Problem with some spyware

It started when I downloaded a torrent from Mininova that was filled with viruses and certain spyware programs; of course Norton Antivirus couldn't detect any of them.

I downloaded AVG and ran it; it found around 30+ viruses/trojans. Ran Spybot and found a lot of malware and removed that as well. When I try to run Ad-Aware, during the deep registry scan I get a blue screen and the computer reboots instantly before I can read anything.

I wouldn't mind this normally, but there's an additional problem: after I got the malware on my computer there are certain websites I can't visit, or certain parts of a website. For example, I can visit google.com but I can't search; when I click the search button it just stops responding, like I lost the internet connection. It seems the problem is only while browsing; same with Firefox/Internet Explorer on the same websites.

I can play games online with no problems and also host Ventrilo servers with no problems. And it's always the same websites or the same parts of them. Anyone got any idea what this could be?

Comments

  • edited April 2008
    Welcome to Icrontic Spectral10,

    Even going to the Mininova website is risky enough, but downloading anything from there is a guarantee of infection at some point. Icrontic does not assist in situations where the presence or use of illegal software is involved, and it does sound like you were actively doing some downloading of perhaps cracked versions for all of what you describe to occur. If so, I can offer that your system is still infected, and scans like those you describe will not correct that. You will need to reformat and reinstall the operating system to remove the infection.

    If you were not stealing software, and none is on the system that might show in subsequent scans we do here (check some other request threads to get an idea of those), then let me know and we can take a more detailed look at things there.
  • edited April 2008
    Just 'cause I used Mininova I'm a pirate? Okay...

    Anyhow, here's the HijackThis log from my computer; I couldn't make any sense of it :/
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:59:13, on 13.04.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe
    C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programfiler\NetLimiter 2 Lite\nlsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDCountdown.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\DynDNS Updater\DynDNS.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDPOP3.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDMedia.exe
    D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    C:\Programfiler\NetLimiter 2 Lite\NLClient.exe
    F:\PROGRA~2\MOZILL~1\FIREFOX.EXE
    C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programfiler\WC3Banlist\WC3Banlist.exe
    F:\Programfiler\Winamp\winamp.exe
    C:\Programfiler\VentSrv\ventrilo_srv.exe
    C:\Programfiler\Ventrilo\Ventrilo.exe
    C:\Programfiler\Windows Live\Messenger\msnmsgr.exe
    C:\Programfiler\Windows Live\Messenger\usnsvc.exe
    C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: (no name) - {01a33d85-4706-452a-b71a-99510ada8c0c} - C:\WINDOWS\system32\opnonoPG.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: {d79b04f0-b1e7-cb9a-e454-9a4a8dc88597} - {79588cd8-a4a9-454e-a9bc-7e1b0f40b97d} - C:\WINDOWS\system32\rnnfelpg.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {f51b76a3-16d5-4be9-a08f-f58fa41af3e2} - C:\WINDOWS\system32\mlJCUoOG.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [XboxStat] "C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [advap32] c:\ncolyrif.exe/r
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1645.exe 61A847B5BBF72813349F3D466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BM4f2258fc] Rundll32.exe "C:\WINDOWS\system32\lfnesmrr.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DynDNS Updater] "C:\Programfiler\DynDNS Updater\DynDNS.exe"
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - .DEFAULT Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe (User 'Default user')
    O4 - .DEFAULT Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe (User 'Default user')
    O4 - Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    O4 - Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196863513979
    O20 - Winlogon Notify: opnonoPG - opnonoPG.dll (file missing)
    O20 - Winlogon Notify: wlctrl32 - WLCtrl32.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatisk LiveUpdate-planlegging - Unknown owner - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programfiler\NetLimiter 2 Lite\nlsvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programfiler\WinPcap\rpcapd.exe

    --
    End of file - 9090 bytes
  • edited April 2008
    Just 'cause I used Mininova I'm a pirate?

    No, Mininova use just says you take risks on downloads, and logs showing the gaming tweaks usually also suggest that. The software theft point is just to let you know upfront that all assistance ends if that becomes evident in these log files.

    Infection is showing, so let's start repairs.

    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Download SDFix.exe and save it to your desktop.

    Then disconnect from net access. If cable/DSL, physically disconnect the modem cable; if dial-up, disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads, the Fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot, reconnect to net access and download Malwarebytes' Anti-Malware from Here or Here.

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    ============================

    Then Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post those along with the MBAM log and the SDFix report.txt log please.
  • edited April 2008
    Here's the report.txt log to begin with at least, from the SDFix program:


    SDFix: Version 1.171
    Run by Administrator on 14.04.2008 at 10:42

    Microsoft Windows XP [Versjon 5.1.2600]
    Running From: C:\sdfiks\SDFix

    Checking Services :

    Name:
    zeqbqwp

    Path:
    \??\C:\WINDOWS\zeqbqwp.sys

    zeqbqwp - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\CBOCR.DLL - Deleted
    C:\127621~1 - Deleted
    C:\WINDOWS\zeqbqwp.sys - Deleted



    Folder C:\Programfiler\Helper - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 10:44:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"="C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\SPILL\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\SPILL\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
    "C:\\SPILL\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\SPILL\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
    "D:\\spill\\Battlefield 2\\BF2.exe"="D:\\spill\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
    "C:\\Programfiler\\uTorrent\\uTorrent.exe"="C:\\Programfiler\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
    "D:\\spill\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\spill\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Programfiler\\Bonjour\\mDNSResponder.exe"="C:\\Programfiler\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Programfiler\\iTunes\\iTunes.exe"="C:\\Programfiler\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "D:\\spill\\Neverwinter Nights 2\\nwn2main.exe"="D:\\spill\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
    "D:\\spill\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="D:\\spill\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
    "D:\\spill\\Neverwinter Nights 2\\nwupdate.exe"="D:\\spill\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
    "D:\\spill\\Neverwinter Nights 2\\nwn2server.exe"="D:\\spill\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
    "D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx9.exe"="D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9"
    "D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx10.exe"="D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10"
    "D:\\spill\\Assassin's Creed\\AssassinsCreed_Launcher.exe"="D:\\spill\\Assassin's Creed\\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update"
    "C:\\Programfiler\\Grisoft\\AVG7\\avginet.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Programfiler\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Programfiler\\Grisoft\\AVG7\\avgcc.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Programfiler\\Grisoft\\AVG7\\avgemc.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\VENT 2.1\\ventrilo_srv.exe"="C:\\VENT 2.1\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
    "F:\\Programfiler\\Valve\\Steam\\SteamApps\\pop-dog@online.no\\team fortress 2\\hl2.exe"="F:\\Programfiler\\Valve\\Steam\\SteamApps\\pop-dog@online.no\\team fortress 2\\hl2.exe:*:Enabled:hl2"
    "C:\\Documents and Settings\\Cr33p\\Lokale innstillinger\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\Cr33p\\Lokale innstillinger\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Symantec Removal Utility"
    "D:\\spill\\Warcraft III\\war3.exe"="D:\\spill\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
    "C:\\Programfiler\\VentSrv\\ventrilo_srv.exe"="C:\\Programfiler\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"="C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\sdfiks\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 11 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 7 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 24 Mar 2008 211,968 A..H. --- "C:\Documents and Settings\Cr33p\Lokale innstillinger\Temp\~1D.tmp"
    Thu 13 Mar 2008 209,408 A..H. --- "C:\Documents and Settings\Cr33p\Lokale innstillinger\Temp\~2E.tmp"
    Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4844df1d57a292079101da42a26d7d72\BITE.tmp"
    Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BITF.tmp"

    Finished!
  • edited April 2008
    C:\sdfiks\SDFix\backups\backups.zip

    Changing the procedures changes outcomes. A handy cleanup tool we can use in the end to remove much of what we add will not know to find "sdfiks".

    Post the rest of the logs, and let's keep going with the repairs.
  • edited April 2008
    From DSS main.txt

    Deckard's System Scanner v20071014.68
    Run by Cr33p on 2008-04-14 11:51:30
    Computer is in Normal Mode.

    Backed up registry hives.



    -- HijackThis (run as Cr33p.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:48, on 14.04.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Programfiler\NetLimiter 2 Lite\nlsvc.exe
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe
    C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDCountdown.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDPOP3.exe
    C:\Programfiler\DynDNS Updater\DynDNS.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDMedia.exe
    C:\Programfiler\NetLimiter 2 Lite\NLClient.exe
    D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    F:\Programfiler\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Cr33p\skrivebord\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Cr33p.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: {d79b04f0-b1e7-cb9a-e454-9a4a8dc88597} - {79588cd8-a4a9-454e-a9bc-7e1b0f40b97d} - C:\WINDOWS\system32\rnnfelpg.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {f51b76a3-16d5-4be9-a08f-f58fa41af3e2} - C:\WINDOWS\system32\mlJCUoOG.dll (file missing)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [XboxStat] "C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DynDNS Updater] "C:\Programfiler\DynDNS Updater\DynDNS.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe (User 'Default user')
    O4 - .DEFAULT Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe (User 'Default user')
    O4 - Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    O4 - Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196863513979
    O20 - Winlogon Notify: opnonoPG - opnonoPG.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatisk LiveUpdate-planlegging - Unknown owner - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programfiler\NetLimiter 2 Lite\nlsvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programfiler\WinPcap\rpcapd.exe

    --
    End of file - 8919 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080413-005604-489 O23 - Service: iPod Service - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
    backup-20080413-005604-572 O23 - Service: Bonjour Service - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S0 cay55 - c:\windows\system32\drivers\cay55.sys (file missing)
    S0 cem66 - c:\windows\system32\drivers\cem66.sys (file missing)
    S0 dve66 - c:\windows\system32\drivers\dve66.sys (file missing)
    S0 fve66 - c:\windows\system32\drivers\fve66.sys (file missing)
    S0 iyx33 - c:\windows\system32\drivers\iyx33.sys (file missing)
    S0 lct55 - c:\windows\system32\drivers\lct55.sys (file missing)
    S0 oyq44 - c:\windows\system32\drivers\oyq44.sys (file missing)
    S0 pvr55 - c:\windows\system32\drivers\pvr55.sys (file missing)
    S0 sxw11 - c:\windows\system32\drivers\sxw11.sys (file missing)
    S0 wud00 - c:\windows\system32\drivers\wud00.sys (file missing)
    S3 catchme - c:\docume~1\cr33p\lokale~1\temp\catchme.sys (file missing)
    S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
    S3 RivaTuner32 - f:\programfiler\rivatuner v2.05\rivatuner32.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apple Mobile Device - "c:\programfiler\fellesfiler\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 ForceWare Intelligent Application Manager (IAM) - c:\programfiler\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
    R2 nlsvc (NetLimiter) - "c:\programfiler\netlimiter 2 lite\nlsvc.exe" <Not Verified; Locktime Software; NetLimiter 2 Lite>

    S2 Automatisk LiveUpdate-planlegging - "c:\programfiler\symantec\liveupdate\aluschedulersvc.exe" (file missing)
    S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\programfiler\winpcap\rpcapd.exe" -d -f "c:\programfiler\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
    S4 Bonjour Service - c:\programfiler\bonjour\mdnsresponder.exe (file missing)


    -- Device Manager: Disabled

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Device
    Device ID: PCI\VEN_10DE&DEV_0371&SUBSYS_C55E10DE&REV_A2\3&2411E6FE&0&79
    Manufacturer:
    Name: PCI Device
    PNP Device ID: PCI\VEN_10DE&DEV_0371&SUBSYS_C55E10DE&REV_A2\3&2411E6FE&0&79
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&0&00
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #2
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&0&00
    Service: NVENETFD


    -- Scheduled Tasks

    2008-04-14 11:19:01 252 --a C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


    -- Files created between 2008-03-14 and 2008-04-14

    2008-04-14 10:41:04 0 d C:\WINDOWS\ERUNT
    2008-04-14 10:40:38 0 d C:\sdfiks
    2008-04-13 00:49:01 0 d C:\Programfiler\Trend Micro
    2008-04-12 23:06:01 0 dr-h C:\$VAULT$.AVG
    2008-04-12 21:52:11 0 d C:\Programfiler\Lavasoft
    2008-04-11 11:10:01 233003 --ahs---- C:\WINDOWS\system32\GOoUCJlm.ini2
    2008-04-11 11:05:39 0 d C:\Programfiler\asd
    2008-03-27 22:58:56 0 d C:\Programfiler\Ventrilo
    2008-03-27 19:04:47 0 d C:\Programfiler\IrfanView
    2008-03-22 03:30:26 0 d C:\Programfiler\Solar System Technologies
    2008-03-22 02:15:37 0 d C:\Incomplete
    2008-03-19 17:05:59 0 d C:\Programfiler\Telenor


    -- Find3M Report

    2008-04-14 10:54:31 0 d C:\Documents and Settings\Cr33p\Programdata\Malwarebytes
    2008-04-14 10:46:08 0 d C:\Programfiler\DynDNS Updater
    2008-04-13 20:47:29 0 d C:\Documents and Settings\Cr33p\Programdata\uTorrent
    2008-04-13 07:57:14 0 d C:\Programfiler\WC3Banlist
    2008-04-13 02:40:22 0 d C:\Programfiler\Fellesfiler\Symantec Shared
    2008-04-13 00:53:49 0 d C:\Documents and Settings\Cr33p\Programdata\AVG7
    2008-04-13 00:53:26 0 d C:\Programfiler\Bonjour
    2008-04-12 22:36:09 0 d C:\Programfiler\Fellesfiler
    2008-04-12 22:07:20 444792 --a C:\WINDOWS\system32\perfh014.dat
    2008-04-12 22:07:20 80074 --a C:\WINDOWS\system32\perfc014.dat
    2008-04-12 21:51:34 0 d C:\Programfiler\Fellesfiler\Wise Installation Wizard
    2008-04-11 23:09:44 0 d C:\Documents and Settings\Cr33p\Programdata\Ubisoft
    2008-04-11 22:22:52 0 d--h C:\Programfiler\InstallShield Installation Information
    2008-04-11 22:22:23 0 d C:\Documents and Settings\Cr33p\Programdata\InstallShield
    2008-03-27 22:59:28 0 d C:\Programfiler\VentSrv
    2008-03-22 03:28:11 0 d C:\Documents and Settings\Cr33p\Programdata\FreeCap
    2008-03-13 05:06:07 0 d C:\Documents and Settings\Cr33p\Programdata\Locktime
    2008-03-13 05:04:06 0 d C:\Programfiler\NetLimiter 2 Lite
    2008-03-03 12:59:30 0 d C:\Documents and Settings\Cr33p\Programdata\Google
    2008-03-03 12:58:44 0 d C:\Programfiler\Google
    2008-02-26 13:51:13 0 d C:\Documents and Settings\Cr33p\Programdata\Kana Solution
    2008-02-22 01:41:49 0 d C:\Programfiler\Microsoft Xbox 360 Accessories
    2008-02-09 23:32:04 0 --a C:\Documents and Settings\Cr33p\Programdata\AVSDVDPlayer.m3u
    2008-02-07 00:58:07 67460 --a C:\WINDOWS\War3Unin.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79588cd8-a4a9-454e-a9bc-7e1b0f40b97d}]
    C:\WINDOWS\system32\rnnfelpg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f51b76a3-16d5-4be9-a08f-f58fa41af3e2}]
    C:\WINDOWS\system32\mlJCUoOG.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05.12.2007 02:41]
    "CTHelper"="CTHELPER.EXE" [17.08.2006 12:32 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [17.08.2006 12:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
    "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 02:11]
    "Launch LCDMon"="C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe" [26.04.2007 17:54]
    "Launch LGDCore"="C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe" [26.04.2007 18:22]
    "QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [10.01.2008 16:27]
    "XboxStat"="C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe" [26.09.2007 19:05]
    "nwiz"="nwiz.exe" [05.12.2007 02:41 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05.12.2007 02:41]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12.04.2008 22:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [13.10.2004 18:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [29.09.2004 16:52]
    "DynDNS Updater"="C:\Programfiler\DynDNS Updater\DynDNS.exe" [17.09.2006 11:32]

    C:\Documents and Settings\Cr33p\Start-meny\Programmer\Oppstart\
    My_AutoWarkey_Script.lnk - D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [19.07.2007 16:05:22]
    Registration Assassin's Creed.LNK - D:\spill\Assassin's Creed\Register\RegistrationReminder.exe [11.04.2008 22:35:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonoPG]
    opnonoPG.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCUoOG

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cay55.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cem66.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dve66.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fve66.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyx33.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lct55.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\oyq44.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pvr55.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxw11.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wud00.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^XFCE Menu (andLinux).lnk]
    path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\XFCE Menu (andLinux).lnk
    backup=C:\WINDOWS\pss\XFCE Menu (andLinux).lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cr33p^Start-meny^Programmer^Oppstart^Warkeys Update.exe.lnk]
    path=C:\Documents and Settings\Cr33p\Start-meny\Programmer\Oppstart\Warkeys Update.exe.lnk
    backup=C:\WINDOWS\pss\Warkeys Update.exe.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cr33p^Start-meny^Programmer^Oppstart^Warkeys Update.lnk]
    path=C:\Documents and Settings\Cr33p\Start-meny\Programmer\Oppstart\Warkeys Update.lnk
    backup=C:\WINDOWS\pss\Warkeys Update.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clipdiary]
    C:\Programfiler\Clipdiary\clipdiary.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    "C:\Programfiler\Electronic Arts\EADM\Core.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Programfiler\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Programfiler\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    F:\Programfiler\Winamp\winampa.exe




    -- End of Deckard's System Scanner: finished at 2008-04-14 11:52:10
  • edited April 2008
    extra.txt

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: Norwegian

    CPU 0: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
    CPU 1: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
    CPU 2: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
    CPU 3: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
    Percentage of Memory in Use: 25%
    Physical Memory (total/avail): 2046.46 MiB / 1525.93 MiB
    Pagefile Memory (total/avail): 3938.79 MiB / 3558.79 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1924.58 MiB

    C: is Fixed (NTFS) - 97.65 GiB total, 37.63 GiB free.
    D: is Fixed (NTFS) - 368.1 GiB total, 120.9 GiB free.
    E: is CDROM (UDF)
    F: is Fixed (NTFS) - 176.53 GiB total, 18.87 GiB free.
    G: is Fixed (NTFS) - 9.77 GiB total, 9.72 GiB free.

    \\.\PHYSICALDRIVE1 - WDC WD2000JD-00GBB0 - 186.31 GiB - 2 partitions
    \PARTITION0 (bootable) - Installerbart filsystem - 176.53 GiB - F:
    \PARTITION1 - Utvidet med Extended Int 13 - 9.77 GiB - G:

    \\.\PHYSICALDRIVE0 - WDC WD5000AAKS-00YGA0 - 465.76 GiB - 2 partitions
    \PARTITION0 (bootable) - Installerbart filsystem - 97.65 GiB - C:
    \PARTITION1 - Utvidet med Extended Int 13 - 368.1 GiB - D:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: AVG 7.5.519 v7.5.519 (Grisoft)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"="C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"="C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
    "C:\\SPILL\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\SPILL\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
    "C:\\SPILL\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\SPILL\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
    "D:\\spill\\Battlefield 2\\BF2.exe"="D:\\spill\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
    "C:\\Programfiler\\uTorrent\\uTorrent.exe"="C:\\Programfiler\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "D:\\spill\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\spill\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Programfiler\\Bonjour\\mDNSResponder.exe"="C:\\Programfiler\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Programfiler\\iTunes\\iTunes.exe"="C:\\Programfiler\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "D:\\spill\\Neverwinter Nights 2\\nwn2main.exe"="D:\\spill\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
    "D:\\spill\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="D:\\spill\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
    "D:\\spill\\Neverwinter Nights 2\\nwupdate.exe"="D:\\spill\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
    "D:\\spill\\Neverwinter Nights 2\\nwn2server.exe"="D:\\spill\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
    "D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx9.exe"="D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9"
    "D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx10.exe"="D:\\spill\\Assassin's Creed\\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10"
    "D:\\spill\\Assassin's Creed\\AssassinsCreed_Launcher.exe"="D:\\spill\\Assassin's Creed\\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update"
    "C:\\Programfiler\\Grisoft\\AVG7\\avginet.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Programfiler\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Programfiler\\Grisoft\\AVG7\\avgcc.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Programfiler\\Grisoft\\AVG7\\avgemc.exe"="C:\\Programfiler\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\VENT 2.1\\ventrilo_srv.exe"="C:\\VENT 2.1\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
    "F:\\Programfiler\\Valve\\Steam\\SteamApps\\pop-dog@online.no\\team fortress 2\\hl2.exe"="F:\\Programfiler\\Valve\\Steam\\SteamApps\\pop-dog@online.no\\team fortress 2\\hl2.exe:*:Enabled:hl2"
    "C:\\Documents and Settings\\Cr33p\\Lokale innstillinger\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\Cr33p\\Lokale innstillinger\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Enabled:Symantec Removal Utility"
    "D:\\spill\\Warcraft III\\war3.exe"="D:\\spill\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
    "C:\\Programfiler\\VentSrv\\ventrilo_srv.exe"="C:\\Programfiler\\VentSrv\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Cr33p\Programdata
    CLASSPATH=.;C:\Programfiler\Java\jre1.6.0_03\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Programfiler\Fellesfiler
    COMPUTERNAME=CREEP
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Cr33p
    LOGONSERVER=\\CREEP
    NUMBER_OF_PROCESSORS=4
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Programfiler\QuickTime\QTSystem\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f0b
    ProgramFiles=C:\Programfiler
    PROMPT=$P$G
    QTJAVA=C:\Programfiler\Java\jre1.6.0_03\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Cr33p\LOKALE~1\Temp
    TMP=C:\DOCUME~1\Cr33p\LOKALE~1\Temp
    USERDOMAIN=CREEP
    USERNAME=Cr33p
    USERPROFILE=C:\Documents and Settings\Cr33p
    windir=C:\WINDOWS


    -- User Profiles

    Cr33p (admin)
    Administrator (new local, admin)


    -- Add/Remove Programs

    --> MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
    --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{786547F9-59BB-4FA3-B2D8-327FF1F14870}
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Advanced Batch Converter --> "C:\Programfiler\Advanced Batch Converter\uninstall.exe"
    AGEIA PhysX v7.07.09 --> MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
    Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
    Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
    Assassin's Creed --> C:\Programfiler\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
    µTorrent --> "C:\Programfiler\uTorrent\uTorrent.exe" /UNINSTALL
    AVG 7.5 --> C:\Programfiler\Grisoft\AVG7\setup.exe /UNINSTALL
    AVS DVD Player version 2.4 --> "D:\Programfiler\AVSMedia\DVDPlayer\unins000.exe"
    Battlefield 2(TM) --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
    Battlefield 2: Special Forces --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{50D4CB89-AF34-4978-96DC-C3034062E901}\setup.exe" -l0x9 -removeonly
    Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
    Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Programfiler\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
    Clipdiary 1.4 --> C:\Programfiler\Clipdiary\uninst.exe
    Creative Audio Console --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
    Crysis(R) --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
    Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
    DynDNS Updater 3.1 --> "C:\Programfiler\DynDNS Updater\unins000.exe"
    EA Download Manager --> C:\PROGRA~1\FELLES~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
    EAX4 Unified Redist --> MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
    Eternal Silence Beta 2.3 --> f:\programfiler\valve\steam\SteamApps\SourceMods\esmod\uninst.exe
    EVE-ONLINE (remove only) --> D:\spill\eve\Uninstall.exe
    Fraps (remove only) --> "D:\Fraps\uninstall.exe"
    Freelancer --> "D:\spill\Freelancer\UNINSTAL.EXE" /runtemp /addremove
    GameSpy Arcade --> D:\PROGRA~1\GAMESP~1\UNWISE.EXE D:\PROGRA~1\GAMESP~1\INSTALL.LOG
    Garry's Mod --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/4000
    Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    Half-Life 2: Deathmatch --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/320
    Half-Life 2: Episode One --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/380
    Half-Life 2: Episode Two --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/420
    Half-Life 2: Lost Coast --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/340
    Half-Life Deathmatch: Source --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/360
    Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
    HijackThis 2.0.2 --> "C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Hurtigreparasjon for Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
    Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
    IrfanView (remove only) --> C:\Programfiler\IrfanView\iv_uninstall.exe
    iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    LimeWire 4.14.12 --> "C:\Programfiler\LimeWire\uninstall.exe"
    Logitech G15 Keyboard Software 1.04 --> MsiExec.exe /X{3E354FBA-C7CE-402A-BB0D-225230BB1918}
    Malwarebytes' Anti-Malware --> "D:\Programfiler\Malwarebytes' Anti-Malware\unins000.exe"
    Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Xbox 360 Accessories 1.1 --> MsiExec.exe /X{66F0AC35-4805-44BC-A3D4-347D4196F9B3}
    mIRC --> "F:\NN2\mirc.exe" -uninstall
    Mozilla Firefox (2.0.0.13) --> F:\Programfiler\Mozilla Firefox\uninstall\helper.exe
    Mozilla Firefox (2.0.0.4) --> C:\Programfiler\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    NetLimiter 2 Lite (remove only) --> "C:\Programfiler\NetLimiter 2 Lite\nl2uninst.exe"
    Neverwinter Nights 2 --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{F20C1251-1D0A-4944-B2AE-678581B33B19}\SETUP.exe" -l0x9 -removeonly
    NVIDIA Drivers --> C:\WINDOWS\system32\nvuide.exe UninstallGUI
    NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\FELLES~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1044
    Oppdatering for Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB925720) --> "C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
    Oppdatering for Windows XP (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
    Portal --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/400
    QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Sikkerhetsoppdatering for Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Sikkerhetsoppdatering for Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
    Sikkerhetsoppdatering for Windows XP (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
    Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
    Source SDK Base 2007 --> "F:\Programfiler\Valve\Steam\steam.exe" steam://uninstall/218
    Tom Clancy's Splinter Cell Chaos Theory --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{BABAEBE4-9FFB-4B5D-9453-64FF11517CA2}\setup.exe" -l0x9 -removeonly
    Tom Clancy's Splinter Cell Double Agent --> RunDll32 C:\PROGRA~1\FELLES~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programfiler\InstallShield Installation Information\{CAD1691A-FA24-4B95-9009-3257B8440ECC}\setup.exe" -l0x9 -removeonly
    Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
    Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
    VentriloMIX --> C:\Program Files\VentriloMIX\Uninstal.exe
    Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
    Warkeys 1.5.2.0b --> d:\Programfiler\Warkeys\uninst.exe
    WC3Banlist --> "C:\Programfiler\WC3Banlist\unins000.exe"
    Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
    Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
    Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
    Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
    Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
    Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
    Windows Live Toolbar --> "C:\Programfiler\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
    Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
    Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
    Windows Presentation Foundation Language Pack (NOR) --> MsiExec.exe /X{B0534960-A7E2-4FFD-8E27-51B4B188633F}
    Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
    Windows Workflow Foundation NO Language Pack --> MsiExec.exe /I{42F46A4E-1662-473F-A210-C5BB3BD385CC}
    Windows XP hurtigreparasjon - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
    Windows XP hurtigreparasjon - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
    Windows XP hurtigreparasjon - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
    Windows XP hurtigreparasjon - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
    Windows XP hurtigreparasjon - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
    Windows XP hurtigreparasjon - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
    Windows XP hurtigreparasjon - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
    Windows XP hurtigreparasjon - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
    WinPcap 3.1 --> C:\Programfiler\WinPcap\uninstall.exe
    WinRAR archiver --> C:\Programfiler\WinRAR\uninstall.exe
    XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
    XML Paper Specification Shared Components Pack 1.0 -->


    -- Application Event Log

    Event Record #/Type11756 / Error
    Event Submitted/Written: 04/14/2008 10:52:51 AM
    Event ID/Source: 100 / AVG7
    Event Description:
    2008-04-14 08:52:51,891 CREEP [001632:001644] ERROR 000 AVG7.AM.rules.CPluginCfgAttributes loading of attribute "krnl.alert_manager.plugins.avgaminternal.email.graylist" failedParameteren er feil (87) %KEY% = "krnl.alert_manager.plugins.avgaminternal.email.graylist"

    Event Record #/Type11755 / Error
    Event Submitted/Written: 04/14/2008 10:52:51 AM
    Event ID/Source: 100 / AVG7
    Event Description:
    2008-04-14 08:52:51,891 CREEP [001632:001644] ERROR 000 AVG7.AM.rules.CPluginCfgAttributes loading of attribute "krnl.alert_manager.plugins.avgaminternal.email.default.to" failedParameteren er feil (87) %KEY% = "krnl.alert_manager.plugins.avgaminternal.email.default.to"

    Event Record #/Type11754 / Error
    Event Submitted/Written: 04/14/2008 10:52:51 AM
    Event ID/Source: 100 / AVG7
    Event Description:
    2008-04-14 08:52:51,891 CREEP [001632:001644] ERROR 000 AVG7.AM.rules.CPluginCfgAttributes loading of attribute "krnl.alert_manager.plugins.avgaminternal.email.default.subject" failedParameteren er feil (87) %KEY% = "krnl.alert_manager.plugins.avgaminternal.email.default.subject"

    Event Record #/Type11753 / Error
    Event Submitted/Written: 04/14/2008 10:52:51 AM
    Event ID/Source: 100 / AVG7
    Event Description:
    2008-04-14 08:52:51,891 CREEP [001632:001644] ERROR 000 AVG7.AM.rules.CPluginCfgAttributes loading of attribute "krnl.alert_manager.plugins.avgaminternal.email.default.smtp.server" failedParameteren er feil (87) %KEY% = "krnl.alert_manager.plugins.avgaminternal.email.default.smtp.server"

    Event Record #/Type11752 / Error
    Event Submitted/Written: 04/14/2008 10:52:51 AM
    Event ID/Source: 100 / AVG7
    Event Description:
    2008-04-14 08:52:51,891 CREEP [001632:001644] ERROR 000 AVG7.AM.rules.CPluginCfgAttributes loading of attribute "krnl.alert_manager.plugins.avgaminternal.email.default.smtp.port" failedParameteren er feil (87) %KEY% = "krnl.alert_manager.plugins.avgaminternal.email.default.smtp.port"



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type29597 / Error
    Event Submitted/Written: 04/14/2008 04:24:19 AM
    Event ID/Source: 10016 / DCOM
    Event Description:
    Innstillingene for maskinstandard-tillatelse gir ikke Lokal Aktivering-tillatelse for COM Server-programmet med CLSID
    {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
    til brukeren NT-MYNDIGHET\LOKAL TJENESTE SID (S-1-5-19). Denne sikkerhetstillatelsen kan endres ved hjelp av det administrative verktøyet Komponenttjenester.

    Event Record #/Type29596 / Error
    Event Submitted/Written: 04/14/2008 04:23:45 AM
    Event ID/Source: 10016 / DCOM
    Event Description:
    Innstillingene for maskinstandard-tillatelse gir ikke Lokal Aktivering-tillatelse for COM Server-programmet med CLSID
    {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
    til brukeren NT-MYNDIGHET\LOKAL TJENESTE SID (S-1-5-19). Denne sikkerhetstillatelsen kan endres ved hjelp av det administrative verktøyet Komponenttjenester.

    Event Record #/Type29595 / Error
    Event Submitted/Written: 04/14/2008 03:27:29 AM
    Event ID/Source: 10016 / DCOM
    Event Description:
    Innstillingene for maskinstandard-tillatelse gir ikke Lokal Aktivering-tillatelse for COM Server-programmet med CLSID
    {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
    til brukeren NT-MYNDIGHET\LOKAL TJENESTE SID (S-1-5-19). Denne sikkerhetstillatelsen kan endres ved hjelp av det administrative verktøyet Komponenttjenester.

    Event Record #/Type29594 / Error
    Event Submitted/Written: 04/14/2008 03:27:29 AM
    Event ID/Source: 10016 / DCOM
    Event Description:
    Innstillingene for maskinstandard-tillatelse gir ikke Lokal Aktivering-tillatelse for COM Server-programmet med CLSID
    {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
    til brukeren NT-MYNDIGHET\LOKAL TJENESTE SID (S-1-5-19). Denne sikkerhetstillatelsen kan endres ved hjelp av det administrative verktøyet Komponenttjenester.

    Event Record #/Type29593 / Error
    Event Submitted/Written: 04/14/2008 02:29:33 AM
    Event ID/Source: 10016 / DCOM
    Event Description:
    Innstillingene for maskinstandard-tillatelse gir ikke Lokal Aktivering-tillatelse for COM Server-programmet med CLSID
    {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
    til brukeren NT-MYNDIGHET\LOKAL TJENESTE SID (S-1-5-19). Denne sikkerhetstillatelsen kan endres ved hjelp av det administrative verktøyet Komponenttjenester.



    -- End of Deckard's System Scanner: finished at 2008-04-14 11:52:10
  • edited April 2008
    Malwarebytes Anti-Malware log:

    Malwarebytes' Anti-Malware 1.11
    Database version: 623

    Scan type: Full Scan (C:\|D:\|F:\|G:\|)
    Objects scanned: 208966
    Time elapsed: 45 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 22
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM4f2258fc (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Programfiler\Bat (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Programdata\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Programfiler\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
    C:\Programfiler\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Programfiler\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Programfiler\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Programfiler\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
    C:\Programfiler\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lfnesmrr.dll (Trojan.Agent) -> Delete on reboot.
  • edited April 2008
    It actually works to access those websites now that I was denied access to earlier.

    I posted the log in case you wanted to look through it and see if there was something else left.

    Thanks a lot for your help :-)
  • edited April 2008
    By the way, one more thing: what gaming tweak did you mean you saw in my first log? Is it my auto Warkey script? It only lets me change hotkeys in WC3 for the numpad so I can bind actions to my mouse.
  • edited April 2008
    Anything from that to PunkBuster is a tweak. More infection to repair, so let's do that now.


    Download The Avenger by Swandog from here and save it to your Desktop.

    Disconnect from net access, close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

    Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.
    Drivers to delete:
    cay55
    cem66
    dve66
    fve66
    iyx33
    lct55
    oyq44
    pvr55
    sxw11
    wud00
    Files to delete:
    C:\WINDOWS\system32\GOoUCJlm.ini2
    C:\WINDOWS\system32\opnonoPG.dll 
    C:\WINDOWS\system32\rnnfelpg.dll
    C:\WINDOWS\system32\mlJCUoOG.dll
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79588cd8-a4a9-454e-a9bc-7e1b0f40b97d}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f51b76a3-16d5-4be9-a08f-f58fa41af3e2}
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonoPG
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cay55.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cem66.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dve66.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fve66.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyx33.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lct55.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\oyq44.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pvr55.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxw11.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wud00.sys
    

    Your system may reboot twice to complete the repairs. After the reboot a text file will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.


    Then reconnect to net access and go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post back that log along with the Kaspersky log and the avenger.txt log please.
  • edited April 2008
    PnkbstrA.exe and pnkbstr.exe are processes for Battlefield 2 and Battlefield 2142, which run 24/7 for some reason. If they're uninstalled you won't be able to play either game, just an FYI ;)

    Here's the avenger.txt log

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Driver "cay55" deleted successfully.
    Driver "cem66" deleted successfully.
    Driver "dve66" deleted successfully.
    Driver "fve66" deleted successfully.
    Driver "iyx33" deleted successfully.
    Driver "lct55" deleted successfully.
    Driver "oyq44" deleted successfully.
    Driver "pvr55" deleted successfully.
    Driver "sxw11" deleted successfully.
    Driver "wud00" deleted successfully.
    File "C:\WINDOWS\system32\GOoUCJlm.ini2" deleted successfully.

    Error: file "C:\WINDOWS\system32\opnonoPG.dll" not found!
    Deletion of file "C:\WINDOWS\system32\opnonoPG.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\rnnfelpg.dll" not found!
    Deletion of file "C:\WINDOWS\system32\rnnfelpg.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: file "C:\WINDOWS\system32\mlJCUoOG.dll" not found!
    Deletion of file "C:\WINDOWS\system32\mlJCUoOG.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cay55.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cem66.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dve66.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fve66.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iyx33.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lct55.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\oyq44.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pvr55.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxw11.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wud00.sys" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79588cd8-a4a9-454e-a9bc-7e1b0f40b97d}" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f51b76a3-16d5-4be9-a08f-f58fa41af3e2}" deleted successfully.
    Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonoPG" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
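When an Avenger run reports "not found" for several files, it is worth checking systematically which requested items were actually removed, which were already gone, and which the log never mentions at all. The script below is an added example for this thread, not code from The Avenger or from the forum's helpers: it parses the script format pasted into Avenger (the "Drivers to delete:", "Files to delete:" and "Registry keys to delete:" sections used above) and the avenger.txt line formats shown in the log above, and reconciles the two. The sample script and log excerpt are constructed from entries in this thread; one SafeBoot key is deliberately left out of the log excerpt to show the "unreported" case. Other Avenger sections (folders, registry values) are not handled and are assumed to exist only as far as the script skips unknown headers.

```python
"""Reconcile an Avenger removal script against the avenger.txt log it produced.

Added example (not The Avenger's own code): report, per requested item,
whether it was deleted, reported missing, failed for another reason, or
never mentioned in the log.
"""
import re
from collections import Counter

# Script section headers seen in this thread, mapped to the kind Avenger prints in its log.
SECTIONS = {
    "Drivers to delete:": "driver",
    "Files to delete:": "file",
    "Registry keys to delete:": "registry key",
}

KIND = r"(driver|file|registry key)"
RE_DELETED = re.compile(rf'^{KIND} "(.+)" deleted successfully\.$', re.I)
RE_NOT_FOUND = re.compile(rf'^Error: {KIND} "(.+)" not found!$', re.I)
RE_FAILED = re.compile(rf'^Deletion of {KIND} "(.+)" failed!$', re.I)
RE_STATUS = re.compile(r"^Status: (0x[0-9a-fA-F]+) \((\w+)\)$")


def parse_script(script: str) -> list:
    """Return (kind, item) pairs in script order.

    A header line (ending in ':') switches the current section; lines under an
    unknown header are skipped rather than misfiled under the previous section.
    """
    kind = None
    items = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            kind = SECTIONS.get(line)
        elif kind is not None:
            items.append((kind, line))
    return items


def parse_log(log: str) -> dict:
    """Parse avenger.txt into {(kind, casefolded item): {"status": ..., "ntstatus": ...}}.

    Windows paths and registry keys are case-insensitive, so items are keyed casefolded.
    """
    items = {}
    last_failed = None
    completed = False
    rootkits_found = None  # only the "No rootkits found!" line is recognised
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Completed script processing.":
            completed = True
            continue
        if line == "No rootkits found!":
            rootkits_found = False
            continue
        m = RE_DELETED.match(line)
        if m:
            items[(m[1].lower(), m[2].casefold())] = {"status": "deleted"}
            continue
        m = RE_NOT_FOUND.match(line)
        if m:
            items[(m[1].lower(), m[2].casefold())] = {"status": "not found"}
            continue
        m = RE_FAILED.match(line)
        if m:
            key = (m[1].lower(), m[2].casefold())
            # "not found" is more specific than "failed"; keep it if already recorded.
            items.setdefault(key, {"status": "failed"})
            last_failed = key
            continue
        m = RE_STATUS.match(line)
        if m and last_failed is not None:
            items[last_failed]["ntstatus"] = f"{m[1]} ({m[2]})"
            last_failed = None
    return {"completed": completed, "rootkits_found": rootkits_found, "items": items}


def reconcile(script: str, log: str) -> dict:
    """Per-item outcome for every script entry, with counts and run-completion flags."""
    parsed = parse_log(log)
    entries = []
    for kind, item in parse_script(script):
        rec = parsed["items"].get((kind, item.casefold()), {"status": "unreported"})
        entry = {"kind": kind, "item": item, "status": rec["status"]}
        if "ntstatus" in rec:
            entry["ntstatus"] = rec["ntstatus"]
        entries.append(entry)
    return {
        "completed": parsed["completed"],
        "rootkits_found": parsed["rootkits_found"],
        "counts": dict(Counter(e["status"] for e in entries)),
        "entries": entries,
    }


# Constructed sample built from entries in this thread (the cem66.sys key is left out of the log).
SAMPLE_SCRIPT = r"""
Drivers to delete:
cay55
cem66
Files to delete:
C:\WINDOWS\system32\GOoUCJlm.ini2
C:\WINDOWS\system32\opnonoPG.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cay55.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cem66.sys
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonoPG
"""

SAMPLE_LOG = r"""
Rootkit scan active.
No rootkits found!

Driver "cay55" deleted successfully.
Driver "cem66" deleted successfully.
File "C:\WINDOWS\system32\GOoUCJlm.ini2" deleted successfully.

Error: file "C:\WINDOWS\system32\opnonoPG.dll" not found!
Deletion of file "C:\WINDOWS\system32\opnonoPG.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cay55.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnonoPG" deleted successfully.

Completed script processing.
"""

if __name__ == "__main__":
    result = reconcile(SAMPLE_SCRIPT, SAMPLE_LOG)
    print("completed:", result["completed"], "counts:", result["counts"])
    for e in result["entries"]:
        print(f'{e["status"]:>10}  {e["kind"]:<12} {e["item"]}  {e.get("ntstatus", "")}')
```

Items marked "unreported" are the ones to re-check by hand (a typo in the pasted script, or an item Avenger silently skipped); "not found" with STATUS_OBJECT_NAME_NOT_FOUND simply means the file was already gone by the time the script ran.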
  • edited April 2008
    Log from Kaspersky OS:

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, April 15, 2008 3:17:09 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 15/04/2008
    Kaspersky Anti-Virus database records: 706125

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 172676
    Number of viruses found: 6
    Number of infected objects: 10
    Number of suspicious objects: 2
    Duration of the scan process: 02:12:03

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Administrator\Skrivebord\catchme.zip/zeqbqwp.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
    C:\Documents and Settings\Administrator\Skrivebord\catchme.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Programdata\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Programdata\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Programdata\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip/mrofinu1645.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\Cr33p\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\XUL.mfl Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Cr33p\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\history.dat Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\key3.db Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Cr33p\Programdata\Mozilla\Firefox\Profiles\pvp8c7ef.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{5C0819B8-440D-483B-A5AE-4ACFD8634412}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\nmp.log Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\Temp\History\History.IE5\MSHist012008041520080416\index.dat Object is locked skipped
    C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\NN2\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
    F:\R.O.T\Div. Programmer\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
    F:\R.O.T\Div. Programmer\mirc617.exe mIRC: infected - 1 skipped
    F:\R.O.T\Div. Programmer\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    F:\R.O.T\Div. Programmer\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    F:\R.O.T\Div. Programmer\mirc621.exe NSIS: infected - 2 skipped
    F:\R.O.T\Div. Programmer\Nero-8.1.1.0b_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    F:\R.O.T\Div. Programmer\Nero-8.1.1.0b_eng_trial.exe 7-Zip: infected - 1 skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.
  • edited April 2008
    And finally the DSS log

    Deckard's System Scanner v20071014.68
    Run by Cr33p on 2008-04-15 15:23:20
    Computer is in Normal Mode.



    -- HijackThis (run as Cr33p.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:23:25, on 15.04.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programfiler\NetLimiter 2 Lite\nlsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programfiler\NetLimiter 2 Lite\NLClient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe
    C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe
    C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDCountdown.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Programfiler\Messenger\msmsgs.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDPOP3.exe
    C:\Programfiler\DynDNS Updater\DynDNS.exe
    C:\Programfiler\Fellesfiler\Logitech\LCD Manager\Applets\LCDMedia.exe
    D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    C:\WINDOWS\system32\wscntfy.exe
    F:\Programfiler\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programfiler\Internet Explorer\iexplore.exe
    C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Cr33p\skrivebord\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Cr33p.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [XboxStat] "C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DynDNS Updater] "C:\Programfiler\DynDNS Updater\DynDNS.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe (User 'Default user')
    O4 - .DEFAULT Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe (User 'Default user')
    O4 - Startup: My_AutoWarkey_Script.lnk = D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    O4 - Startup: Registration Assassin's Creed.LNK = D:\spill\Assassin's Creed\Register\RegistrationReminder.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Programfiler\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196863513979
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatisk LiveUpdate-planlegging - Unknown owner - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (avg7alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (avg7updsvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (avgems) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programfiler\NetLimiter 2 Lite\nlsvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programfiler\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programfiler\WinPcap\rpcapd.exe

    --
    End of file - 8932 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080413-005604-489 O23 - Service: iPod Service - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
    backup-20080413-005604-572 O23 - Service: Bonjour Service - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe

    -- File Associations

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled


    S3 catchme - c:\docume~1\cr33p\lokale~1\temp\catchme.sys (file missing)
    S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
    S3 RivaTuner32 - f:\programfiler\rivatuner v2.05\rivatuner32.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apple Mobile Device - "c:\programfiler\fellesfiler\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 ForceWare Intelligent Application Manager (IAM) - c:\programfiler\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
    R2 nlsvc (NetLimiter) - "c:\programfiler\netlimiter 2 lite\nlsvc.exe" <Not Verified; Locktime Software; NetLimiter 2 Lite>

    S2 Automatisk LiveUpdate-planlegging - "c:\programfiler\symantec\liveupdate\aluschedulersvc.exe" (file missing)
    S4 Bonjour Service - c:\programfiler\bonjour\mdnsresponder.exe (file missing)


    -- Device Manager: Disabled

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Device
    Device ID: PCI\VEN_10DE&DEV_0371&SUBSYS_C55E10DE&REV_A2\3&2411E6FE&0&79
    Manufacturer:
    Name: PCI Device
    PNP Device ID: PCI\VEN_10DE&DEV_0371&SUBSYS_C55E10DE&REV_A2\3&2411E6FE&0&79
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&0&00
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #2
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&0&00
    Service: NVENETFD


    -- Scheduled Tasks

    2008-04-15 15:19:01 252 --a C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


    -- Files created between 2008-03-15 and 2008-04-15

    2008-04-15 12:22:44 0 d C:\WINDOWS\system32\Kaspersky Lab
    2008-04-15 12:22:43 0 d C:\WINDOWS\LastGood
    2008-04-14 10:41:04 0 d C:\WINDOWS\ERUNT
    2008-04-13 00:49:01 0 d C:\Programfiler\Trend Micro
    2008-04-12 23:06:01 0 dr-h C:\$VAULT$.AVG
    2008-04-12 21:52:11 0 d C:\Programfiler\Lavasoft
    2008-04-11 11:05:39 0 d C:\Programfiler\asd
    2008-03-27 22:58:56 0 d C:\Programfiler\Ventrilo
    2008-03-27 19:04:47 0 d C:\Programfiler\IrfanView
    2008-03-22 03:30:26 0 d C:\Programfiler\Solar System Technologies
    2008-03-22 02:15:37 0 d C:\Incomplete
    2008-03-19 17:05:59 0 d C:\Programfiler\Telenor


    -- Find3M Report

    2008-04-15 12:11:28 0 d C:\Documents and Settings\Cr33p\Programdata\uTorrent
    2008-04-15 08:46:11 0 d C:\Programfiler\DynDNS Updater
    2008-04-14 11:52:09 0 d C:\Documents and Settings\Cr33p\Programdata\AVG7
    2008-04-14 10:54:31 0 d C:\Documents and Settings\Cr33p\Programdata\Malwarebytes
    2008-04-13 07:57:14 0 d C:\Programfiler\WC3Banlist
    2008-04-13 02:40:22 0 d C:\Programfiler\Fellesfiler\Symantec Shared
    2008-04-13 00:53:26 0 d C:\Programfiler\Bonjour
    2008-04-12 22:36:09 0 d C:\Programfiler\Fellesfiler
    2008-04-12 22:07:20 444792 --a C:\WINDOWS\system32\perfh014.dat
    2008-04-12 22:07:20 80074 --a C:\WINDOWS\system32\perfc014.dat
    2008-04-12 21:51:34 0 d C:\Programfiler\Fellesfiler\Wise Installation Wizard
    2008-04-11 23:09:44 0 d C:\Documents and Settings\Cr33p\Programdata\Ubisoft
    2008-04-11 22:22:52 0 d--h C:\Programfiler\InstallShield Installation Information
    2008-04-11 22:22:23 0 d C:\Documents and Settings\Cr33p\Programdata\InstallShield
    2008-03-27 22:59:28 0 d C:\Programfiler\VentSrv
    2008-03-22 03:28:11 0 d C:\Documents and Settings\Cr33p\Programdata\FreeCap
    2008-03-13 05:06:07 0 d C:\Documents and Settings\Cr33p\Programdata\Locktime
    2008-03-13 05:04:06 0 d C:\Programfiler\NetLimiter 2 Lite
    2008-03-03 12:59:30 0 d C:\Documents and Settings\Cr33p\Programdata\Google
    2008-03-03 12:58:44 0 d C:\Programfiler\Google
    2008-02-26 13:51:13 0 d C:\Documents and Settings\Cr33p\Programdata\Kana Solution
    2008-02-22 01:41:49 0 d C:\Programfiler\Microsoft Xbox 360 Accessories
    2008-02-09 23:32:04 0 --a C:\Documents and Settings\Cr33p\Programdata\AVSDVDPlayer.m3u
    2008-02-07 00:58:07 67460 --a C:\WINDOWS\War3Unin.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTHelper"="CTHELPER.EXE" [17.08.2006 12:32 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [17.08.2006 12:32 C:\WINDOWS\system32\CTXFIHLP.EXE]
    "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 02:11]
    "Launch LCDMon"="C:\Programfiler\Fellesfiler\Logitech\LCD Manager\lcdmon.exe" [26.04.2007 17:54]
    "Launch LGDCore"="C:\Programfiler\Fellesfiler\Logitech\G-series Software\LGDCore.exe" [26.04.2007 18:22]
    "QuickTime Task"="C:\Programfiler\QuickTime\QTTask.exe" [10.01.2008 16:27]
    "XboxStat"="C:\Programfiler\Microsoft Xbox 360 Accessories\XboxStat.exe" [26.09.2007 19:05]
    "nwiz"="nwiz.exe" [05.12.2007 02:41 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05.12.2007 02:41]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12.04.2008 22:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [13.10.2004 18:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [29.09.2004 16:52]
    "DynDNS Updater"="C:\Programfiler\DynDNS Updater\DynDNS.exe" [17.09.2006 11:32]

    C:\Documents and Settings\Cr33p\Start-meny\Programmer\Oppstart\
    My_AutoWarkey_Script.lnk - D:\Programfiler\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [19.07.2007 16:05:22]
    Registration Assassin's Creed.LNK - D:\spill\Assassin's Creed\Register\RegistrationReminder.exe [11.04.2008 22:35:04]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCUoOG

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cr33p^Start-meny^Programmer^Oppstart^Warkeys Update.exe.lnk]
    path=C:\Documents and Settings\Cr33p\Start-meny\Programmer\Oppstart\Warkeys Update.exe.lnk
    backup=C:\WINDOWS\pss\Warkeys Update.exe.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cr33p^Start-meny^Programmer^Oppstart^Warkeys Update.lnk]
    path=C:\Documents and Settings\Cr33p\Start-meny\Programmer\Oppstart\Warkeys Update.lnk
    backup=C:\WINDOWS\pss\Warkeys Update.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clipdiary]
    C:\Programfiler\Clipdiary\clipdiary.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    "C:\Programfiler\Electronic Arts\EADM\Core.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Programfiler\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Programfiler\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    F:\Programfiler\Winamp\winampa.exe




    -- End of Deckard's System Scanner: finished at 2008-04-15 15:23:42
  • edited April 2008
    One malware change to a sensitive user logon value to correct, but overall it is looking pretty good now. Kaspersky only located normally locked system files, gave some alerts for either infections already removed or your mIRC software (alerts due to it being used at times by malware), and these - the Nero installer bundled with adware:

    F:\R.O.T\Div. Programmer\Nero-8.1.1.0b_eng_trial.exe/Toolbar.exe
    > AdTool.Win32.MyWebSearch.bm skipped
    F:\R.O.T\Div. Programmer\Nero-8.1.1.0b_eng_trial.exe 7-Zip: infected - 1

    You may want to delete that file, and if it was used to install Nero you may want to uninstall that version as well. You have some startups disabled through msconfig, so since we have the opportunity and the info, we can check for remnants there as well.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
      00
    
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it lsafix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.



    Then go to Start - Run, type msconfig (and Enter).

    Under the Startup and Services tabs, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs.


    After the reboot, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
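    The registry fix in the reply above resets the LSA "Authentication Packages" value, which the DSS log showed as `msv1_0 C:\WINDOWS\system32\mlJCUoOG`. LSASS loads every module named in that REG_MULTI_SZ at boot, as SYSTEM, so an extra entry there is a persistence point worth checking on any Windows box, not just this one. The script below is an added example for this thread, not code from the original post or from Deckard's System Scanner: it decodes and re-encodes the `hex(7)` form that regedit uses for REG_MULTI_SZ (so you can confirm what a `.reg` fix will actually write before merging it), and flags entries that are not in a known-good baseline. The baseline (`msv1_0` alone, as on stock Windows XP) is an assumption; the sample values are copied from the logs above, and nothing beyond what the logs show is claimed about the `mlJCUoOG` file.

```python
"""Decode/encode the REG_MULTI_SZ hex(7) form used by .reg files and check the
LSA 'Authentication Packages' list against a known-good baseline.

Added example for this thread, not code from the original post or from DSS.
Assumptions: the baseline below (msv1_0 only, stock Windows XP); the DSS log
prints multi-string entries space-separated (as seen in the log above); the
sample values are copied from that log.
"""
from __future__ import annotations

import re

# Stock Windows XP value of
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages.
# Anything else loaded into LSASS here is worth a look (assumption: baseline).
DEFAULT_AUTH_PACKAGES = ("msv1_0",)


def reg_multi_sz_decode(hex7: str) -> list[str]:
    """Turn 'hex(7):6d,00,73,00,...' from a .reg file into a list of strings.

    REG_MULTI_SZ is UTF-16LE, one NUL between strings, and an empty string
    (two extra NUL bytes) at the very end. regedit wraps long values with a
    trailing backslash and continues on the next line; that is stripped here.
    """
    body = hex7.split(":", 1)[1] if ":" in hex7 else hex7
    body = re.sub(r"\\\s*", "", body)          # join continuation lines
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def reg_multi_sz_encode(values: list[str]) -> str:
    """Inverse of decode: produce the single-line hex(7) form regedit accepts."""
    raw = ("\x00".join(values) + "\x00\x00").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_dss_lsa_line(line: str) -> list[str]:
    """Parse the DSS 'Registry Dump' line for the Lsa key, e.g.
    '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mlJCUoOG'.
    Entries are taken to be space-separated (assumption, from the log above);
    a path containing spaces would be split incorrectly by this simple parser.
    """
    _, _, rhs = line.partition("=")
    return rhs.split()


def check_auth_packages(values: list[str]) -> list[str]:
    """Return every entry that is not in the known-good baseline.

    A legitimate entry is a bare module name resolved from system32; a full
    path, or any name not in the baseline, is what a cleanup should look at.
    """
    return [v for v in values if v.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    # Value exactly as it appears in the DSS log above (constructed sample line).
    dss_line = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCUoOG'
    found = parse_dss_lsa_line(dss_line)
    print("current entries:", found)
    print("not in baseline:", check_auth_packages(found))

    # What the lsafix.reg from the reply above will write, decoded.
    fix = "hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n  00"
    print("lsafix.reg sets:", reg_multi_sz_decode(fix))
    print("re-encoded     :", reg_multi_sz_encode(DEFAULT_AUTH_PACKAGES and list(DEFAULT_AUTH_PACKAGES)))
```

Running it prints the rogue path as the only entry outside the baseline and shows that the `hex(7)` line in the fix decodes to exactly `msv1_0`, so merging it removes the extra module and nothing else. The same decode/encode pair works for the neighbouring `SecurityProviders` and `Notification Packages` values, which are the other LSA load points a cleanup should compare against a clean reference machine.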