Program Files\FileZilla
2007-07-24 21:42:40 0 d-------- C:\Program Files\CCleaner
2007-07-24 20:07:38 0 --a------ C:\Windows\nsreg.dat
2007-07-24 19:11:09 0 d-------- C:\Program Files\MSXML 4.0
2007-07-24 14:35:18 0 d-------- C:\Program Files\Java
2007-07-24 11:14:55 0 d-------- C:\Users\james l jackson\AppData\Roaming\Identities
2007-07-24 11:10:23 0 d-------- C:\Users\james l jackson\AppData\Roaming\Macromedia
2007-07-24 11:05:56 81 --a------ C:\Windows\system32\LOG


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [09/09/2007 02:38 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [02/28/2007 01:26 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [02/28/2007 01:26 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [02/28/2007 01:26 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/08/2007 01:14 AM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 01:11 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [03/28/2007 07:45 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 01:38 PM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [06/05/2007 09:12 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 03:18 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 06:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/26/2007 07:59 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [03/25/2007 04:44 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 05:22 PM]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [09/09/2007 09:31 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/04/2007 05:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07/25/2007 09:19 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:35 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [09/11/2006 04:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 07:36 AM]
"BySoft FreeRAM"="C:\Program Files\BySoft FreeRAM\FreeRAM.exe" [12/17/2004 03:44 PM]

C:\Users\james l jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Kremlin Sentry.LNK - C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe [7/28/2007 8:00:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-09-19 18:45:01 ------------

There was no "extra.txt" produced by Deckard. I ran it twice, no extra.txt
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby silver » September 19th, 2007, 9:17 pm

Hi MasterBlaster,

Firstly, it appears that your antivirus program has been uninstalled. Without antivirus software your computer is very vulnerable and can easily be infected at any time so it it is essential you have one active at all times.

If you do not like the Symantec package for any reason, there are plenty of other choices including several free packages, two of the most popular are here:
Antivir: http://www.free-av.com/
AVG Antivirus: http://free.grisoft.com/doc/1

If you have no antivirus program installed then please install one immediately, update the definitions and set the program to automatically update itself.


All the files Dr Web picked up appear to be false positives, to move those files back to their original locations please first find the relocated files in this folder:
C:\Users\james l jackson\DoctorWeb\Quarantine

Then move them back to their original locations:
C:\Depot\Tech\Tips Tricks\MDGx Trix\MAXCACHE.REG
C:\Depot\Tech\Win95\Soundz.txt



Next, open HijackThis and choose Open the Misc Tools section
Click the Delete an NT service button
Type/copy this into the box:
PFRVHY
Press OK and Yes to any prompts, allow your computer to be rebooted.


The DSS extra.txt log will probably have been created the first time DSS was executed.

You should find the original extra.txt located in this folder or a subfolder under it named with the date and time of the scan:
C:\Deckard\System Scanner

If required, you can produce another one as follows:
  • Make sure DSS.exe is on your Desktop
  • Press the Start orb and copy/paste the following command into the search box and press enter:
    "%userprofile%\desktop\dss.exe" /config
  • A configuration box will appear, click the Check All button then then press Scan!
  • The extra report will be minimized so please look for it's window on the taskbar


Once complete, please post a new HijackThis log and the DSS extra.txt report.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby MasterBlaster » September 19th, 2007, 10:08 pm

I forgot to mention, the Norton Internet Security expired 2 days ago, and I uninstalled it, then installed ZoneAlarm Internet Security Suite v7.1 (retail).

I removed the "PFRVHY" per HijackThis.
But, when I clicked OK, it did not ask to reboot, so I rebooted manually.

The DSS extra.txt was not under C:\Deckard\System Scanner, I checked earlier.
I tried to create one per your suggestion, it did not work as search did not find it. I even did the advanced search under C:\, nothing.

Here's a new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:29 PM, on 9/19/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BySoft FreeRAM\FreeRAM.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\Maxtor\MANAGE~1\OneTouch.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Program Files\BySoft FreeRAM\FreeRAM.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PFRVHY - Unknown owner - C:\Users\JAMESL~1\AppData\Local\Temp\PFRVHY.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8427 bytes



Many thanks for your efforts.
MB
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby MasterBlaster » September 19th, 2007, 10:23 pm

I fixed my original post by doing this:
1. Copy WinMail.exe (388KB) from C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227
To: C:\Program Files\Windows Mail\ folder.
2. On the Desktop Taskbar, redirect the "WinMail" quicklink to "C:\Program Files\Windows Mail\WinMail.exe".

I also reinstalled WimAmp.
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby silver » September 19th, 2007, 11:53 pm

Hi MasterBlaster,

I noticed you installed Zone Alarm but I could not see the antivirus module running - please double-check that it is active.

I'm glad you fixed the mail and WinAmp problem, however I can't see any malware-related explanation from what I've seen so far, in fact your machine appears to be clean. Just a couple of things left to do:

Sorry the instructions for the DSS report didn't work, I don't know why that might be. Please try this:

Check that dss.exe is on your Desktop - this won't work unless it is there.
Open a new Notepad document (press Start, type notepad in the search box and enter) and copy/paste the following into it:
sc stop PFRVHY
sc delete PFRVHY
"%userprofile%\desktop\dss.exe" /config

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "runme.bat" (you MUST include the quotes)
Then right-click runme.bat and choose Run as administrator
Hopefully, the DSS configuration page should open, click the Check All button then then press Scan!
The extra report will be minimized so please look for it's window on the taskbar.

Once complete, please post both DSS reports.
If DSS doesn't work then please post a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby MasterBlaster » September 20th, 2007, 8:37 am

silver,
ZoneAlarm antivirus is fully functional, the entire suite is working per the control panel.

I created "runme.bat" per your instructions, it worked this time.
Below are the 2 Deckard output files.
Thanks,
MB.

What is the "PFRVHY" file we deleted earlier?

Main.txt:
Deckard's System Scanner v20070905.67
Run by james l jackson on 2007-09-20 07:22:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.

Total Physical Memory: 958 MiB (1024 MiB recommended).


-- HijackThis (run as james l jackson.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:00 AM, on 9/20/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Maxtor\MANAGE~1\OneTouch.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BySoft FreeRAM\FreeRAM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\cmd.exe
C:\Users\james l jackson\desktop\dss.exe
C:\Windows\system32\DllHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JAMESL~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Program Files\BySoft FreeRAM\FreeRAM.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8445 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 SASDIFSV - \??\c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - \??\c:\program files\superantispyware\saskutil.sys
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 SASENUM - \??\c:\program files\superantispyware\sasenum.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\hp\quickplay\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\hp\quickplay\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 HP Health Check Service - "c:\program files\hewlett-packard\hp health check\hphc_service.exe" <Not Verified; Hewlett-Packard; HP Health Check Service>
R2 MaxBackServiceInt - "c:\program files\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>

S3 Com4Qlb - "c:\program files\hewlett-packard\hp quick launch buttons\com4qlb.exe" <Not Verified; Hewlett-Packard Development Company, L.P.; HP Quick Launch Buttons>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel


-- Process Modules -------------------------------------------------------------

C:\Windows\explorer.exe (pid 2352)
2007-03-20 18:01:02 106496 --a------ C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll <Not Verified; HP; MediaLamp>
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2004-08-16 09:00:00 5120 --a------ C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
2007-09-08 17:25:28 408064 --a------ C:\Program Files\TrojanHunter 5.0\contmenu.dll
1998-04-27 19:42:20 24064 -----n--- C:\Program Files\Mach5 Software\Kremlin\KremShl.dll
1998-04-27 19:39:06 102400 -----n--- C:\Program Files\Mach5 Software\Kremlin\KremDLL.dll
1998-04-27 09:51:18 111104 -----n--- C:\Program Files\Mach5 Software\Kremlin\KremSDK.dll
2001-11-03 14:39:42 278528 --a------ C:\Windows\System32\ShellExt\Cryptext.dll
2007-07-11 04:07:16 152576 --a------ C:\Program Files\7-Zip\7-zip.dll <Not Verified; Igor Pavlov; 7-Zip>


-- Files created between 2007-08-20 and 2007-09-20 -----------------------------

2007-09-19 08:26:15 0 d-------- C:\Users\james l jackson\DoctorWeb
2007-09-19 08:11:59 0 d-------- C:\Program Files\Trend Micro
2007-09-17 16:37:04 0 d-------- C:\Users\All Users\eSellerate
2007-09-17 15:39:01 0 d-------- C:\Program Files\MSECache
2007-09-17 06:56:00 0 d-------- C:\Users\All Users\MailFrontier
2007-09-16 20:59:47 512 --a------ C:\ScanSectorLog.dat
2007-09-16 18:53:03 4791840 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2007-09-16 18:47:46 11264 --a------ C:\Windows\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-09-16 18:46:58 0 d-------- C:\Windows\system32\ZoneLabs
2007-09-16 18:46:58 0 d-------- C:\Users\All Users\CheckPoint
2007-09-16 18:31:16 0 d-------- C:\Windows\Internet Logs
2007-09-15 05:32:16 0 d-------- C:\Program Files\TrojanHunter 5.0
2007-09-13 14:55:57 44716735 --a------ C:\Windows\system32\BMSDCWI
2007-09-13 14:40:55 0 d-------- C:\Program Files\Avira GmbH
2007-09-13 14:30:54 0 d-------- C:\Program Files\RootKit Hook Analyzer
2007-09-13 11:56:15 0 d-------- C:\Users\james l jackson\Pavark
2007-09-13 11:54:47 0 d-------- C:\Program Files\Sophos
2007-09-13 05:38:08 0 d-------- C:\Program Files\Alleycode
2007-09-12 17:03:32 0 d-------- C:\Program Files\KompoZer 0.7.10
2007-09-12 08:17:05 0 d-------- C:\d30fc999c5605d1cd7e21655
2007-09-09 11:38:46 0 d--hs---- C:\Windows\ftpcache
2007-09-08 16:59:22 0 d-------- C:\Windows\TweakVI
2007-09-07 13:29:49 0 d-------- C:\Users\james l jackson\.idlerc
2007-09-06 19:26:26 0 d-------- C:\Program Files\Paint.NET
2007-09-06 16:25:03 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-31 07:28:22 0 d-------- C:\Program Files\BySoft Network Monitor
2007-08-29 07:15:36 0 d-------- C:\Program Files\BySoft FreeRAM


