System Volume Information??
My PC HDD as well as my external HDD have this folder. It's hidden and I can't open it, but recently AntiVir Guard has informed me of detecting a virus in the following folder:
K:\System Volume Information\_restore{1563BD03-5F95-4B27-B1CE-DF9B6E8AB96D}\RP244\A0067690.exe
And marked it out as the following Trojan:
TR/VB.aqt
This isn't the first time it has detected this, though it is the first time in quite a few months. The question I'd like to know is: is the System Volume Information folder supposed to be there? I've yet to come across a folder that is on my hard disk but can't be opened. Is it a Trojan virus? I've been getting this virus quite recently, a low-risk trojan that adds Recycler and Recycled folders to my hard disks and overwrites the Open command in my R-click menu to Open(0). I've deleted the autorun.ini files and Recycled/Recycler folders and solved the Open(0) problem, but is this part of it too?
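The post describes a trojan that drops autorun files and RECYCLER/Recycled folders on each drive and replaces the Open entry in the right-click menu. As an added example that is not part of the thread, the Python script below parses an autorun.inf in its documented INI format and flags the entries that launch a program, point into a RECYCLER/Recycled folder, or relabel a context-menu verb as Open; the input is a constructed sample modelled on those symptoms, and RECYCLER\sample_payload.exe is a placeholder name, not the real file.

```python
import re

# Constructed sample autorun.inf modelled on the symptoms described in the post
# (not the real file from the infected drives). RECYCLER\sample_payload.exe is a
# placeholder name.
SAMPLE_AUTORUN = r"""
[autorun]
; constructed sample
open=RECYCLER\sample_payload.exe
shell\open=Open(0)
shell\open\command=RECYCLER\sample_payload.exe
shell\explore\command=RECYCLER\sample_payload.exe -e
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Documented [autorun] keys that launch a program when the drive is inserted
# or opened; the shell\<verb>\command keys are matched by pattern below.
EXEC_KEYS = ("open", "shellexecute")
RECYCLER_RE = re.compile(r"\brecycle[rd]\b", re.IGNORECASE)


def parse_autorun_inf(text):
    """Minimal INI parser: returns {section: {key: value}} with lowercase names.

    autorun.inf is case-insensitive and uses backslashes inside key names
    (shell\open\command), so keys are lowered but otherwise left intact.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(text):
    """Return a list of (key, value, reason) for [autorun] entries worth a look.

    Three checks, each tied to a symptom from the post: the entry launches a
    program, its target sits in a RECYCLER/Recycled folder, or it relabels a
    context-menu verb so the entry masquerades as Open.
    """
    entries = parse_autorun_inf(text).get("autorun", {})
    findings = []
    for key, value in entries.items():
        reasons = []
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb_command:
            reasons.append("launches a program on insertion or from the context menu")
        if RECYCLER_RE.search(value):
            reasons.append("target lives in a RECYCLER/Recycled folder")
        if key.startswith("shell\\") and not is_verb_command and "open" in value.lower():
            # shell\<verb>=<label> sets the text shown for that verb in the right-click menu
            reasons.append("relabels a context-menu verb as Open")
        if reasons:
            findings.append((key, value, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, value, reason in triage_autorun(SAMPLE_AUTORUN):
        print(f"{key}={value}\n    -> {reason}")
```

A clean autorun.inf that only sets icon and label produces no findings, so the script can be run over every drive root without drowning in noise.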
Please Download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Logfile of HijackThis v1.99.1
Scan saved at 10:09:31 AM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} (CSViewer Control) - http://210.24.116.110:8080/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8842474-7D8D-4371-9462-79560AC4808D}: NameServer = 218.186.1.58,218.186.1.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
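A HijackThis log is a flat list of prefixed entries (R0, O2, O4, O16, O17, O23 and so on) that helpers triage by eye. As an added example that is not part of the thread, the following Python parser reads that format and applies three of the checks a helper would make on the log above: O16 ActiveX controls fetched from a bare IP address, O17 DNS server entries to verify against the ISP, and O23 services with no vendor name. The sample lines are copied from the log above; the header lines are a constructed stand-in for the full log.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99 log format; the entry lines are
# copied from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} (CSViewer Control) - http://210.24.116.110:8080/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8842474-7D8D-4371-9462-79560AC4808D}: NameServer = 218.186.1.58,218.186.1.88
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt_log(text):
    """Split a HijackThis log into (running_processes, entries).

    entries is a list of (section_code, body) tuples in log order; header
    lines are ignored and the path list under "Running processes:" is kept
    separately because those lines carry no section prefix.
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def _is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def review_entries(entries):
    """Apply a few of the checks a helper makes by eye.

    Returns a list of (section_code, reason, body). Nothing here proves an
    entry is malicious; each finding is a prompt to verify the item.
    """
    findings = []
    for section, body in entries:
        if section == "O16":
            # O16 - DPF: {CLSID} (Name) - <download URL or local path>
            source = body.rsplit(" - ", 1)[-1].strip()
            url = urlparse(source)
            if url.scheme in ("http", "https") and _is_bare_ip(url.hostname or ""):
                findings.append((section, "ActiveX control downloaded from a bare IP address", body))
        elif section == "O17" and "NameServer =" in body:
            # O17 lists the DNS servers configured on an interface; they should be the ISP's.
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
            findings.append((section, "DNS servers to verify against the ISP: " + ", ".join(servers), body))
        elif section == "O23" and " - Unknown owner - " in body:
            # HijackThis prints "Unknown owner" when the service binary carries no company name.
            findings.append((section, "service binary without a vendor name", body))
    return findings


if __name__ == "__main__":
    procs, items = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(procs)} running processes, {len(items)} entries")
    for code, reason, body in review_entries(items):
        print(f"[{code}] {reason}\n    {body}")
```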
I've got Ad-Aware, Spybot-SD and SpywareBlaster all running. Ad-Aware & Spybot scans show nothing though. The Recycler folder keeps appearing back again, I think whenever I open my IE (this is just a guess). I was using my IE to access pandascan. I'm using Firefox as my browser. Here's the Panda Activescan results:
Incident Status Location
Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/elitebar Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Adware:adware/block-checker Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\cookies.txt[.go.com/]
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Documents and Settings\Administrator\My Documents\Program Installers\sysreset253.exe[addons\moo.dll]
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Program Files\mIRC\MiRCfullPro\system\dll\moo.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\sysreset\addons\moo.dll
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected K:\Anime\sysreset253.exe[addons\moo.dll]
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected K:\sysreset\addons\moo.dll
K drive is my external HDD.
Kaspersky On-line Scanner
When you are prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files.
When the files finish downloading, click on NEXT.
Now click on Scan Settings
In Scan Settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This program will start and scan your system.
Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
When the scan has completed, it will display whether your system has been infected or not.
Click on the Save as Text button:
Save the file to your desktop or another folder where you can locate it later.
Attach this file to your next message.
Please Post a Fresh HJT-Log & Kaspersky Report
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 25, 2007 6:59:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/01/2007
Kaspersky Anti-Virus database records: 247123
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\
Scan Statistics:
Total number of scanned objects: 145198
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:06:09
Infected Object Name / Virus Name / Last Action
C:\Anime\Shuffle! Memories\[Ayako] Shuffle! Memories 03 (XVID 768x432) [2C3C1EE8].avi.torrent Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007012520070126\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1563BD03-5F95-4B27-B1CE-DF9B6E8AB96D}\RP246\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\XXX.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT07a12.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT07a16.TMP Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
Scan process completed.
New HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:00:18 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} (CSViewer Control) - http://210.24.116.110:8080/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8842474-7D8D-4371-9462-79560AC4808D}: NameServer = 218.186.1.58,218.186.1.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
@echo off
REM find.bat: list the top-level folders under Program Files and open the list in Notepad.
REM cd /d switches drive as well as directory, so the script works from any drive.
cd /d "%ProgramFiles%"
REM /AD = directories only, /B = bare names, one per line. The original /P (pause per
REM screenful) is dropped because the output goes to a file, not the screen.
DIR /AD /B > ProgramFiles.txt
start ProgramFiles.txt
cls
exit
Double click find.bat and let it run for a minute. It will open up a report in notepad. Please copy that text and post it here in your next reply.
3DO
Ace Zip
Adobe
ADSL Utility
Ahead
Alcohol Soft
Alias
Altova
AnMing
AntiVir PersonalEdition Classic
Apache Group
ATI Technologies
Combined Community Codec Pack
Common Files
Creative
Cryo
CyberLink
D-Tools
Dante's Card Maker
Diablo
Diablo II
directx
Doom 3
DOSBox-0.63
e-Games
EA Games
ewido anti-malware
Firaxis Games
GameShadow
GIGABYTE
GLOBEtrotter Software Inc
Google
Guild Wars
Hijackthis
InstallShield Installation Information
Intel
InterActual
Internet Explorer
Java
KlipFolio
Lavasoft
LitexMedia
Macromedia
Magic Workstation
Marvell
Messenger
MicroProse
Microsoft ActiveSync
Microsoft AntiSpyware
Microsoft Games
Microsoft Office
Microsoft Visual Studio
mIRC
Motherboard Monitor 5
Movie Maker
Mozilla Firefox
MSN
MSN Apps
MSN Gaming Zone
MSN Messenger
MSN Toolbar
MSXML 4.0
Navel
NetMeeting
Nexon
Nokia
Online Services
Oracle
Outlook Express
QuickTime
Rainbow Technologies
Real
Realtek
Sierra
Sierra On-Line
Sonic Foundry
Sports Interactive
Spybot - Search & Destroy
SpywareBlaster
Starcraft
Traction Software
Uninstall Information
uTorrent
VideoLAN
Warcraft III
Winamp
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
winupdates
WinZip
Wizards of the Coast
WMV9_VCM
XAudioTools
Xinox Software
XviD
Yahoo!
Zone Labs
Please do this:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
µTorrent
2d3 SteadyMove for Adobe Premiere Pro
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Premiere Pro
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8
ADSL Utility
Apache HTTP Server 2.0.55
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
Audio Conversion Wizard 1.8
Autodesk DirectConnect 2.0
Avira AntiVir PersonalEdition Classic
Combined Community Codec Pack 2005-09-23 (Remove Only)
Command & Conquer Generals
Creative System Information
Creative Zen Neeon (512MB, 1GB, 2GB)
DAEMON Tools
Dante's Card Maker
Diablo
Direct Show Ogg Vorbis Filter (remove only)
Director 8.5 Shockwave Studio
DivX
DivX Player
DriverCD
ewido anti-malware
Flash Player Update for Flash 8
Football Manager 2007
GLOBEtrotter FLEXid Drivers
Google Earth
Google Toolbar for Internet Explorer
Guild Wars
Heroes of Might and Magic III Complete
Heroes of Might and Magic® IV
High Definition Audio Driver Package - KB835221
Hijackthis 1.99.1
HijackThis 1.99.1
Homeworld
Homeworld2
InterActual Player
J2ME Wireless Toolkit 2.2
J2SE Development Kit 5.0 Update 4
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_11
Java 2 SDK, SE v1.4.2_05
JCreator LE 3.50
Kaspersky Online Scanner
Lavasoft VX2 Cleaner
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia FreeHand 10
Magic Workstation 0.94f
Marvell Miniport Driver
Maya 8.0
Maya 8.0 Documentation (en_US)
MechWarrior 3
MechWarrior 3 Pirate's Moon
Microsoft .NET Framework 1.1
Microsoft AppLocale
Microsoft Office XP Professional with FrontPage
Microsoft Visio Professional 2002 [English]
Microsoft Windows Application Compatibility Database
Microsoft Windows Media Video 9 VCM
mIRC
Mozilla Firefox (1.5.0.9)
MP3 To Ringtone Gold 3.16
MSN Toolbar
MSXML 4.0 SP2 Parser and SDK
MTG GamePack for Magic Workstation
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
O2Jam (e-Games) v.3.50
Panda ActiveScan
PowerDVD
Really?Really!
RealPlayer
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Sentinel System Driver
Sentinel System Driver
Shattered Galaxy 1.74
Sid Meier's Pirates!
Sonic Foundry Sound Forge 6.0
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Starcraft
Tick! Tack!
Total Commander (Remove or Repair)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
VideoLAN VLC media player 0.8.1
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
Yahoo! Anti-Spy
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm
The RECYCLER hidden folder reappears inside my C drive from time to time, even when I've deleted the autorun.ini file. I'm deleting it every time I see it. Just hope this can be solved soon.
And save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply.
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
"Administrator" - 07-01-28 18:15:49 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Administrator"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\INSTALL.LOG
C:\Program Files\winupdates
((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))
2007-01-26 00:15 90 --a C:\find.bat
2007-01-24 10:09 <DIR> d C:\Program Files\Hijackthis
2007-01-22 19:56 <DIR> d C:\Program Files\EA Games
2007-01-09 20:42 <DIR> d C:\DOCUME~1\ADMINI~1\Downloaded Files
2007-01-09 20:41 <DIR> d C:\DOCUME~1\ADMINI~1\.SunDownloadManager
2007-01-09 20:39 <DIR> d C:\WTK22
2007-01-09 20:39 <DIR> d C:\WINDOWS\system32\Temp
2007-01-06 10:36 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\MSNInstaller
2007-01-06 10:30 <DIR> d C:\DOCUME~1\ADMINI~1\Contacts
2007-01-06 10:29 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-12-30 23:16 <DIR> d C:\temp
2006-12-30 20:34 5,248 --a C:\WINDOWS\system32\drivers\Vax347s.sys
2006-12-30 20:34 159,616 --a C:\WINDOWS\system32\drivers\Vax347b.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-28 18:19 d C:\DOCUME~1\ADMINI~1\Application Data\utorrent
2007-01-28 17:57 d C:\Program Files\mozilla firefox
2007-01-28 08:02 d C:\Program Files\antivir personaledition classic
2007-01-28 08:00 d--h C:\Program Files\installshield installation information
2007-01-26 00:15 1328 --a C:\Program Files\programfiles.txt
2007-01-24 08:46 d C:\Program Files\utorrent
2007-01-24 08:35 d C:\Program Files\ewido anti-malware
2007-01-24 08:34 d C:\Program Files\d-tools
2007-01-24 00:09 d C:\Program Files\spywareblaster
2007-01-16 15:39 d C:\Program Files\warcraft iii
2007-01-09 20:50 d C:\Program Files\java
2007-01-06 10:29 d C:\Program Files\msn messenger
2007-01-03 16:58 d C:\Program Files\winamp
2006-12-31 20:51 d C:\Program Files\microsoft games
2006-12-25 15:01 d C:\Program Files\firaxis games
2006-12-25 12:10 d C:\DOCUME~1\ADMINI~1\Application Data\my games
2006-12-22 22:03 d C:\Program Files\mirc
2006-12-22 16:34 d C:\Program Files\diablo
2006-12-20 19:55 d C:\Program Files\dante's card maker
2006-12-20 18:59 764416 --a C:\WINDOWS\gpinstall.exe
2006-12-16 22:42 d C:\Program Files\magic workstation
2006-12-15 07:44 34304 --a C:\WINDOWS\system32\drivers\avgntdd.sys
2006-12-15 07:44 14848 --a C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-12-14 20:57 d C:\Program Files\sports interactive
2006-12-13 14:43 d C:\Program Files\navel
2006-12-11 17:01 39336 --a C:\DOCUME~1\ADMINI~1\Application Data\gdipfontcachev1.dat
2006-12-11 01:57 d C:\DOCUME~1\ADMINI~1\Application Data\adobe
2006-12-10 21:30 d C:\Program Files\dosbox-0.63
2006-12-10 21:13 d C:\DOCUME~1\ADMINI~1\Application Data\adobeum
2006-11-06 16:41 6656 --a C:\WINDOWS\system32\haspvdd.dll
2006-11-06 16:41 383 --a C:\WINDOWS\system32\haspdos.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Webshots.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Webshots.lnk"
"backup"="C:\\WINDOWS\\pss\\Webshots.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\Webshots\\Launcher.exe /t"
"item"="Webshots"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\Xfire\\Xfire.exe "
"item"="Xfire"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Monitor Apache Servers.lnk"
"backup"="C:\\WINDOWS\\pss\\Monitor Apache Servers.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\APACHE~1\\Apache2\\bin\\APACHE~1.EXE "
"item"="Monitor Apache Servers"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAP"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAudPropShortcut"
"hkey"="HKLM"
"command"="HDAudPropShortcut.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMEKRMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KlipFolio"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KlipFolio\\KlipFolio.exe\" /BOOT"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchApplication"
"hkey"="HKLM"
"command"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdS7_0_8 -reboot 1"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=dword:00000002
"SharedAccess"=dword:00000002
"OracleServiceNARU"=dword:00000002
"StarWindService"=dword:00000002
"WZCSVC"=dword:00000002
"OracleServiceBEN"=dword:00000002
"OracleOraHome92TNSListener"=dword:00000002
"MySql"=dword:00000002
"Apache2"=dword:00000002
"Adobe LM Service"=dword:00000003
"wuauserv"=dword:00000002
"wscsvc"=dword:00000002
"helpsvc"=dword:00000002
"TapiSrv"=dword:00000003
"ATI Smart"=dword:00000002
"Ati HotKey Poller"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{090a5c4f-112c-11db-a80c-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0f39e98b-8ad7-11da-af9a-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fe1fdfd-b1d6-11da-9b4f-806d6172696f}]
Shell\AutoRun\command D:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11f39701-6e39-11da-b60d-806d6172696f}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15561f3f-3a16-11db-bb9b-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16af360b-8fa2-11da-996a-806d6172696f}]
Shell\AutoRun\command D:\SETUP.EXE
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{16d1f7bf-4dc8-11db-85ea-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1879469b-0a83-11db-8ef9-806d6172696f}]
Shell\AutoRun\command D:\OblivionLauncher.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d2b68bf-0cde-11db-8a72-806d6172696f}]
Shell\AutoRun\command D:\OblivionLauncher.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1d443d99-5be0-11db-8f3e-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{278832e5-4fa3-11db-9f4e-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2a0e1c19-58d6-11db-90ab-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f28bae5-f965-11da-adf2-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{33fe0db1-9f62-11da-9d9a-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{347e6bcb-887b-11da-a07c-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3704b7e5-7509-11da-b3ec-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3d10d257-c380-11da-94ac-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f634f75-2fdd-11db-ae79-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f6589b1-8e39-11da-ba4e-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f97d63f-395d-11db-8f20-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45573665-0203-11db-8bd3-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45e74e0b-8ce9-11da-8ce1-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45e74e0d-8ce9-11da-8ce1-806d6172696f}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a08a9b2-a851-11da-9410-806d6172696f}]
Shell\AutoRun\command E:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4bf1973f-fd4f-11da-8e5c-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50e03fb1-a120-11da-90eb-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{54fdb631-99d8-11da-93b8-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{582233b1-c064-11da-a015-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a8c9387-9c31-11da-b005-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5d209335-7020-11da-8cc7-806d6172696f}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6589393f-355f-11db-b917-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{775f083f-2c52-11db-bcf7-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{791ca219-0695-11db-a1c5-806d6172696f}]
Shell\AutoRun\command D:\OblivionLauncher.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a503431-9cf8-11da-b592-806d6172696f}]
Shell\AutoRun\command D:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b66a225-e595-11da-9f75-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{80df3ed7-a725-11da-b305-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{83871057-a382-11da-a614-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87be70b1-c209-11da-a287-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{99a8459b-8504-11da-9929-806d6172696f}]
Shell\AutoRun\command D:\Cryo.exe -s Software\cryo\Millennium Racer\1.00 -f index.htm -i setup.exe -R MRacer.exe -hd MRacer.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9a97c4b1-9136-11da-ba55-806d6172696f}]
Shell\AutoRun\command D:\SETUP.EXE
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e35a5d1-6d41-11da-994d-000fea866a45}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab9b543f-30aa-11db-9987-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b31dfd9b-735b-11da-90f8-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bfd7b0a5-e98e-11da-9cac-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0a06127-6db6-11da-9451-806d6172696f}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2ccbd57-c786-11da-8af7-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c51798bf-5995-11db-86e6-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d4054657-cc2c-11da-a88b-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5ff290b-91fc-11da-987e-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d9e7548d-861b-11da-a0f5-806d6172696f}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dbc55a65-e402-11da-b6e8-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e0c9b357-c450-11da-8973-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e844a959-1fa7-11db-ae6d-806d6172696f}]
Shell\AutoRun\command D:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ea1a8efa-6e30-11db-ad2f-000fea866a45}]
Shell\1\Command H:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command H:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eafa323f-425d-11db-8b0d-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed1630ff-0d42-11db-9e4c-806d6172696f}]
Shell\AutoRun\command D:\OblivionLauncher.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f797288d-7f4e-11da-a39e-806d6172696f}]
Shell\AutoRun\command F:\autorun.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc58ff0b-bfc8-11da-a70d-806d6172696f}]
Shell\AutoRun\command D:\_AUTORUN\AUTORUN.EXE
Shell\instDX\command D:\directX\dxsetup.exe
Shell\readme\command notepad readme.txt
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd547fd9-2e63-11db-b87d-806d6172696f}]
Shell\AutoRun\command D:\autoplay.exe
Completion time: 07-01-28 18:20:06
Again, the Recycler Folder appeared again. Deleted it yet again. Just to let you know.
Logfile of HijackThis v1.99.1
Scan saved at 9:31:13 AM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} (CSViewer Control) - http://210.24.116.110:8080/CSViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8842474-7D8D-4371-9462-79560AC4808D}: NameServer = 218.186.1.58,218.186.1.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Folder appeared again. Deleted. While waiting for your reply I ran the ewido anti-malware scan and deleted the following:
ewido anti-malware - Scan report
+ Created on: 10:59:20 AM, 1/29/2007
+ Report-Checksum: 6F791490
+ Scan result:
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gqqlgx8c.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Shuffle Game\[18+] Shuffle! Hentai Game\ohthk10.zip/util/rlivepch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup
C:\Shuffle Game\[18+] Shuffle! Hentai Game\ohthk10.zip/util/rUGP54010pch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup
C:\Shuffle Game\[18+] Shuffle! Hentai Game\util\rlivepch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup
C:\Shuffle Game\[18+] Shuffle! Hentai Game\util\rUGP54010pch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup
::Report End
Kaspersky On-line Scanner
When you are prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
When the files finish downloading, click on NEXT.
Now click on Scan Settings.
In Scan Settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Now, under Select a target to scan:
Select My Computer.
This program will start and scan your system.
Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
When the scan has completed, it will display whether your system has been infected or not.
Click on the Save as Text button:
Save the file to your desktop or another folder where you can locate it later.
Attach this file to your next message.
Please Post a Fresh HJT-Log & Kaspersky Report
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 01, 2007 12:25:04 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/01/2007
Kaspersky Anti-Virus database records: 248959
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
I:\
Scan Statistics:
Total number of scanned objects: 145562
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:39:36
Infected Object Name / Virus Name / Last Action
Scan process completed.
Let me know how things are running
Also, for the ActiveX files that Pandascan has installed on my PC, my AVG picked up a file called bumblebee and classified it as a trojan. What should I do about it?
Now, turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.
Turn on System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.
Click Create a Restore Point, and then click Next.
Name your restore point.
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure.
Use ATF Cleaner
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use AVG Anti-Spyware
Update it and scan your computer regularly with it.
Use CCleaner
It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space.
Install SpywareBlaster
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file
This prevents your computer from connecting to harmful sites.
Use Firefox browser
Firefox is a faster, safer and better browser than Internet Explorer.
Keep your system up-to-date
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Please let me know how things are running.
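The same flush-and-recreate sequence for System Restore, scripted as an added example that is not part of the original thread: it assumes a modern client Windows with Windows PowerShell 5.1 run as Administrator (the thread's own GUI steps are the ones for Windows XP, which has no PowerShell), and the drive letter and restore point description are placeholders.

```powershell
# Added example (not from the original thread). Flushes cached restore points,
# which can hold a copy of an infected file under System Volume Information\_restore*,
# then creates a clean baseline. Requires an elevated Windows PowerShell 5.1 session.
#Requires -RunAsAdministrator

$drive = 'C:\'   # assumption: the system drive; repeat for any other protected volume

# 1. Show what is currently cached before anything is discarded.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description, RestorePointType -AutoSize

# 2. Turning protection off for a drive discards every existing restore point on it,
#    the same effect as "Turn off System Restore" in the XP dialog.
Disable-ComputerRestore -Drive $drive

# 3. Turn protection back on so new checkpoints can be taken again.
Enable-ComputerRestore -Drive $drive

# 4. Create a fresh baseline now that the scans come back clean.
#    Note: on Windows 8 and later, Checkpoint-Computer creates at most one restore
#    point per 24 hours unless SystemRestorePointCreationFrequency is lowered.
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType 'MODIFY_SETTINGS'

# 5. Confirm that only the new baseline remains.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
```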
This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead