#1
July 31st, 2008, 10:16 AM
WayneWhitty (Member; Join Date: Dec 2006; Posts: 58)
Big problem that I can't seem to solve. Conhook.I

My computer is infected with what Windows Defender calls Conhook.I. It's a trojan downloader that also uses a BHO (it wants me to start gambling online by the look of things). Could somebody please have a look at this? I've tried to get rid of it, but even Windows Defender throws up an error message upon trying to remove said Trojan. Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:09, on 31/07/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\explorer.exe
C:\Apache\bin\httpd.exe
C:\Windows\system32\conime.exe
C:\Apache\bin\httpd.exe
C:\MySQL\mysql-4.1.22-win32\bin\mysqld.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhorse.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie/ig/dell?hl=en&c...ie&ibd=0070805
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4B0D465E-FC29-4634-88E7-E31D01518F4D} - C:\Windows\system32\byXNheFw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {E3D076D7-6BD4-4D39-81B2-09A26EB4C3F4} - C:\Windows\system32\xxyyxWQh.dll (file missing)
O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - C:\Windows\system32\opnKdArp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnKdArp.dll,#1
O4 - HKLM\..\Run: [74fdad2d] rundll32.exe "C:\Windows\system32\kkarmaeg.dll",b
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [BM77ce9eb1] Rundll32.exe "C:\Windows\system32\kkqloapl.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe

--
End of file - 9904 bytes


Notice: O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnKdArp.dll,#1

Any help with the removal of this is appreciated.

#2
August 1st, 2008, 04:43 AM
Jintan (Cyber Tech Help Moderator; Join Date: Dec 2004; Posts: 52,254)
Hello WayneWhitty,

There's more infection showing than just the item you highlighted. Let's get a more detailed look and then start some repairs.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.


Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe" /config

When the DSS Configuration display opens, click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, under Main Log, uncheck the following:

System Restore
Temp Cleanup
Process Modules

Then under Options, place a check next to the following:

Backup Registry Hives

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed, a textbox will appear - copy/paste those contents back here (main.txt). A second text file, extra.txt, will also show as minimized in your Taskbar. Maximize/open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder.)

You can use extra posts here if needed for that.
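The moderator's remark that more infection is showing than the single O4 line the poster highlighted is what a log reviewer sees by reading the O2 and O4 entries together. As an added illustration (not part of the original thread, and not a HijackThis or Cyber Tech Help tool), the Python script below applies a few of those reviewer heuristics to lines copied from the log posted above: BHOs registered without a display name or whose file is already gone, rundll32 loading an eight-letter DLL straight out of system32, hex-looking Run value names, and the same DLL turning up under more than one entry. The heuristics are the example's own assumptions, not anything HijackThis itself computes.

```python
"""Reviewer heuristics for HijackThis v2.0.x O2 (BHO) and O4 (Run key) lines.

Added example: the signals below are what a log helper scans for by eye;
they are this script's own heuristics, not anything HijackThis computes.
"""
import re
from collections import defaultdict

# O2 - BHO: <name> - {<clsid>} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# A DLL under <drive>:\Windows\system32 whose stem is letters only.
SYSTEM32_DLL_RE = re.compile(
    r"[A-Za-z]:\\Windows\\system32\\(?P<stem>[A-Za-z]+)\.dll", re.IGNORECASE
)
# Run value names made of eight hex digits, optionally prefixed "BM".
HEX_VALUE_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4B0D465E-FC29-4634-88E7-E31D01518F4D} - C:\Windows\system32\byXNheFw.dll (file missing)
O2 - BHO: (no name) - {E3D076D7-6BD4-4D39-81B2-09A26EB4C3F4} - C:\Windows\system32\xxyyxWQh.dll (file missing)
O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - C:\Windows\system32\opnKdArp.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnKdArp.dll,#1
O4 - HKLM\..\Run: [74fdad2d] rundll32.exe "C:\Windows\system32\kkarmaeg.dll",b
O4 - HKLM\..\Run: [BM77ce9eb1] Rundll32.exe "C:\Windows\system32\kkqloapl.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""


def eight_letter_system32_dll(text):
    """Return the stem if text names an eight-letter, letters-only .dll under system32."""
    m = SYSTEM32_DLL_RE.search(text)
    if m and len(m.group("stem")) == 8:
        return m.group("stem")
    return None


def triage(log_text):
    """Return {"findings": [...], "correlated": [...]} for the O2/O4 lines in log_text."""
    findings = []
    dll_refs = defaultdict(list)  # lower-cased DLL stem -> lines that reference it
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a display name")
            if m.group("missing"):
                reasons.append("BHO file missing (orphaned registration)")
            stem = eight_letter_system32_dll(m.group("path"))
            if stem:
                reasons.append(f"eight-letter DLL in system32: {stem}.dll")
                dll_refs[stem.lower()].append(line)
        m = O4_RE.match(line)
        if m:
            stem = eight_letter_system32_dll(m.group("cmd"))
            if stem and "rundll32" in m.group("cmd").lower():
                reasons.append(f"rundll32 loads eight-letter DLL from system32: {stem}.dll")
                dll_refs[stem.lower()].append(line)
            if HEX_VALUE_RE.match(m.group("value")):
                reasons.append(f"hex-looking Run value name [{m.group('value')}]")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    # The same DLL registered as a BHO and relaunched from a Run key is a stronger signal.
    correlated = sorted(stem for stem, lines in dll_refs.items() if len(lines) > 1)
    return {"findings": findings, "correlated": correlated}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for finding in report["findings"]:
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
    print("referenced from more than one entry:", report["correlated"])
```

Run against the sample, the script flags the four BHO lines and the three rundll32 Run entries, leaves the Acrobat BHO and the LOCAL SERVICE oobefldr.dll line alone, and reports opnKdArp.dll as the one DLL that is both a BHO and a Run-key launch, which is the item the poster had already noticed. The eight-letter rule is deliberately narrow (explicit system32 path, letters only) so that it does not catch normal Windows components referenced by bare file name.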
#3
August 1st, 2008, 10:00 AM
WayneWhitty (Member; Join Date: Dec 2006; Posts: 58)
Main.txt Part 1

Run by myhorse on 2008-08-01 09:52:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
27: 2008-07-31 23:00:09 UTC - RP416 - Scheduled Checkpoint
26: 2008-07-31 09:19:18 UTC - RP415 - Removed SonicStage
25: 2008-07-31 08:56:38 UTC - RP413 - Removed Nokia Connectivity Cable Driver
24: 2008-07-31 08:56:01 UTC - RP412 - Installed AVG Free 8.0
23: 2008-07-31 08:53:33 UTC - RP411 - Removed AVG Free 8.0


-- First Restore Point --
1: 2008-07-24 08:31:55 UTC - RP378 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as myhorse.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:55:31, on 01/08/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\explorer.exe
C:\Windows\system32\conime.exe
C:\MySQL\mysql-4.1.22-win32\bin\mysqld.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Apache\bin\httpd.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\myhorse\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\myhorse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhorse.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie/ig/dell?hl=en&c...ie&ibd=0070805
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4B0D465E-FC29-4634-88E7-E31D01518F4D} - C:\Windows\system32\byXNheFw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {E3D076D7-6BD4-4D39-81B2-09A26EB4C3F4} - C:\Windows\system32\xxyyxWQh.dll (file missing)
O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - C:\Windows\system32\opnKdArp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [74fdad2d] rundll32.exe "C:\Windows\system32\kkarmaeg.dll",b
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [BM77ce9eb1] Rundll32.exe "C:\Windows\system32\kkqloapl.dll",s
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnKdArp.dll,#1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acunetix WVS Scheduler v5 (AcuWVSSchedulerv5) - Acunetix Ltd. - C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe

--
End of file - 9927 bytes

#4
August 1st, 2008, 10:01 AM
WayneWhitty (Member; Join Date: Dec 2006; Posts: 58)
Main.txt Part 2

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080731-102459-356 O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opnKdArp.dll,#1
backup-20080731-102521-496 O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - C:\Windows\system32\opnKdArp.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 DSproct - \??\c:\program files\dellsupport\gtaction\triggers\dsproct.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcuWVSSchedulerv5 (Acunetix WVS Scheduler v5) - "c:\program files\acunetix\web vulnerability scanner 5\wvsscheduler.exe" <Not Verified; Acunetix Ltd.; Acunetix Vulnerability Editor>
R2 Adobe Version Cue CS2 - "c:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>

S3 DSBrokerService - "c:\program files\dellsupport\brkrsvc.exe" <Not Verified; ; Gteko BrkrSvc Application>
S3 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia N95 8GB
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N95 8GB
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-07-31 10:04:51 0 d-------- C:\Program Files\Trend Micro
2008-07-31 09:11:19 36352 --a------ C:\Windows\system32\opnKdArp.dll
2008-07-30 17:58:31 36352 --a------ C:\Windows\system32\mlJyxWoL.dll
2008-07-30 17:29:11 0 --a------ C:\Windows\system32\ssqPfcaY.dll
2008-07-30 17:07:50 89600 --a------ C:\Windows\system32\kkqloapl.dll
2008-07-30 17:07:05 388122 --ahs---- C:\Windows\system32\wFehNXyb.ini2
2008-07-29 17:40:55 0 d-------- C:\cygwin
2008-07-28 17:47:36 770048 --a------ C:\Windows\system32\CDDBUISony.dll <Not Verified; Gracenote; CDDBUIControl Module>
2008-07-28 17:47:35 532480 --a------ C:\Windows\system32\CddbPlaylist2Sony.dll <Not Verified; ; CddbPlaylist2 Module>
2008-07-28 17:47:35 589824 --a------ C:\Windows\system32\CddbMusicIDSony.dll <Not Verified; Gracenote; CddbMusicID Module>
2008-07-28 17:47:35 73728 --a------ C:\Windows\system32\CddbLinkSony.dll <Not Verified; Gracenote; CddbLink Module>
2008-07-28 17:47:34 655360 --a------ C:\Windows\system32\CDDBControlSony.dll <Not Verified; Gracenote, Inc.; CDDBControl Core Module>
2008-07-28 17:40:29 0 d-------- C:\Users\All Users\Sony Corporation
2008-07-28 17:34:44 0 d-a------ C:\Users\All Users\TEMP
2008-07-28 17:34:44 0 d-------- C:\Program Files\Sony
2008-07-28 17:34:42 0 d-------- C:\Windows\system32\Iosubsys
2008-07-28 17:31:25 0 d-------- C:\Program Files\Common Files\Sony Shared
2008-07-24 11:08:54 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-24 10:59:52 345 --ahs---- C:\Windows\system32\tCccfNpo.ini2
2008-07-24 10:07:02 0 d--h----- C:\$AVG8.VAULT$
2008-07-24 09:35:05 80384 --a------ C:\Windows\system32\kkarmaeg.dll
2008-07-24 09:34:25 91136 --a------ C:\Windows\system32\yahnycba.dll
2008-07-24 09:29:03 392743 --ahs---- C:\Windows\system32\hQWxyyxx.ini2
2008-07-24 09:23:45 0 d-------- C:\Users\All Users\avg8
2008-07-24 09:23:45 0 d-------- C:\Program Files\AVG
2008-07-23 16:11:15 0 d-------- C:\Program Files\0x90.org
2008-07-23 12:09:34 345 --ahs---- C:\Windows\system32\cLkSAJjl.ini2
2008-07-23 12:04:15 36352 --a------ C:\Windows\system32\rqRJCVMd.dll
2008-07-23 09:51:44 0 d-------- C:\Users\myhorse\AcunetixScanner
2008-07-23 09:51:23 0 d-------- C:\Program Files\Acunetix
2008-07-21 09:49:47 0 d-------- C:\Windows\pss
2008-07-21 09:17:39 0 d-------- C:\Users\All Users\Lavasoft
2008-07-17 13:36:43 0 d-------- C:\Program Files\TeamViewer3
2008-07-17 13:36:28 0 d-------- C:\Users\myhorse\temp
2008-07-17 12:47:22 0 d-------- C:\Program Files\UltraVNC
2008-07-17 11:58:42 0 d-------- C:\Program Files\RealVNC
2008-07-17 09:45:26 58904 --a------ C:\Windows\system32\sysfolderazipcnt.dll
2008-07-17 09:45:26 58904 --a------ C:\Windows\system32\azipcontmn.dll
2008-07-17 09:45:23 0 d-------- C:\Program Files\AlphaZIP
2008-07-14 15:24:11 0 d-------- C:\Users\All Users\Nokia
2008-07-14 15:24:09 0 d-------- C:\Program Files\Common Files\Nokia
2008-07-14 15:23:14 0 d-------- C:\Users\All Users\PC Suite
2008-07-14 15:21:45 0 d-------- C:\Program Files\Common Files\PCSuite
2008-07-14 15:14:12 0 d-------- C:\Program Files\PC Connectivity Solution
2008-07-14 15:10:40 90624 --a------ C:\Windows\system32\nmwcdcls.dll <Not Verified; Nokia; >
2008-07-14 15:10:40 0 d-------- C:\Program Files\Nokia


-- Find3M Report ---------------------------------------------------------------

2008-08-01 09:50:00 0 d-------- C:\Users\myhorse\AppData\Roaming\Skype
2008-08-01 08:02:55 0 d-------- C:\Users\myhorse\AppData\Roaming\skypePM
2008-07-31 09:18:29 0 d-------- C:\Program Files\PHP Editor
2008-07-31 08:58:41 0 d-------- C:\Program Files\activePDF
2008-07-31 08:56:40 0 d-------- C:\Program Files\Common Files
2008-07-30 11:44:59 0 d-------- C:\Users\myhorse\AppData\Roaming\LimeWire
2008-07-28 17:48:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 17:31:27 0 d-------- C:\Users\myhorse\AppData\Roaming\Sony Corporation
2008-07-23 10:24:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-21 11:00:44 0 d-------- C:\Users\myhorse\AppData\Roaming\Opera
2008-07-17 13:42:39 0 d-------- C:\Users\myhorse\AppData\Roaming\Adobe
2008-07-17 13:36:47 0 d-------- C:\Users\myhorse\AppData\Roaming\TeamViewer
2008-07-17 11:18:25 0 d-------- C:\Users\myhorse\AppData\Roaming\WinRAR
2008-07-14 15:26:01 0 d-------- C:\Users\myhorse\AppData\Roaming\Nokia
2008-07-14 15:23:19 0 d-------- C:\Users\myhorse\AppData\Roaming\PC Suite
2008-07-10 03:09:16 174 --ahs---- C:\Program Files\desktop.ini
2008-07-10 03:00:55 0 d-------- C:\Program Files\Windows Mail
2008-06-26 15:28:09 0 d-------- C:\Program Files\Google
2008-06-25 11:05:13 1160 --a------ C:\Windows\mozver.dat
2008-06-23 16:25:36 0 d-------- C:\Users\myhorse\AppData\Roaming\Macromedia
2008-06-17 14:56:33 0 d-------- C:\Program Files\Macromedia
2008-06-17 14:53:36 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-17 09:10:06 0 d-------- C:\Program Files\ubcam
2008-06-16 17:53:54 0 d-------- C:\Program Files\Softland
2008-06-16 14:16:19 0 d-------- C:\Program Files\Apache Software Foundation
2008-06-13 15:01:52 4874301 --a------ C:\Windows\system32\php5ts.dll <Not Verified; The PHP Group; PHP Script Interpreter>
2008-06-13 15:01:47 2076672 --a------ C:\Windows\system32\libmysql.dll
2008-06-13 13:03:55 0 --a------ C:\Windows\nsreg.dat
2008-06-13 13:03:49 0 d-------- C:\Users\myhorse\AppData\Roaming\Mozilla
2008-06-13 11:22:04 56 --ah----- C:\Windows\system32\ezsidmv.dat
2008-06-13 10:49:13 0 d-------- C:\Users\myhorse\AppData\Roaming\Google
2008-06-13 10:33:55 0 d-------- C:\Program Files\Skype
2008-06-13 10:33:53 0 d-------- C:\Program Files\Common Files\Skype
2008-06-13 09:25:02 0 d-------- C:\Users\myhorse\AppData\Roaming\SmartFTP
2008-06-13 09:24:35 0 d-------- C:\Program Files\SmartFTP Client
2008-06-13 09:23:29 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-06-13 09:17:20 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B0D465E-FC29-4634-88E7-E31D01518F4D}]
C:\Windows\system32\byXNheFw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D076D7-6BD4-4D39-81B2-09A26EB4C3F4}]
C:\Windows\system32\xxyyxWQh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1079574-5D98-4990-9ECB-36AE259CB2C8}]
23/07/2008 12:04 36352 --a------ C:\Windows\system32\opnKdArp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [05/08/2007 19:50]
"RtHDVCpl"="RtHDVCpl.exe" [14/05/2007 10:03 C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/08/2007 12:10]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 11:37]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [05/11/2006 11:22]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [20/10/2006 17:23]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [14/12/2004 02:12]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 18:58]
"74fdad2d"="C:\Windows\system32\kkarmaeg.dll" [24/07/2008 09:35]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [03/10/2006 11:35]
"BM77ce9eb1"="C:\Windows\system32\kkqloapl.dll " [30/07/2008 17:07]
"MSServer"="C:\Windows\system32\opnKdArp.dll" [23/07/2008 12:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [15/03/2007 12:09]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 12:35]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/05/2008 15:54]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 13:34]

C:\Users\myhorse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\Apache\bin\ApacheMonitor.exe [18/01/2008 00:38:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1079574-5D98-4990-9ECB-36AE259CB2C8}"= C:\Windows\system32\opnKdArp.dll [23/07/2008 12:04 36352]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\byXNheFw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\Windows\pss\Adobe Gamma Loader.exe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
"C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ubcam]
"C:\Program Files\ubcam\ubcam_gui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-01 09:58:24 ------------
  #5  
Old August 1st, 2008, 10:01 AM
WayneWhitty WayneWhitty is offline
Member
 
Join Date: Dec 2006
Posts: 58
extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6000)
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU 2140 @ 1.60GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 1021.56 MiB / 265.75 MiB
Pagefile Memory (total/avail): 2291.24 MiB / 999.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.43 MiB

C: is Fixed (NTFS) - 288.03 GiB total, 242.3 GiB free.
D: is Fixed (NTFS) - 10 GiB total, 6.86 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3320620AS ATA Device - 298.09 GiB - 3 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 - Installable File System - 10 GiB - D:
\PARTITION2 (bootable) - Installable File System - 288.03 GiB - C:

\\.\PHYSICALDRIVE1 - TEAC USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - TEAC USB HS-MS Card USB Device

\\.\PHYSICALDRIVE4 - TEAC USB HS-SD Card USB Device

\\.\PHYSICALDRIVE2 - TEAC USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AS: Spyware Doctor v6.0.0.362 (PC Tools)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\myhorse\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MYHORSE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\myhorse
LOCALAPPDATA=C:\Users\myhorse\AppData\Local
LOGONSERVER=\\MYHORSE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\myhorse\AppData\Local\Temp
TMP=C:\Users\myhorse\AppData\Local\Temp
USERDOMAIN=myhorse-PC
USERNAME=myhorse
USERPROFILE=C:\Users\myhorse
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

myhorse (admin)
Office (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
--> msiexec /i {46548E80-0409-0000-7E8A-45000F855001}
--> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
--> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
Acunetix Web Vulnerability Scanner 5.1 --> "C:\Program Files\Acunetix\Web Vulnerability Scanner 5\unins000.exe"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Creative Suite 2 --> C:\PROGRA~1\INSTAL~1\{0134A~1\setup.exe /relaunched/rootloc=e:\adobe creative suite 2.0/lang=0409
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apache HTTP Server 2.2.8 --> MsiExec.exe /I{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x9
Belkin 54g USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\Belkin Wireless Network Utility\setup.exe" -l0x9
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell System Customization Wizard --> MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
doPDF 6.0 printer --> "C:\Program Files\Softland\doPDF 6\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) PRO Network Connections 12.1.11.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Intel(R) PRO Network Connections 12.1.11.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Macromedia FreeHand 10 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D826618-59C6-11D4-976E-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows Media Video 9 VCM --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\wmv9vcm.inf, Uninstall
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500}
Nokia NSeries Application Installer --> MsiExec.exe /I{FD349381-D79C-4E5C-8980-015DFFB962D5}
Nokia NSeries Content Copier --> MsiExec.exe /X{F779EC8D-6703-4C4A-817C-37B07898E647}
Nokia NSeries Multimedia Player --> MsiExec.exe /I{FA25FAF6-3097-43C9-BBB2-A77CE8AF1881}
Nokia NSeries One Touch Access --> MsiExec.exe /I{F4EE8763-EAA8-4BC1-8594-8501F5F00414}
Nokia NSeries System Utilities --> MsiExec.exe /X{F1932E56-8A95-40E0-A15B-E06B45969845}
Nokia Software Launcher --> MsiExec.exe /I{B53F4598-B3D9-41DF-911E-523FA91EE464}
Nokia Software Updater --> MsiExec.exe /X{20BCD471-7897-481D-ACF2-CB9BABF6A6CF}
OpenMG Limited Patch 4.7-07-14-05-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.7-07-14-05-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.7.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{CCD663AE-610D-4BDF-AAB0-E914B044527D} UNINSTALL
PC Connectivity Solution --> MsiExec.exe /I{6094AB91-4CC8-498E-9DFF-134CC0B159DE}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{281ECE39-F043-492B-8337-F2E546B5604A}\Setup.exe" -l0x9 -cluninstall
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Roxio Creator Audio --> MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin --> MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy --> MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE --> MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools --> MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE --> MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Skype™ 3.8 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
Sonic Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Suite Specific --> MsiExec.exe /I{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}
TeamViewer 3 --> C:\Program Files\TeamViewer3\uninstall.exe
ubcam --> C:\Program Files\ubcam\uninstall.exe
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
YHT 303 PC CAMERA (Vimicro301 Neptune) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type21112 / Error
Event Submitted/Written: 07/31/2008 10:19:17 AM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {1d2f8eae-ac7f-4c75-979e-cb684e9c4880}

Event Record #/Type21092 / Error
Event Submitted/Written: 07/31/2008 09:33:58 AM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {1d2f8eae-ac7f-4c75-979e-cb684e9c4880}

Event Record #/Type21090 / Error
Event Submitted/Written: 07/31/2008 09:16:09 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application Explorer.EXE, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module kkarmaeg.dll, version 0.0.0.0, time stamp 0x4885a083, exception code 0xc0000005, fault offset 0x0000d729,
process id 0x96c, application start time 0xExplorer.EXE0.

Event Record #/Type21086 / Error
Event Submitted/Written: 07/31/2008 09:11:19 AM
Event ID/Source: 5007 / WerSvc
Event Description:
The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

Event Record #/Type21077 / Success
Event Submitted/Written: 07/31/2008 09:10:20 AM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type84298 / Error
Event Submitted/Written: 08/01/2008 09:48:29 AM
Event ID/Source: 14365 / WMPNetworkSvc
Event Description:
0x80004004-1

Event Record #/Type84296 / Error
Event Submitted/Written: 08/01/2008 09:44:16 AM
Event ID/Source: 14365 / WMPNetworkSvc
Event Description:
0x80004004-1

Event Record #/Type84294 / Warning
Event Submitted/Written: 08/01/2008 09:10:19 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.

Event Record #/Type84291 / Error
Event Submitted/Written: 08/01/2008 01:52:00 AM
Event ID/Source: 1008 / WinDefend
Event Description:
%NT AUTHORITY27 has encountered an error when taking action on spyware or other potentially unwanted software.

For more information please see the following:
%NT AUTHORITY275

Scan ID: {CC613F4C-445F-4CCE-ACD6-C532CEFBC198}

Scan Type: %NT AUTHORITY02

User: NT AUTHORITY\NETWORK SERVICE

Name: %NT AUTHORITY271

ID: %NT AUTHORITY272

Severity ID: %NT AUTHORITY273

Category ID: %NT AUTHORITY274

Path: %NT AUTHORITY276

Action: 1.1.1505.00

Error Code: 1.1.1505.01

Error description: 1.1.1505.02

Event Record #/Type84289 / Warning
Event Submitted/Written: 08/01/2008 01:51:50 AM
Event ID/Source: 1006 / WinDefend
Event Description:
%NT AUTHORITY27 scan has detected spyware or other potentially unwanted software.

For more information please see the following:
%NT AUTHORITY275

Scan ID: {CC613F4C-445F-4CCE-ACD6-C532CEFBC198}

Scan Type: %NT AUTHORITY01

Scan Parameters: %NT AUTHORITY09

User: NT AUTHORITY\NETWORK SERVICE

Name: %NT AUTHORITY271

ID: %NT AUTHORITY272

Severity ID: %NT AUTHORITY273

Category ID: %NT AUTHORITY274

Path Found: %NT AUTHORITY276

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-08-01 09:58:24 ------------
  #6  
Old August 1st, 2008, 10:02 AM
WayneWhitty WayneWhitty is offline
Member
 
Join Date: Dec 2006
Posts: 58
Thanks for the help.
  #7  
Old August 1st, 2008, 05:02 PM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,254
A fair amount of infection there, so let's scan some out, then do more manual repairs after.


Then, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each software through Start - Programs.


Download Malwarebytes' Anti-Malware from Here or Here.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

============================

Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe" /config

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

System Restore
Temp Cleanup
Process Modules

Then under Extra Log, uncheck all the boxes.


Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

Post that along with the Malwarebytes log please.
  #8  
Old August 7th, 2008, 09:27 AM
WayneWhitty WayneWhitty is offline
Member
 
Join Date: Dec 2006
Posts: 58
Sorry for the delay, guys. MBAM log:

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 6.0.6000

09:25:45 07/08/2008
mbam-log-8-7-2008 (09-25-45).txt

Scan type: Quick Scan
Objects scanned: 37818
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\kkarmaeg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\xxyxYsPh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\ojvfvnvw.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\nNeBtrqp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f22f719a-d273-446e-80f6-be6b207894af} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f22f719a-d273-446e-80f6-be6b207894af} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f1079574-5d98-4990-9ecb-36ae259cb2c8} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f1079574-5d98-4990-9ecb-36ae259cb2c8} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm77ce9eb1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f1079574-5d98-4990-9ecb-36ae259cb2c8} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxysph -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxysph -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\xxyxYsPh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\hPsYxyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hPsYxyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\kkarmaeg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\geamrakk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ojvfvnvw.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\nNeBtrqp.dll (Trojan.BHO) -> Delete on reboot.
C:\Windows\System32\kkqloapl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\yahnycba.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rqRJCVMd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mlJyxWoL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ssqPfcaY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
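Reading a log like the one above by hand, it is easy to miss which items MBAM could only schedule for removal; the "Delete on reboot" entries are still loaded until the restart the moderator asks for, so a DSS or HijackThis log taken before rebooting will still show them. The following is an added example, not Malwarebytes' code or anything posted in this thread: it parses the MBAM 1.x log format, checks the summary counts against the items actually listed, tallies the families, and lists the pending-reboot items. The sample log is a constructed excerpt in the same format.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example for this thread; it is not Malwarebytes' code nor any poster's.
It reads the "<Section> Infected:" blocks, compares the counts in the summary
with the items actually listed, tallies detections by family, and lists the
"Delete on reboot" entries, which stay loaded until the machine is restarted.
"""
import re
from collections import defaultdict

# Constructed excerpt in the format of the log posted above (not the full log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 6.0.6000

Scan type: Quick Scan
Objects scanned: 37818
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\kkarmaeg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\nNeBtrqp.dll (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyxysph -> Delete on reboot.

Files Infected:
C:\Windows\System32\kkarmaeg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\geamrakk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nNeBtrqp.dll (Trojan.BHO) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (summary, detections).

    summary:    {section name: count declared in the summary block}
    detections: one dict per listed item with section, item, family,
                action (the final '-> ...' clause) and detail (any
                intermediate clause such as 'Data: ...').
    """
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue  # unknown line inside a section; ignore rather than guess
        clauses = m.group("rest").rstrip(".").split(" -> ")
        detections.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "action": clauses[-1],
            "detail": " -> ".join(clauses[:-1]),
        })
    return summary, detections


def check_counts(summary, detections):
    """Sections whose declared count differs from the items listed.
    Returns {section: (declared, listed)}; empty means the log is consistent."""
    listed = defaultdict(int)
    for d in detections:
        listed[d["section"]] += 1
    return {s: (n, listed[s]) for s, n in summary.items() if n != listed[s]}


def family_tally(detections):
    """Number of listed items per malware family (e.g. Trojan.Vundo)."""
    tally = defaultdict(int)
    for d in detections:
        tally[d["family"]] += 1
    return dict(tally)


def pending_reboot(detections):
    """Items MBAM could only schedule for deletion: until the reboot they are
    still on disk or still loaded, so a fresh log taken before restarting
    will still show them."""
    return sorted({d["item"] for d in detections if d["action"] == "Delete on reboot"})


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print("declared vs listed mismatches:", check_counts(summary, dets) or "none")
    print("by family:", family_tally(dets))
    print("still pending until reboot:")
    for item in pending_reboot(dets):
        print("  ", item)
```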
  #9  
Old August 7th, 2008, 09:30 AM
WayneWhitty WayneWhitty is offline
Member
 
Join Date: Dec 2006
Posts: 58
main.txt 1 of 2

Deckard's System Scanner v20071014.68
Run by myhorse on 2008-08-07 09:28:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 1022 MiB (1024 MiB recommended).


-- HijackThis (run as myhorse.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:28:38, on 07/08/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\explorer.exe
C:\Windows\system32\conime.exe
C:\Apache\bin\httpd.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\cmd.exe
C:\Users\myhorse\desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\myhorse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myhorse.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie/ig/dell?hl=en&c...ie&ibd=0070805
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {4B0D465E-FC29-4634-88E7-E31D01518F4D} - C:\Windows\system32\byXNheFw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {E3D076D7-6BD4-4D39-81B2-09A26EB4C3F4} - C:\Windows\system32\xxyyxWQh.dll (file missing)
O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - C:\Windows\system32\nNeBtrqp.dll
O2 - BHO: (no name) - {F22F719A-D273-446E-80F6-BE6B207894AF} - C:\Windows\system32\xxyxYsPh.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nNeBtrqp.dll,#1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acunetix WVS Scheduler v5 (AcuWVSSchedulerv5) - Acunetix Ltd. - C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe

--
End of file - 10002 bytes
  #10  
Old August 7th, 2008, 09:31 AM
WayneWhitty
Member
Join Date: Dec 2006
Posts: 58
2 of 2

-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 09:09:55 0 d-------- C:\Users\All Users\Malwarebytes
2008-08-07 09:09:55 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 17:21:18 36352 -----n--- C:\Windows\system32\nNeBtrqp.dll
2008-08-06 17:06:11 93184 -----n--- C:\Windows\system32\ojvfvnvw.dll
2008-08-06 17:05:26 246272 -----n--- C:\Windows\system32\xxyxYsPh.dll
2008-08-01 10:35:45 0 d-------- C:\Program Files\Ares
2008-07-31 10:04:51 0 d-------- C:\Program Files\Trend Micro
2008-07-30 17:07:05 388122 --ahs---- C:\Windows\system32\wFehNXyb.ini2
2008-07-29 17:40:55 0 d-------- C:\cygwin
2008-07-28 17:47:36 770048 --a------ C:\Windows\system32\CDDBUISony.dll <Not Verified; Gracenote; CDDBUIControl Module>
2008-07-28 17:47:35 532480 --a------ C:\Windows\system32\CddbPlaylist2Sony.dll <Not Verified; ; CddbPlaylist2 Module>
2008-07-28 17:47:35 589824 --a------ C:\Windows\system32\CddbMusicIDSony.dll <Not Verified; Gracenote; CddbMusicID Module>
2008-07-28 17:47:35 73728 --a------ C:\Windows\system32\CddbLinkSony.dll <Not Verified; Gracenote; CddbLink Module>
2008-07-28 17:47:34 655360 --a------ C:\Windows\system32\CDDBControlSony.dll <Not Verified; Gracenote, Inc.; CDDBControl Core Module>
2008-07-28 17:40:29 0 d-------- C:\Users\All Users\Sony Corporation
2008-07-28 17:34:44 0 d-a------ C:\Users\All Users\TEMP
2008-07-28 17:34:44 0 d-------- C:\Program Files\Sony
2008-07-28 17:34:42 0 d-------- C:\Windows\system32\Iosubsys
2008-07-28 17:31:25 0 d-------- C:\Program Files\Common Files\Sony Shared
2008-07-24 11:08:54 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-24 10:59:52 345 --ahs---- C:\Windows\system32\tCccfNpo.ini2
2008-07-24 10:07:02 0 d--h----- C:\$AVG8.VAULT$
2008-07-24 09:35:05 80384 -----n--- C:\Windows\system32\kkarmaeg.dll
2008-07-24 09:29:03 392743 --ahs---- C:\Windows\system32\hQWxyyxx.ini2
2008-07-24 09:23:45 0 d-------- C:\Users\All Users\avg8
2008-07-24 09:23:45 0 d-------- C:\Program Files\AVG
2008-07-23 16:11:15 0 d-------- C:\Program Files\0x90.org
2008-07-23 12:09:34 345 --ahs---- C:\Windows\system32\cLkSAJjl.ini2
2008-07-23 09:51:44 0 d-------- C:\Users\myhorse\AcunetixScanner <ACUNET~1>
2008-07-23 09:51:23 0 d-------- C:\Program Files\Acunetix
2008-07-21 09:49:47 0 d-------- C:\Windows\pss
2008-07-21 09:17:39 0 d-------- C:\Users\All Users\Lavasoft
2008-07-17 13:36:43 0 d-------- C:\Program Files\TeamViewer3
2008-07-17 13:36:28 0 d-------- C:\Users\myhorse\temp
2008-07-17 12:47:22 0 d-------- C:\Program Files\UltraVNC
2008-07-17 11:58:42 0 d-------- C:\Program Files\RealVNC
2008-07-17 09:45:26 58904 --a------ C:\Windows\system32\sysfolderazipcnt.dll
2008-07-17 09:45:26 58904 --a------ C:\Windows\system32\azipcontmn.dll
2008-07-17 09:45:23 0 d-------- C:\Program Files\AlphaZIP
2008-07-14 15:24:11 0 d-------- C:\Users\All Users\Nokia
2008-07-14 15:24:09 0 d-------- C:\Program Files\Common Files\Nokia
2008-07-14 15:23:14 0 d-------- C:\Users\All Users\PC Suite
2008-07-14 15:21:45 0 d-------- C:\Program Files\Common Files\PCSuite
2008-07-14 15:14:12 0 d-------- C:\Program Files\PC Connectivity Solution
2008-07-14 15:10:40 90624 --a------ C:\Windows\system32\nmwcdcls.dll <Not Verified; Nokia; >
2008-07-14 15:10:40 0 d-------- C:\Program Files\Nokia


-- Find3M Report ---------------------------------------------------------------

2008-08-07 09:22:24 0 d-------- C:\Users\myhorse\AppData\Roaming\Skype
2008-08-07 09:10:06 0 d-------- C:\Users\myhorse\AppData\Roaming\Malwarebytes
2008-08-07 08:02:35 0 d-------- C:\Users\myhorse\AppData\Roaming\skypePM
2008-07-31 09:18:29 0 d-------- C:\Program Files\PHP Editor
2008-07-31 08:58:41 0 d-------- C:\Program Files\activePDF
2008-07-31 08:56:40 0 d-------- C:\Program Files\Common Files
2008-07-30 11:44:59 0 d-------- C:\Users\myhorse\AppData\Roaming\LimeWire
2008-07-28 17:48:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-28 17:31:27 0 d-------- C:\Users\myhorse\AppData\Roaming\Sony Corporation
2008-07-23 10:24:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-21 11:00:44 0 d-------- C:\Users\myhorse\AppData\Roaming\Opera
2008-07-17 13:42:39 0 d-------- C:\Users\myhorse\AppData\Roaming\Adobe
2008-07-17 13:36:47 0 d-------- C:\Users\myhorse\AppData\Roaming\TeamViewer
2008-07-17 11:18:25 0 d-------- C:\Users\myhorse\AppData\Roaming\WinRAR
2008-07-14 15:26:01 0 d-------- C:\Users\myhorse\AppData\Roaming\Nokia
2008-07-14 15:23:19 0 d-------- C:\Users\myhorse\AppData\Roaming\PC Suite
2008-07-10 03:09:16 174 --ahs---- C:\Program Files\desktop.ini
2008-07-10 03:00:55 0 d-------- C:\Program Files\Windows Mail
2008-06-26 15:28:09 0 d-------- C:\Program Files\Google
2008-06-25 11:05:13 1160 --a------ C:\Windows\mozver.dat
2008-06-23 16:25:36 0 d-------- C:\Users\myhorse\AppData\Roaming\Macromedia
2008-06-17 14:56:33 0 d-------- C:\Program Files\Macromedia
2008-06-17 14:53:36 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-17 09:10:06 0 d-------- C:\Program Files\ubcam
2008-06-16 17:53:54 0 d-------- C:\Program Files\Softland
2008-06-16 14:16:19 0 d-------- C:\Program Files\Apache Software Foundation
2008-06-13 15:01:52 4874301 --a------ C:\Windows\system32\php5ts.dll <Not Verified; The PHP Group; PHP Script Interpreter>
2008-06-13 15:01:47 2076672 --a------ C:\Windows\system32\libmysql.dll
2008-06-13 13:03:55 0 --a------ C:\Windows\nsreg.dat
2008-06-13 13:03:49 0 d-------- C:\Users\myhorse\AppData\Roaming\Mozilla
2008-06-13 11:22:04 56 --ah----- C:\Windows\system32\ezsidmv.dat
2008-06-13 10:49:13 0 d-------- C:\Users\myhorse\AppData\Roaming\Google
2008-06-13 10:33:55 0 d-------- C:\Program Files\Skype
2008-06-13 10:33:53 0 d-------- C:\Program Files\Common Files\Skype
2008-06-13 09:25:02 0 d-------- C:\Users\myhorse\AppData\Roaming\SmartFTP
2008-06-13 09:24:35 0 d-------- C:\Program Files\SmartFTP Client
2008-06-13 09:23:29 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-06-13 09:17:20 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B0D465E-FC29-4634-88E7-E31D01518F4D}]
C:\Windows\system32\byXNheFw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D076D7-6BD4-4D39-81B2-09A26EB4C3F4}]
C:\Windows\system32\xxyyxWQh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1079574-5D98-4990-9ECB-36AE259CB2C8}]
23/07/2008 12:04 36352 --------- C:\Windows\system32\nNeBtrqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F22F719A-D273-446E-80F6-BE6B207894AF}]
06/08/2008 17:05 246272 --------- C:\Windows\system32\xxyxYsPh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [05/08/2007 19:50]
"RtHDVCpl"="RtHDVCpl.exe" [14/05/2007 10:03 C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [05/08/2007 12:10]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/10/2006 11:37]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [05/11/2006 11:22]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [20/10/2006 17:23]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [15/11/2007 10:24]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [14/12/2004 02:12]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 18:58]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [03/10/2006 11:35]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [30/07/2008 20:07]
"MSServer"="C:\Windows\system32\nNeBtrqp.dll" [23/07/2008 12:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [15/03/2007 12:09]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 12:35]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/05/2008 15:54]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02/11/2006 13:34]
"ares"="C:\Program Files\Ares\Ares.exe" [20/02/2008 15:33]

C:\Users\myhorse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\Apache\bin\ApacheMonitor.exe [18/01/2008 00:38:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1079574-5D98-4990-9ECB-36AE259CB2C8}"= C:\Windows\system32\nNeBtrqp.dll [23/07/2008 12:04 36352]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\xxyxYsPh

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\Windows\pss\Adobe Gamma Loader.exe.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
"C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ubcam]
"C:\Program Files\ubcam\ubcam_gui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-07 09:29:19 ------------
  #11  
Old August 7th, 2008, 01:51 PM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,254
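A small triage script that reads the two log formats posted above (HijackThis O2/O4 lines and the DSS registry dump) and groups every autostart point by the DLL it loads, so that one DLL registered as a BHO, a Run entry via rundll32, a ShellExecuteHook and an LSA authentication package all at once stands out. This is an added example for this thread, not code from HijackThis, DSS, Malwarebytes or the posters; the sample lines are copied from the posted logs with the forum's line-wrapping removed, and the "random-looking 8-letter DLL name" heuristic and the mechanism labels are the example's own assumptions.

```python
"""Log triage helper for HijackThis / Deckard's System Scanner (DSS) output.

Added example for this thread; not part of HijackThis, DSS, Malwarebytes or
the forum post. It looks for the persistence pattern visible in the posted
logs: one DLL in system32 registered at several autostart points at once.
The 8-letter-name heuristic and the mechanism labels are this example's own
assumptions, not anything the tools themselves report.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the posted logs plus the DSS section
# headers they sit under (forum line-wrapping in the post removed).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {4B0D465E-FC29-4634-88E7-E31D01518F4D} - C:\Windows\system32\byXNheFw.dll (file missing)
O2 - BHO: (no name) - {F1079574-5D98-4990-9ECB-36AE259CB2C8} - C:\Windows\system32\nNeBtrqp.dll
O2 - BHO: (no name) - {F22F719A-D273-446E-80F6-BE6B207894AF} - C:\Windows\system32\xxyxYsPh.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nNeBtrqp.dll,#1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1079574-5D98-4990-9ECB-36AE259CB2C8}"= C:\Windows\system32\nNeBtrqp.dll [23/07/2008 12:04 36352]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\xxyxYsPh
"""

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.+)$')
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+\.dll),\s*(?P<export>#?\w+)", re.I)
# Heuristic (assumption of this example): eight letters with no vendor-style
# name, sitting directly in system32, like the DLLs in the posted logs.
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}(?:\.dll)?$", re.I)


def triage(lines):
    """Return a list of (mechanism, dll_path, note) for each suspicious entry."""
    section = ""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                       # DSS registry dump: remember the current key
            section = m.group("key").lower()
            continue
        m = BHO_RE.match(line)
        if m:                       # HijackThis O2: browser helper objects
            path, notes = m.group("path"), []
            if m.group("name") == "(no name)":
                notes.append("BHO registered without a name")
            if RANDOM_DLL_RE.search(path):
                notes.append("random-looking 8-letter DLL name in system32")
            if m.group("missing"):
                notes.append("file missing on disk (stale registration)")
            if notes:
                findings.append(("BHO", path, "; ".join(notes)))
            continue
        m = RUN_RE.match(line)
        if m:                       # HijackThis O4: Run keys loading a DLL via rundll32
            d = RUNDLL_RE.search(m.group("cmd"))
            if d:
                findings.append(("Run/rundll32", d.group("dll"),
                                 f"{m.group('hive')} Run '{m.group('name')}' "
                                 f"calls export {d.group('export')} of a DLL"))
            continue
        m = VALUE_RE.match(line)
        if m and "shellexecutehooks" in section:
            path = m.group("data").split(" [")[0].strip()   # drop DSS date/size suffix
            findings.append(("ShellExecuteHooks", path,
                             "hook DLL loaded into every process that calls ShellExecute"))
        elif m and section.endswith("\\lsa") and m.group("name") == "Authentication Packages":
            for pkg in m.group("data").split():
                if pkg.lower() != "msv1_0":                 # msv1_0 is the Windows default
                    findings.append(("LSA AuthPkg", pkg,
                                     "non-default authentication package loaded by lsass"))
    return findings


def correlate(findings):
    """Group mechanisms by DLL (case-insensitive, with or without .dll)."""
    by_dll = defaultdict(set)
    for mechanism, path, _ in findings:
        key = path.lower()
        if key.endswith(".dll"):
            key = key[:-4]
        by_dll[key].add(mechanism)
    return {k: sorted(v) for k, v in by_dll.items()}


def multi_point(by_dll, minimum=2):
    """DLLs registered at `minimum` or more autostart points at once."""
    return {k: v for k, v in by_dll.items() if len(v) >= minimum}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for mechanism, path, note in found:
        print(f"{mechanism:18} {path}  ({note})")
    print("\nRegistered at several points:")
    for dll, mechanisms in multi_point(correlate(found)).items():
        print(f"  {dll}: {', '.join(mechanisms)}")
```

The useful output is the last grouping: a DLL that a removal tool deletes from one autostart point but not the others gets reloaded on the next boot, which is one reason a single pass can leave the entries the moderator asks to see again. The LSA "Authentication Packages" check only treats msv1_0 as expected; a machine with a legitimate third-party package would need that list extended.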
Was a bit of a delay. The results are not quite as thorough as I had anticipated from the Malwarebytes scan. I am assuming you did reboot when prompted, right?


To be sure here, open Malwarebytes again and do an update.
* Once the program has loaded, select "Perform Complete Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

============================

Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe" /config

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

System Restore
Temp Cleanup
Process Modules

Then under Extra Log, uncheck all the boxes except this one:

Security Center

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

Post that along with the Malwarebytes log please.