-- Find3M Report ---------------------------------------------------------------

2007-09-20 07:06:24 13495 --a------ C:\Users\james l jackson\AppData\Roaming\nvModes.dat
2007-09-20 07:06:23 13495 --a------ C:\Users\james l jackson\AppData\Roaming\nvModes.001
2007-09-19 22:02:29 12 --a------ C:\Windows\bthservsdp.dat
2007-09-18 12:19:29 0 d-------- C:\Users\james l jackson\AppData\Roaming\OpenOffice.org2
2007-09-17 18:59:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-17 16:37:08 10552 --a------ C:\Users\james l jackson\AppData\Roaming\docXConverter.ini
2007-09-17 16:37:08 134 --ah----- C:\Users\james l jackson\AppData\Roaming\brara1985.sys
2007-09-16 19:15:58 0 d-------- C:\Users\james l jackson\AppData\Roaming\MailFrontier
2007-09-16 18:37:45 0 d-------- C:\Program Files\Common Files
2007-09-15 07:05:45 0 d-------- C:\Users\james l jackson\AppData\Roaming\TrojanHunter
2007-09-14 11:48:01 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-13 15:24:53 0 d-------- C:\Program Files\Winamp
2007-09-13 14:40:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 10:31:57 0 d-------- C:\Program Files\Windows Mail
2007-09-12 17:13:49 0 d-------- C:\Users\james l jackson\AppData\Roaming\KompoZer
2007-09-10 06:17:07 0 d-------- C:\Users\james l jackson\AppData\Roaming\Blumentals
2007-09-09 14:45:15 174 --ahs---- C:\Program Files\desktop.ini
2007-09-09 14:41:29 0 d-------- C:\Program Files\Windows Calendar
2007-09-09 14:41:25 0 d-------- C:\Program Files\Windows Defender
2007-09-08 16:13:17 0 d-------- C:\Program Files\FireTune
2007-09-08 16:13:04 737280 --a------ C:\Windows\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-09-07 09:34:05 0 d-------- C:\Program Files\Apple Software Update
2007-09-07 09:33:27 0 d-------- C:\Program Files\Audacity
2007-09-06 21:17:21 0 d-------- C:\Users\james l jackson\AppData\Roaming\gtk-2.0
2007-09-06 21:10:25 0 d-------- C:\Users\james l jackson\AppData\Roaming\Inkscape
2007-09-06 16:07:11 0 d-------- C:\Users\james l jackson\AppData\Roaming\Talkback
2007-09-06 16:06:45 0 d-------- C:\Users\james l jackson\AppData\Roaming\Mozilla
2007-09-06 16:06:43 0 d-------- C:\Users\james l jackson\AppData\Roaming\Thunderbird
2007-08-29 09:03:30 0 d-------- C:\Users\james l jackson\AppData\Roaming\Vso
2007-08-24 20:05:37 0 d-------- C:\Users\james l jackson\AppData\Roaming\Real
2007-08-16 19:43:51 0 d-------- C:\Users\james l jackson\AppData\Roaming\dvdcss
2007-08-15 18:16:09 0 d-------- C:\Program Files\VSO
2007-08-13 13:38:14 4 --a------ C:\Windows\system32\659FF0
2007-08-12 16:27:07 20898 --a------ C:\Windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat <SPOONU~1.DAT>
2007-08-12 16:27:07 164352 --a------ C:\Windows\system32\SpoonUninstall.exe <SPOONU~1.EXE>
2007-08-11 16:52:23 0 d-------- C:\Program Files\Lavasoft
2007-08-11 16:51:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-10 18:24:48 0 d-------- C:\Program Files\Hewlett-Packard
2007-08-09 12:31:08 0 d-------- C:\Program Files\Maxtor
2007-08-09 12:29:40 0 d-------- C:\Users\james l jackson\AppData\Roaming\InstallShield
2007-08-09 12:28:54 0 d-------- C:\Program Files\Common Files\Crystal Decisions
2007-08-09 12:28:15 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-09 12:02:06 0 d-------- C:\Users\james l jackson\AppData\Roaming\Roxio
2007-08-03 18:17:25 0 d-------- C:\Users\james l jackson\AppData\Roaming\Hewlett-Packard
2007-08-01 05:56:55 0 d-------- C:\Program Files\Online Services
2007-07-29 17:25:10 0 d-------- C:\Program Files\Illustrate
2007-07-29 16:07:49 0 d-------- C:\Program Files\Safer Networking
2007-07-29 06:16:00 0 d-------- C:\Program Files\Wimpy FLV Player
2007-07-28 14:25:41 29239 --a------ C:\Users\james l jackson\AppData\Roaming\UserTile.png
2007-07-28 08:00:53 0 d-------- C:\Program Files\Mach5 Software
2007-07-27 13:06:02 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-27 10:30:47 0 d-------- C:\Users\james l jackson\AppData\Roaming\Adobe
2007-07-27 07:05:26 0 d-------- C:\Users\james l jackson\AppData\Roaming\Winamp
2007-07-27 06:44:11 0 d-------- C:\Users\james l jackson\AppData\Roaming\CyberLink
2007-07-26 19:59:44 0 d-------- C:\Program Files\Common Files\xing shared
2007-07-26 19:59:35 0 d-------- C:\Program Files\Common Files\Real
2007-07-26 19:59:13 0 d-------- C:\Program Files\Real
2007-07-26 17:39:55 0 d-------- C:\Users\james l jackson\AppData\Roaming\vlc
2007-07-26 17:39:04 0 d-------- C:\Program Files\VideoLAN
2007-07-26 07:10:05 0 d-------- C:\Users\james l jackson\AppData\Roaming\HP
2007-07-26 06:32:23 0 d-------- C:\Program Files\QuickTime
2007-07-26 05:49:31 0 d-------- C:\Program Files\Google
2007-07-25 21:19:26 0 d-------- C:\Users\james l jackson\AppData\Roaming\Google
2007-07-25 18:16:03 0 d-------- C:\Program Files\PhotoImpact Viewer 4.0
2007-07-25 18:15:42 0 -rahs---- C:\MSDOS.SYS
2007-07-25 18:15:42 0 -rahs---- C:\IO.SYS
2007-07-25 17:01:01 0 d-------- C:\Program Files\Belarc
2007-07-25 17:00:27 0 d-------- C:\Users\james l jackson\AppData\Roaming\SUPERAntiSpyware.com
2007-07-25 16:43:37 0 d-------- C:\Program Files\Microsoft Works
2007-07-25 09:41:19 0 d-------- C:\Program Files\Rhapsody
2007-07-25 08:25:32 0 d-------- C:\Program Files\Calc98
2007-07-24 21:58:06 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-24 21:46:35 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-07-24 21:43:22 0 d-------- C:\Program Files\7-Zip
2007-07-24 21:43:10 0 d-------- C:\Program Files\FileZilla
2007-07-24 21:42:40 0 d-------- C:\Program Files\CCleaner
2007-07-24 20:07:38 0 --a------ C:\Windows\nsreg.dat
2007-07-24 19:11:09 0 d-------- C:\Program Files\MSXML 4.0
2007-07-24 14:35:18 0 d-------- C:\Program Files\Java
2007-07-24 11:14:55 0 d-------- C:\Users\james l jackson\AppData\Roaming\Identities
2007-07-24 11:10:23 0 d-------- C:\Users\james l jackson\AppData\Roaming\Macromedia
2007-07-24 11:05:56 81 --a------ C:\Windows\system32\LOG


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [09/09/2007 02:38 PM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [02/28/2007 01:26 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [02/28/2007 01:26 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [02/28/2007 01:26 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/08/2007 01:14 AM]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/17/2005 01:11 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [03/28/2007 07:45 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/13/2007 01:38 PM]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [06/05/2007 09:12 AM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 03:18 PM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 06:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/26/2007 07:59 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [03/25/2007 04:44 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 05:22 PM]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [09/09/2007 09:31 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/04/2007 05:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [07/25/2007 09:19 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:35 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [09/11/2006 04:56 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 07:36 AM]
"BySoft FreeRAM"="C:\Program Files\BySoft FreeRAM\FreeRAM.exe" [12/17/2004 03:44 PM]

C:\Users\james l jackson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Kremlin Sentry.LNK - C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe [7/28/2007 8:00:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2007-09-20 07:27:38 ------------


Extra.txt:
Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor TK-53
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 958 MiB / 302.26 MiB
Pagefile Memory (total/avail): 2171.85 MiB / 1291.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945.25 MiB

C: is Fixed (NTFS) - 103.61 GiB total, 64.91 GiB free.
D: is Fixed (NTFS) - 8.17 GiB total, 1.73 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1237GSX SCSI Disk Device - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 103.61 GiB - C:
\PARTITION1 - Installable File System - 8.17 GiB - D:

\\.\PHYSICALDRIVE1 - Brother MFC-420CN USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Security Suite Firewall v7.1.078.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.1.078.000 (Check Point, LTD.)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\james l jackson\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HPPDV9000Z
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\james l jackson
LOCALAPPDATA=C:\Users\james l jackson\AppData\Local
LOGONSERVER=\\HPPDV9000Z
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 104 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6801
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JAMESL~1\AppData\Local\Temp
TMP=C:\Users\JAMESL~1\AppData\Local\Temp
tvdumpflags=8
USERDOMAIN=hppdv9000z
USERNAME=james l jackson
USERPART=E:
USERPROFILE=C:\Users\james l jackson
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

james l jackson


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
7-Zip 4.49 beta --> "C:\Program Files\7-Zip\Uninstall.exe"
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Alleycode HTML Editor 2.2.1 --> "C:\Program Files\Alleycode\unins000.exe"
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
Avira RootKit Detection --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FD25FCD-6F39-4686-AFBB-7056EBAE5E68}\setup.exe" -l0x9
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
BySoft FreeRAM 4.0 --> C:\Program Files\BySoft FreeRAM\uninst.exe
BySoft Network Monitor 1.2 --> C:\Program Files\BySoft Network Monitor\uninst.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\UIU32a.exe -U -IwisR30B7.inf
Cryptext (Remove Only) --> rundll32 setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\Windows\system32\ShellExt\Cryptext.inf
dBpowerAMP Music Converter --> "C:\Windows\system32\SpoonUninstall.exe" <uninstall>C:\Windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
ESU for Microsoft Vista --> MsiExec.exe /X{39523EA4-F914-4447-A551-2513766095F5}
FileAlyzer --> "C:\Program Files\Safer Networking\FileAlyzer\unins000.exe"
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
FireTune --> C:\Windows\iun6002.exe "C:\Program Files\FireTune\irunin.ini"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hewlett-Packard Active Check --> MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check --> MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Active Support Library --> C:\Program Files\InstallShield Installation Information\{E59A46D4-699C-4DC8-969F-DAC3395B4543}\setup.exe -runfromtemp -l0x0409
HP Active Support Library 32 bit components --> MsiExec.exe /I{6D3DB611-D5E8-4E4B-8952-0D3F549F9CC6}
HP Active Support Library 32 bit components --> MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
HP Customer Experience Enhancements --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Easy Setup - Frontend --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP Help and Support --> MsiExec.exe /I{584B0895-8EF3-4175-8E80-1B68BFA04636}
HP Pavilion Webcam Driver for Vista v061.001.00005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CA81D12-9EC2-4082-972B-43ECA63F41F2}\setup.exe" -l0x9 -removeonly
HP Photosmart Essential 2.0 --> C:\Program Files\Hewlett-Packard\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Quick Launch Buttons 6.20 B1 --> C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP QuickPlay 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Total Care Advisor --> MsiExec.exe /X{F6B29003-A078-4491-AFBE-62EFB6CFFE19}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guide 0042 --> MsiExec.exe /I{B0F97FBF-9F98-4522-B65D-8980FE38C726}
HP Wireless Assistant --> MsiExec.exe /I{D32067CD-7409-4792-BFA0-1469BCD8F0C8}
HPNetworkAssistant --> MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kremlin 2.21 --> "C:\Program Files\Mach5 Software\Kremlin\Remove.exe" /U:"C:\Program Files\Mach5 Software\Kremlin\Remove.log"
Maxtor Backup --> C:\Program Files\InstallShield Installation Information\{9C3F9580-F5CF-4288-894E-9FF0EB24A21C}\setup.exe -runfromtemp -l0x0409
Maxtor OneTouch III --> C:\Program Files\InstallShield Installation Information\{FF268652-B3E8-494F-8343-1FC6DD0FF523}\setup.exe -runfromtemp -l0x0409
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.6) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSCU for Microsoft Vista --> MsiExec.exe /X{3FFB3B34-D639-4384-9AE9-DDE58430D86F}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
muvee autoProducer 6.0 --> C:\Program Files\InstallShield Installation Information\{0BFC200F-C45D-4271-AF34-4CA969225DEB}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
OpenOffice.org 2.2 --> MsiExec.exe /I{3CCBC9FF-7F35-4220-B66D-B60E2E7AB4E2}
Paint.NET v3.10 --> MsiExec.exe /X{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\INSTALL.LOG
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
RootKit Hook Analyzer 3.02 --> "C:\Program Files\RootKit Hook Analyzer\unins000.exe"
Roxio Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9 --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive --> MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9 --> MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_103C30B7\HXFSETUP.EXE -U -Iwis30B7z.inf
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TrojanHunter 5.0 --> "C:\Program Files\TrojanHunter 5.0\unins000.exe"
Ulead PhotoImpact Viewer 4.0 Freeware Version --> C:\Windows\ULEAD.DAT\WUSETUP.EXE /f:PIVWR40.INF
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VSO Image Resizer 1.1.16 --> "C:\Program Files\VSO\Image Resizer\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9900 / Success
Event Submitted/Written: 09/20/2007 07:05:03 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type9899 / Success
Event Submitted/Written: 09/20/2007 07:04:56 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type9894 / Success
Event Submitted/Written: 09/20/2007 07:03:32 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type9884 / Warning
Event Submitted/Written: 09/19/2007 10:02:19 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-1359518864-879702272-371608493-1000_Classes:
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1359518864-879702272-371608493-1000_CLASSES
Process 1960 (\Device\HarddiskVolume1\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-1359518864-879702272-371608493-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Event Record #/Type9883 / Warning
Event Submitted/Written: 09/19/2007 10:02:18 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-1359518864-879702272-371608493-1000:
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1359518864-879702272-371608493-1000
Process 1308 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1359518864-879702272-371608493-1000\Software\Policies
Process 1308 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1359518864-879702272-371608493-1000\Software



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21218 / Warning
Event Submitted/Written: 09/20/2007 07:23:22 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%hppdv9000z27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %hppdv9000z27 can't undo changes that you allow.

For more information please see the following:
%hppdv9000z275

Scan ID: {E21EBB3B-C2F0-4FC7-A7CB-433D8446AE05}

User: hppdv9000z\james l jackson

Name: %hppdv9000z271

ID: %hppdv9000z272

Severity ID: %hppdv9000z273

Category ID: %hppdv9000z274

Path Found: %hppdv9000z276

Alert Type: %hppdv9000z278

Detection Type: 1.1.1505.02

Event Record #/Type21217 / Warning
Event Submitted/Written: 09/20/2007 07:23:22 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%hppdv9000z27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %hppdv9000z27 can't undo changes that you allow.

For more information please see the following:
%hppdv9000z275

Scan ID: {D9D31EDD-97AD-4CD0-BF57-1FF9D906D79F}

User: hppdv9000z\james l jackson

Name: %hppdv9000z271

ID: %hppdv9000z272

Severity ID: %hppdv9000z273

Category ID: %hppdv9000z274

Path Found: %hppdv9000z276

Alert Type: %hppdv9000z278

Detection Type: 1.1.1505.02

Event Record #/Type21216 / Warning
Event Submitted/Written: 09/20/2007 07:23:22 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%hppdv9000z27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %hppdv9000z27 can't undo changes that you allow.

For more information please see the following:
%hppdv9000z275

Scan ID: {205E358F-8F77-4474-8801-3BB2030CB716}

User: hppdv9000z\james l jackson

Name: %hppdv9000z271

ID: %hppdv9000z272

Severity ID: %hppdv9000z273

Category ID: %hppdv9000z274

Path Found: %hppdv9000z276

Alert Type: %hppdv9000z278

Detection Type: 1.1.1505.02

Event Record #/Type21215 / Warning
Event Submitted/Written: 09/20/2007 07:23:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%hppdv9000z27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %hppdv9000z27 can't undo changes that you allow.

For more information please see the following:
%hppdv9000z275

Scan ID: {41ED1506-67E1-4DC8-A8FC-6F9D13F9E8DC}

User: hppdv9000z\james l jackson

Name: %hppdv9000z271

ID: %hppdv9000z272

Severity ID: %hppdv9000z273

Category ID: %hppdv9000z274

Path Found: %hppdv9000z276

Alert Type: %hppdv9000z278

Detection Type: 1.1.1505.02

Event Record #/Type21214 / Warning
Event Submitted/Written: 09/20/2007 07:23:19 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%hppdv9000z27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %hppdv9000z27 can't undo changes that you allow.

For more information please see the following:
%hppdv9000z275

Scan ID: {49DFCE49-1774-4AD8-A480-635794997342}

User: hppdv9000z\james l jackson

Name: %hppdv9000z271

ID: %hppdv9000z272

Severity ID: %hppdv9000z273

Category ID: %hppdv9000z274

Path Found: %hppdv9000z276

Alert Type: %hppdv9000z278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2007-09-20 07:27:38 ------------
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby silver » September 20th, 2007, 9:34 am

Hi MasterBlaster,

"PFRVHY" was a leftover from running Rootkit Revealer, a service is sometimes left behind when the program is stopped before it is finished cleaning up.

Great that you got DSS working, just a couple of things to tidy up:

Check that dss.exe is on your Desktop - this won't work unless it is there.
Open a new Notepad document (press Start, type notepad in the search box and enter) and copy/paste the following into it:
reg export HKCR\cplfile "%userprofile%\backup.reg"
"%userprofile%\desktop\dss.exe" /daft

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "runme2.bat" (you MUST include the quotes)
Then right-click runme2.bat and choose Run as administrator
DSS will open, press OK to the disclaimer(s) and then press Scan
Place checkmarks in any boxes that appear and press Fix
Then close Deckard's System Scanner

Next, please open Start->Control Panel->Programs and Features/Uninstall a Program and remove this:
Java(TM) SE Runtime Environment 6

This is outdated and is now a security risk. You already have the latest Java installed (Java 6 Update 2) - don't remove this one.

Once complete, please post a new HijackThis log and let me know how your computer is running.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby MasterBlaster » September 20th, 2007, 9:52 am

silver,
ran runme2.bat
fixed 1 problem.

deleted java 6

here's the hijackthis.log
Thanks again,
MB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:29 AM, on 9/20/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Maxtor\MANAGE~1\OneTouch.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\BySoft FreeRAM\FreeRAM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Program Files\BySoft FreeRAM\FreeRAM.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8300 bytes
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby MasterBlaster » September 20th, 2007, 9:53 am

silver,
i forgot.
it's running fine now.
thanks for all your splendid assistance.
MB
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby silver » September 20th, 2007, 10:01 am

Hi MasterBlaster,

Sounds great :) I don't really know why you were having the problems you describe, but we've had a close look at your machine and found no evidence of malware on it - and I'm very glad to hear it's running better.

You can now delete cureit.exe, dss.exe and the runme.bat files from your Desktop.

Here are some tips to help keep your computer clean:

You have plenty of protection software installed however please ensure it is kept up to date. Check that your antivirus and antispyware programs are set to automatically update themselves daily, and that your firewall is the latest version.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins orActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Find out more about how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby MasterBlaster » September 20th, 2007, 11:00 am

silver,
Thanks for reminding me about the HOSTS file, this laptop is new and I had not gotten around to installing that yet, too much going on.
I just remedied that.

Thanks again,
MB
MasterBlaster
Active Member
 
Posts: 11
Joined: March 6th, 2007, 6:16 pm

Unread postby silver » September 20th, 2007, 9:01 pm

You're most welcome and I hope you enjoy your new machine!
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby Elrond » September 21st, 2007, 2:26 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 161 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware