Trojan?

Recently my brother decided to download a program that put a trojan on my computer. Pop-ups would keep coming and soon enough I would get an error and the taskbar and icons disappeared. I deleted the program and ran AVG; it deleted the trojans, but pop-ups are still coming. My HJT log is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:47 PM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Documents and Settings\Faja\Application Data\U3\0000187FC57067D4\LaunchPad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [c4b12dfa] rundll32.exe "C:\WINDOWS\system32\rnisrbni.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203873834343
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--
End of file - 6295 bytes
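The log above is what the helpers in this thread read by eye. As an added example, not part of the original post or of HijackThis itself, the script below runs a few of the same triage heuristics over lines copied from the two HJT logs posted in this thread: a Run value whose name is random hex and whose rundll32 target is called through a one-letter export, a bare executable sitting in the all-users Startup folder, a Winlogon Notify DLL that no longer exists on disk, a service with no publisher, and orphaned entries marked `(no file)` / `(file missing)`. The entry-shape regexes, the severity levels and the single `asksbar` token (taken from the helper's remark on Ask Toolbar) are assumptions of this example; a hit means "look closer", not "this is malware".

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not part of HijackThis or the original post.
The sample lines are copied from the two HJT logs posted above; the scoring
rules are assumptions modelled on how a removal helper reads a log.
"""
import re
from collections import Counter

# Lines copied from the logs posted in the thread (first and second scan).
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [c4b12dfa] rundll32.exe "C:\WINDOWS\system32\rnisrbni.dll",b
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
'''

# Entry shapes as they appear in the posted logs (assumed; HJT has more types).
O4_RUN = re.compile(r"^O4 - (HK\S*?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global|User) Startup: (.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?,\s*(\S+)', re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)
DEAD_REF = re.compile(r"\((?:no file|file missing)\)", re.I)
# Unwanted-toolbar tokens; only the one the helper names in this thread.
PUP_TOKENS = ("asksbar",)


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT line."""
    out = []
    if DEAD_REF.search(line):
        out.append(("low", "referenced file is gone; dead entry, fix it in HJT"))
    m = O4_RUN.match(line)
    if m:
        _hive, name, cmd = m.groups()
        if HEX_NAME.match(name):
            out.append(("high", f"Run value name '{name}' is random hex"))
        r = RUNDLL.search(cmd)
        if r and len(r.group(2)) == 1:
            out.append(("high", f"rundll32 loads {r.group(1)} via one-letter export '{r.group(2)}'"))
    m = O4_STARTUP.match(line)
    if m and ".lnk" not in m.group(1) and "\\" not in m.group(1):
        out.append(("medium", f"'{m.group(1)}' is a bare executable in the Startup folder, not a shortcut"))
    m = O20_NOTIFY.match(line)
    if m:
        out.append(("high", f"Winlogon Notify DLL '{m.group(1)}' is a persistence hook; verify it"))
    m = O23_SERVICE.match(line)
    if m and m.group(2).strip().lower() == "unknown owner":
        out.append(("medium", f"service '{m.group(1)}' has no publisher"))
    if any(t in line.lower() for t in PUP_TOKENS):
        out.append(("medium", "Ask Toolbar: uninstall via Add/Remove Programs"))
    return out


def triage(log_text):
    """Run triage_line over a whole log; returns finding dicts, worst first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for severity, reason in triage_line(line):
            findings.append({"severity": severity, "reason": reason, "line": line})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


def severity_counts(findings):
    """Counter of findings per severity, for a one-line summary."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line'][:90]}")
    print(dict(severity_counts(results)))
```

The two vendor lines (NvCplDaemon, NVSvc) produce no findings, which is the point of keeping the rules narrow: a hex-only value name and a one-letter rundll32 export are cheap to check and rarely appear in legitimate software, while "Unknown owner" on a service is only a prompt to look up the binary (here it is WinPcap's remote capture daemon, which is why the helper had it fixed rather than treated as the infection).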

Comments

  • edited May 2008
    Hello Bigciccone,

    Infection is showing here. Let's take a more detailed view and then start repairs. The log also shows you have Ask Toolbar installed. IAC Search and Media, who create and distribute their well-known MyWebSearch adware/spyware, would prefer folks did not associate the two very similar pieces of software. Same Popswatter, same registry changes. I would suggest you opt to uninstall this through Add/Remove Programs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's taskbar icons, or accessing each software through Start - Programs.


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens, click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your taskbar. Maximize/open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder.)

    You can use extra posts here if needed for that.
  • edited May 2008
    Okay, I made some progress on my own because I was freaking out without having a computer. It was working normally and well, still is, but better safe than sorry.

    I went into Add/Remove Programs and I found Ask Toolbar, but when I went to delete it there was an error: it couldn't find the DLL.

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: AMD Sempron(tm) Processor LE-1150
    Percentage of Memory in Use: 69%
    Physical Memory (total/avail): 446.42 MiB / 136.78 MiB
    Pagefile Memory (total/avail): 1054.62 MiB / 621.95 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1981.99 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 149.04 GiB total, 101.93 GiB free.
    D: is CDROM (Unformatted)
    E: is CDROM (CDFS)
    F: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - MAXTOR STM3160215AS - 149.05 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FirstRunDisabled is set.

    FW: ZoneAlarm Pro Firewall v7.0.470.000 (Check Point, LTD.) Disabled
    AV: AVG 7.5.524 v7.5.524 (Grisoft)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Faja\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DAD-F5E715AB27F
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Faja
    LOGONSERVER=\\DAD-F5E715AB27F
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 127 Stepping 1, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=7f01
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Faja\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Faja\LOCALS~1\Temp
    tvdumpflags=8
    USERDOMAIN=DAD-F5E715AB27F
    USERNAME=Faja
    USERPROFILE=C:\Documents and Settings\Faja
    windir=C:\WINDOWS


    -- User Profiles

    Faja (admin)
    Administrator (admin)


    -- Add/Remove Programs

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    1Click DVD Copy 5.4.3.8 --> "C:\Program Files\LG Software Innovations\1Click DVD Copy 5\unins000.exe"
    AC-3 ACM Codec --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AC3ACM.inf
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    AIM 6 --> C:\Program Files\AIM6\uninst.exe
    Air USB Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2CA94ED4-F38D-44B4-A79D-E5835E276EFC}
    AnyDVD --> "C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD-uninst.exe" /D="C:\Documents and Settings\Faja\Desktop\AnyDVD"
    Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
    Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
    Ares 2.0.9 --> "C:\Program Files\Ares\uninstall.exe"
    Ashampoo Burning Studio 7.21 --> "C:\Program Files\Ashampoo\Ashampoo Burning Studio 7\unins000.exe"
    Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    Cheetah DVD Burner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD01E97F-2A6A-495E-BE38-22C7B80F3CD7}\Setup.exe"
    CloneDVD 4.1.0.23 --> "C:\Program Files\CloneDVD\unins000.exe"
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DVD43 v4.2.0 --> "C:\Program Files\dvd43\unins000.exe"
    DVDFab Platinum 4.1.0.2 Ghosthunter release --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
    Grand Theft Auto Vice City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Internet Explorer 7 (KB947864) --> "C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
    ImgBurn --> "C:\Program Files\ImgBurn\uninstall.exe"
    iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
    Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Internationalized Domain Names Mitigation APIs --> "C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs --> "C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
    NIOC Service --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BCF4E5BE-C249-4ED3-BA3B-C4257C743995}
    NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
    QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
    Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
    Security Update for Windows Internet Explorer 7 (KB938127) --> "C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB942615) --> "C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB944533) --> "C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
    TRENDnet TEW-424UB Wireless USB 2.0 Adapter Driver and Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{C43421C0-0DCB-4F26-8A3B-BF16155F9879}
    Windows Genuine Advantage Notifications (KB905474) -->
    Windows Genuine Advantage Validation Tool (KB892130) -->
    Windows Internet Explorer 7 --> "C:\WINDOWS\ie7\spuninst\spuninst.exe"
    Windows Media Format 11 runtime --> "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11 --> "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows Media Player 11 --> "C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    WZCBDL Service --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{26595B84-25F5-43E2-9696-B1720E813850}
    Xilisoft DVD Copy Express --> C:\Program Files\Xilisoft\DVD Copy Express\Uninstall.exe
    ZoneAlarm Pro --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


    -- Application Event Log

    Event Record #/Type546 / Error
    Event Submitted/Written: 05/02/2008 07:03:46 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application Ares.exe, version 2.0.9.3030, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type545 / Error
    Event Submitted/Written: 05/02/2008 07:00:16 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application Ares.exe, version 2.0.9.3030, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type544 / Error
    Event Submitted/Written: 05/02/2008 06:58:23 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application Ares.exe, version 2.0.9.3030, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type538 / Error
    Event Submitted/Written: 05/02/2008 06:44:34 PM
    Event ID/Source: 5000 / .NET Runtime 2.0 Error Reporting
    Event Description:
    EventType clr20r3, P1 sharepod.exe, P2 3.6.3.0, P3 47568eb6, P4 sharepod, P5 3.6.3.0, P6 47568eb6, P7 68, P8 6, P9 clr20r30, P10 clr20r31.

    Event Record #/Type513 / Warning
    Event Submitted/Written: 04/28/2008 10:31:03 PM
    Event ID/Source: 1015 / MsiInstaller
    Event Description:
    Failed to connect to server. Error: 0x8007043C



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type7711 / Warning
    Event Submitted/Written: 05/05/2008 01:25:00 PM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Event Record #/Type7710 / Error
    Event Submitted/Written: 05/05/2008 05:19:01 AM
    Event ID/Source: 4319 / NetBT
    Event Description:
    A duplicate name has been detected on the TCP network. The IP address of
    the machine that sent the message is in the data. Use nbtstat -n in a
    command window to see which name is in the Conflict state.

    Event Record #/Type7709 / Error
    Event Submitted/Written: 05/05/2008 05:13:48 AM
    Event ID/Source: 4321 / NetBT
    Event Description:
    The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.46.
    The machine with the IP address 192.168.1.44 did not allow the name to be claimed by
    this machine.

    Event Record #/Type7708 / Error
    Event Submitted/Written: 05/05/2008 05:08:38 AM
    Event ID/Source: 4321 / NetBT
    Event Description:
    The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.46.
    The machine with the IP address 192.168.1.44 did not allow the name to be claimed by
    this machine.

    Event Record #/Type7707 / Error
    Event Submitted/Written: 05/05/2008 05:03:27 AM
    Event ID/Source: 4321 / NetBT
    Event Description:
    The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.1.46.
    The machine with the IP address 192.168.1.44 did not allow the name to be claimed by
    this machine.



    -- End of Deckard's System Scanner: finished at 2008-05-05 13:41:26
  • edited May 2008
    Deckard's System Scanner v20071014.68
    Run by Faja on 2008-05-05 13:40:13
    Computer is in Normal Mode.

    Backed up registry hives.

    Total Physical Memory: 447 MiB (512 MiB recommended).


    -- HijackThis (run as Faja.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:40:49 PM, on 5/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Faja\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Faja.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Reboot.exe
    O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203873834343
    O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

    --
    End of file - 5620 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080429-193820-287 O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    backup-20080429-193820-901 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    backup-20080429-193820-910 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    backup-20080429-193821-438 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

    -- File Associations

    .bat - batfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-153
    .bat - batfile - shell\open\command - "%1" %*
    .bat - batfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1
    .cmd - cmdfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-153
    .cmd - cmdfile - shell\open\command - "%1" %*
    .cmd - cmdfile - shell\edit\command - %SystemRoot%\System32\NOTEPAD.EXE %1
    .chm - chm.file - DefaultIcon - C:\WINDOWS\hh.exe,0
    .chm - chm.file - shell\open\command - "C:\WINDOWS\hh.exe" %1
    .com - comfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,2
    .com - comfile - shell\open\command - "%1" %*
    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
    .exe - exefile - DefaultIcon - %1
    .exe - exefile - shell\open\command - "%1" %*
    .hlp - hlpfile - DefaultIcon - %SystemRoot%\System32\shell32.dll,23
    .hlp - hlpfile - shell\open\command - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
    .inf - inffile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
    .ini - inifile - shell\open\command - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - DefaultIcon - %SystemRoot%\System32\WScript.exe,3
    .js - JSFile - shell\open\command - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - CLSID - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - shell\open\command - "%1" %*
    .reg - regfile - DefaultIcon - %SystemRoot%\regedit.exe,1
    .reg - regfile - shell\open\command - regedit.exe "%1"
    .reg - regfile - shell\edit\command - %SystemRoot%\system32\NOTEPAD.EXE %1
    .scr - scrfile - shell\open\command - "%1" /S
    .txt - txtfile - DefaultIcon - %SystemRoot%\system32\shell32.dll,-152
    .txt - txtfile - shell\open\command - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - DefaultIcon - %SystemRoot%\System32\WScript.exe,2
    .vbs - VBSFile - shell\open\command - %SystemRoot%\System32\WScript.exe "%1" %*
    .vbs - VBSFile - shell\edit\command - %SystemRoot%\System32\Notepad.exe %1

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 ACPI (Microsoft ACPI Driver) - c:\windows\system32\drivers\acpi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 atapi (Standard IDE/ESDI Hard Disk Controller) - c:\windows\system32\drivers\atapi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 Disk (Disk Driver) - c:\windows\system32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 dmio (Logical Disk Manager Driver) - c:\windows\system32\drivers\dmio.sys <Not Verified; Microsoft Corp., Veritas Software; VERITAS® NT Disk Manager>
    R0 dmload - c:\windows\system32\drivers\dmload.sys <Not Verified; Microsoft Corp., Veritas Software.; Logical Disk Manager for Windows NT>
    R0 FltMgr - c:\windows\system32\drivers\fltmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 Ftdisk (Volume Manager Driver) - c:\windows\system32\drivers\ftdisk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 isapnp (PnP ISA/EISA Bus Driver) - c:\windows\system32\drivers\isapnp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 KSecDD - c:\windows\system32\drivers\ksecdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 MountMgr - c:\windows\system32\drivers\mountmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 Mup - c:\windows\system32\drivers\mup.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 NDIS (NDIS System Driver) - c:\windows\system32\drivers\ndis.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 nvata - c:\windows\system32\drivers\nvata.sys <Not Verified; NVIDIA Corporation; NVIDIA nForce(TM) IDE Driver>
    R0 PartMgr - c:\windows\system32\drivers\partmgr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 PCI (PCI Bus Driver) - c:\windows\system32\drivers\pci.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 PCIIde - c:\windows\system32\drivers\pciide.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 sptd - c:\windows\system32\drivers\sptd.sys
    R0 sr (System Restore Filter Driver) - c:\windows\system32\drivers\sr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 srescan - c:\windows\system32\zonelabs\srescan.sys <Not Verified; Zone Labs, LLC; srescanner>
    R0 VolSnap - c:\windows\system32\drivers\volsnap.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R0 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - c:\windows\system32\drivers\wudfpf.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 AFD - c:\windows\system32\drivers\afd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 AVG Anti-Spyware Driver - c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
    R1 Avg7Core (AVG7 Kernel) - c:\windows\system32\drivers\avg7core.sys <Not Verified; GRISOFT, s.r.o.; AVG Anti-Virus system>
    R1 Avg7RsW (AVG7 Wrap Driver) - c:\windows\system32\drivers\avg7rsw.sys <Not Verified; GRISOFT, s.r.o.; AVG Anti-Virus System>
    R1 Avg7RsXP (AVG7 Resident Driver XP) - c:\windows\system32\drivers\avg7rsxp.sys <Not Verified; GRISOFT, s.r.o.; AVG Anti-Virus system>
    R1 AvgAsCln (AVG Anti-Spyware Clean Driver) - c:\windows\system32\drivers\avgascln.sys <Not Verified; GRISOFT, s.r.o.; AVG7 Clean Driver>
    R1 AvgClean (AVG7 Clean Driver) - c:\windows\system32\drivers\avgclean.sys <Not Verified; GRISOFT, s.r.o.; AVG7 Clean Driver>
    R1 Beep - c:\windows\system32\drivers\beep.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Cdrom (CD-ROM Driver) - c:\windows\system32\drivers\cdrom.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
    R1 Fips - c:\windows\system32\drivers\fips.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 i8042prt (i8042 Keyboard and PS/2 Mouse Port Driver) - c:\windows\system32\drivers\i8042prt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Imapi (CD-Burning Filter Driver) - c:\windows\system32\drivers\imapi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 IPSec (IPSEC driver) - c:\windows\system32\drivers\ipsec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Kbdclass (Keyboard Class Driver) - c:\windows\system32\drivers\kbdclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 mnmdd - c:\windows\system32\drivers\mnmdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Mouclass (Mouse Class Driver) - c:\windows\system32\drivers\mouclass.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 MRxSmb - c:\windows\system32\drivers\mrxsmb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Msfs - c:\windows\system32\drivers\msfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 NetBIOS (NetBIOS Interface) - c:\windows\system32\drivers\netbios.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 NetBT (NetBios over Tcpip) - c:\windows\system32\drivers\netbt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Npfs - c:\windows\system32\drivers\npfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Null - c:\windows\system32\drivers\null.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Processor (Processor Driver) - c:\windows\system32\drivers\processr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 RasAcd (Remote Access Auto Connection Driver) - c:\windows\system32\drivers\rasacd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Rdbss - c:\windows\system32\drivers\rdbss.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 RDPCDD - c:\windows\system32\drivers\rdpcdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 redbook (Digital CD Audio Playback Filter Driver) - c:\windows\system32\drivers\redbook.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Serial (Serial port driver) - c:\windows\system32\drivers\serial.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 Tcpip (TCP/IP Protocol Driver) - c:\windows\system32\drivers\tcpip.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 TermDD (Terminal Device Driver) - c:\windows\system32\drivers\termdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 VgaSave - c:\windows\system32\drivers\vga.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R1 vsdatant - c:\windows\system32\vsdatant.sys <Not Verified; Zone Labs, LLC; TrueVector Device Driver>
    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
    R2 AvgTdi (AVG Network Redirector) - c:\windows\system32\drivers\avgtdi.sys <Not Verified; GRISOFT, s.r.o.; AVG Anti-Virus System>
    R2 NIOC (NIOC Service) - c:\windows\system32\nioc.sys <Not Verified; D-Link Corporation; NIOC (NT5) Driver>
    R2 ParVdm - c:\windows\system32\drivers\parvdm.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 zumbus (Zune Bus Enumerator Driver) - c:\windows\system32\drivers\zumbus.sys <Not Verified; Microsoft Corporation; Zune®>
    R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
    R3 audstub (Audio Stub Driver) - c:\windows\system32\drivers\audstub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>
    R3 Fdc (Floppy Disk Controller Driver) - c:\windows\system32\drivers\fdc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Flpydisk (Floppy Disk Driver) - c:\windows\system32\drivers\flpydisk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 GEARAspiWDM - c:\windows\system32\drivers\gearaspiwdm.sys <Not Verified; GEAR Software Inc.; CD DVD Filter>
    R3 Gpc (Generic Packet Classifier) - c:\windows\system32\drivers\msgpc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - c:\windows\system32\drivers\hdaudbus.sys <Not Verified; Windows (R) Server 2003 DDK provider; Microsoft® Windows® Operating System>
    R3 HTTP - c:\windows\system32\drivers\http.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhdaud.sys <Not Verified; Realtek Semiconductor Corp.; Realtek(r) High Definition Audio Function Driver (HRTF data Copyright 1994 by MIT Media Lab)>
    R3 IpNat (IP Network Address Translator) - c:\windows\system32\drivers\ipnat.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 kmixer (Microsoft Kernel Wave Audio Mixer) - c:\windows\system32\drivers\kmixer.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 MRxDAV (WebDav Client Redirector) - c:\windows\system32\drivers\mrxdav.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 mssmbios (Microsoft System Management BIOS Driver) - c:\windows\system32\drivers\mssmbios.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 NdisTapi (Remote Access NDIS TAPI Driver) - c:\windows\system32\drivers\ndistapi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Ndisuio (NDIS Usermode I/O Protocol) - c:\windows\system32\drivers\ndisuio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 NdisWan (Remote Access NDIS WAN Driver) - c:\windows\system32\drivers\ndiswan.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 NDProxy (NDIS Proxy) - c:\windows\system32\drivers\ndproxy.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 nv - c:\windows\system32\drivers\nv4_mini.sys <Not Verified; NVIDIA Corporation; NVIDIA Compatible Windows 2000 Miniport Driver, Version 91.63>
    R3 Parport (Parallel port driver) - c:\windows\system32\drivers\parport.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    R3 PptpMiniport (WAN Miniport (PPTP)) - c:\windows\system32\drivers\raspptp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 PSched (QoS Packet Scheduler) - c:\windows\system32\drivers\psched.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Ptilink (Direct Parallel Link Driver) - c:\windows\system32\drivers\ptilink.sys <Not Verified; Parallel Technologies, Inc.; Microsoft® Windows® Operating System>
    R3 Rasl2tp (WAN Miniport (L2TP)) - c:\windows\system32\drivers\rasl2tp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 RasPppoe (Remote Access PPPOE Driver) - c:\windows\system32\drivers\raspppoe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Raspti (Direct Parallel) - c:\windows\system32\drivers\raspti.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 rdpdr (Terminal Server Device Redirector Driver) - c:\windows\system32\drivers\rdpdr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 RTL8187B (TRENDnet TEW-424UB 54M USB Dongle) - c:\windows\system32\drivers\rtl8187b.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8187B Wireless USB 2.0 Adapter>
    R3 serenum (Serenum Filter Driver) - c:\windows\system32\drivers\serenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R3 Srv - c:\windows\system32\drivers\srv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 swenum (Software Bus Driver) - c:\windows\system32\drivers\swenum.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
    R3 sysaudio (Microsoft Kernel System Audio Device) - c:\windows\system32\drivers\sysaudio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Update (Microcode Update Driver) - c:\windows\system32\drivers\update.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - c:\windows\system32\drivers\usbehci.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 usbhub (USB2 Enabled Hub) - c:\windows\system32\drivers\usbhub.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 usbohci (Microsoft USB Open Host Controller Miniport Driver) - c:\windows\system32\drivers\usbohci.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Wanarp (Remote Access IP ARP Driver) - c:\windows\system32\drivers\wanarp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Wdf01000 - c:\windows\system32\drivers\wdf01000.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 wdmaud (Microsoft WINMM WDM Audio Compatibility Driver) - c:\windows\system32\drivers\wdmaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R4 Cdfs - c:\windows\system32\drivers\cdfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R4 Fastfat - c:\windows\system32\drivers\fastfat.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R4 Ntfs - c:\windows\system32\drivers\ntfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

    S1 Cdaudio - c:\windows\system32\drivers\cdaudio.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S1 Sfloppy - c:\windows\system32\drivers\sfloppy.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 aec (Microsoft Kernel Acoustic Echo Canceller) - c:\windows\system32\drivers\aec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 AsyncMac (RAS Asynchronous Media Driver) - c:\windows\system32\drivers\asyncmac.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 Atmarpc (ATM ARP Client Protocol) - c:\windows\system32\drivers\atmarpc.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 DMusic (Microsoft Kernel DLS Syntheiszer) - c:\windows\system32\drivers\dmusic.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 drmkaud (Microsoft Kernel DRM Audio Descrambler) - c:\windows\system32\drivers\drmkaud.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 IpFilterDriver (IP Traffic Filter Driver) - c:\windows\system32\drivers\ipfltdrv.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 IRENUM (IR Enumerator Service) - c:\windows\system32\drivers\irenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 Modem - c:\windows\system32\drivers\modem.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 MSKSSRV (Microsoft Streaming Service Proxy) - c:\windows\system32\drivers\mskssrv.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
    S3 MSPCLOCK (Microsoft Streaming Clock Proxy) - c:\windows\system32\drivers\mspclock.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
    S3 MSPQM (Microsoft Streaming Quality Manager Proxy) - c:\windows\system32\drivers\mspqm.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 NwlnkFlt (IPX Traffic Filter Driver) - c:\windows\system32\drivers\nwlnkflt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 NwlnkFwd (IPX Traffic Forwarder Driver) - c:\windows\system32\drivers\nwlnkfwd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 PRISM_USB (D-Link Air DWL-122 Wireless USB Adapter Driver) - c:\windows\system32\drivers\prismusb.sys <Not Verified; Intersil Americas Inc.; PRISM Wireless LAN>
    S3 RDPWD - c:\windows\system32\drivers\rdpwd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 Secdrv - c:\windows\system32\drivers\secdrv.sys <Not Verified; Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.; Macrovision SECURITY Driver>
    S3 splitter (Microsoft Kernel Audio Splitter) - c:\windows\system32\drivers\splitter.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 swmidi (Microsoft Kernel GS Wavetable Synthesizer) - c:\windows\system32\drivers\swmidi.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 TDPIPE - c:\windows\system32\drivers\tdpipe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 TDTCP - c:\windows\system32\drivers\tdtcp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>
    S3 USBSTOR (USB Mass Storage Driver) - c:\windows\system32\drivers\usbstor.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - c:\windows\system32\drivers\wudfrd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 ACPIEC - c:\windows\system32\drivers\acpiec.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 cbidf2k - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 dmboot - c:\windows\system32\drivers\dmboot.sys <Not Verified; Microsoft Corp., Veritas Software; VERITAS® NT Disk Manager>
    S4 Pcmcia - c:\windows\system32\drivers\pcmcia.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 Udfs - c:\windows\system32\drivers\udfs.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 AudioSrv (Windows Audio) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 AVG Anti-Spyware Guard - c:\program files\grisoft\avg anti-spyware 7.5\guard.exe <Not Verified; GRISOFT s.r.o.; AVG Anti-Spyware>
    R2 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe <Not Verified; GRISOFT, s.r.o.; AVG Anti-Virus system>
    R2 Avg7UpdSvc (AVG7 Update Service) - c:\progra~1\grisoft\avg7\avgupsvc.exe <Not Verified; GRISOFT, s.r.o.; AVG 7.5 Anti-Virus System>
    R2 AVGEMS (AVG E-mail Scanner) - c:\progra~1\grisoft\avg7\avgemc.exe <Not Verified; GRISOFT, s.r.o.; AVG Anti-Virus system>
    R2 Browser (Computer Browser) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 DcomLaunch (DCOM Server Process Launcher) - c:\windows\system32\svchost -k dcomlaunch <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 Dhcp (DHCP Client) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 dmserver (Logical Disk Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 Dnscache (DNS Client) - c:\windows\system32\svchost.exe -k networkservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 ERSvc (Error Reporting Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 Eventlog (Event Log) - c:\windows\system32\services.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 helpsvc (Help and Support) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 lanmanserver (Server) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 lanmanworkstation (Workstation) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 LmHosts (TCP/IP NetBIOS Helper) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 MDM (Machine Debug Manager) - "c:\program files\common files\microsoft shared\vs7debug\mdm.exe" <Not Verified; Microsoft Corporation; Microsoft® Visual Studio .NET>
    R2 NVSvc (NVIDIA Display Driver Service) - c:\windows\system32\nvsvc32.exe <Not Verified; NVIDIA Corporation; NVIDIA Driver Helper Service, Version 91.63>
    R2 PlugPlay (Plug and Play) - c:\windows\system32\services.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 PolicyAgent (IPSEC Services) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 ProtectedStorage (Protected Storage) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 RemoteRegistry (Remote Registry) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 RpcSs (Remote Procedure Call (RPC)) - c:\windows\system32\svchost -k rpcss <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 SamSs (Security Accounts Manager) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 Schedule (Task Scheduler) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 seclogon (Secondary Logon) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 SENS (System Event Notification) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 ShellHWDetection (Shell Hardware Detection) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 Spooler (Print Spooler) - c:\windows\system32\spoolsv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 srservice (System Restore Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 Themes - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 TrkWks (Distributed Link Tracking Client) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 W32Time (Windows Time) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 WebClient - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 winmgmt (Windows Management Instrumentation) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 wscsvc (Security Center) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 wuauserv (Automatic Updates) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - c:\windows\system32\svchost.exe -k wudfservicegroup <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 WZCBDLService (WZCBDL Service) - "c:\program files\wzcbdl service\wzcbdls.exe" <Not Verified; D-Link; WZCBDLService Launcher (NT)>
    R2 WZCSVC (Wireless Zero Configuration) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 ALG (Application Layer Gateway Service) - c:\windows\system32\alg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 CryptSvc (Cryptographic Services) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 EventSystem (COM+ Event System) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 FastUserSwitchingCompatibility (Fast User Switching Compatibility) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" <Not Verified; Apple Inc.; iTunes>
    R3 Netman (Network Connections) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Nla (Network Location Awareness (NLA)) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 RasMan (Remote Access Connection Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 SSDPSRV (SSDP Discovery Service) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 stisvc (Windows Image Acquisition (WIA)) - c:\windows\system32\svchost.exe -k imgsvc <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 TapiSrv (Telephony) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 TermService (Terminal Services) - c:\windows\system32\svchost -k dcomlaunch <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S2 vsmon (TrueVector Internet Monitor) - c:\windows\system32\zonelabs\vsmon.exe -service <Not Verified; Zone Labs, LLC; TrueVector Service>
    S3 AppMgmt (Application Management) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
    S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
    S3 BITS (Background Intelligent Transfer Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 CiSvc (Indexing Service) - c:\windows\system32\cisvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
    S3 COMSysApp (COM+ System Application) - c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235} <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 dmadmin (Logical Disk Manager Administrative Service) - c:\windows\system32\dmadmin.exe /com <Not Verified; Microsoft Corp., Veritas Software; Logical Disk Manager for Windows NT>
    S3 HTTPFilter (HTTP SSL) - c:\windows\system32\svchost.exe -k httpfilter <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 IDriverT (InstallDriver Table Manager) - "c:\program files\common files\installshield\driver\1150\intel 32\idrivert.exe" <Not Verified; Macrovision Corporation; InstallShield>
    S3 ImapiService (IMAPI CD-Burning COM Service) - c:\windows\system32\imapi.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 mnmsrvc (NetMeeting Remote Desktop Sharing) - c:\windows\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
    S3 MSDTC (Distributed Transaction Coordinator) - c:\windows\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
    S3 MSIServer (Windows Installer) - c:\windows\system32\msiexec.exe /v <Not Verified; Microsoft Corporation; Windows Installer - Unicode>
    S3 Netlogon (Net Logon) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 NtLmSsp (NT LM Security Support Provider) - c:\windows\system32\lsass.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 NtmsSvc (Removable Storage) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 ose (Office Source Engine) - "c:\program files\common files\microsoft shared\source engine\ose.exe" <Not Verified; Microsoft Corporation; Office Source Engine>
    S3 RasAuto (Remote Access Auto Connection Manager) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 RDSessMgr (Remote Desktop Help Session Manager) - c:\windows\system32\sessmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 RpcLocator (Remote Procedure Call (RPC) Locator) - c:\windows\system32\locator.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 RSVP (QoS RSVP) - c:\windows\system32\rsvp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 SCardSvr (Smart Card) - c:\windows\system32\scardsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 SwPrv (MS Software Shadow Copy Provider) - c:\windows\system32\dllhost.exe /processid:{24fb67c7-b638-4abd-927f-623b27c8de83} <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 SysmonLog (Performance Logs and Alerts) - c:\windows\system32\smlogsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 upnphost (Universal Plug and Play Device Host) - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 UPS (Uninterruptible Power Supply) - c:\windows\system32\ups.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 VSS (Volume Shadow Copy) - c:\windows\system32\vssvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WmdmPmSN (Portable Media Serial Number Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 Wmi (Windows Management Instrumentation Driver Extensions) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "c:\program files\windows media player\wmpnetwk.exe" <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 xmlprov (Network Provisioning Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 Alerter - c:\windows\system32\svchost.exe -k localservice <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 ClipSrv (ClipBook) - c:\windows\system32\clipsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 HidServ (Human Interface Device Access) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 Messenger - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 NetDDE (Network DDE) - c:\windows\system32\netdde.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 NetDDEdsdm (Network DDE DSDM) - c:\windows\system32\netdde.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 RemoteAccess (Routing and Remote Access) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S4 TlntSvr (Telnet) - c:\windows\system32\tlntsvr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Device Manager: Disabled

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Other PCI Bridge Device
    Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_26091019&REV_A2\3&2411E6FE&0&38
    Manufacturer:
    Name: Other PCI Bridge Device
    PNP Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_26091019&REV_A2\3&2411E6FE&0&38
    Service:


    -- Scheduled Tasks

    2008-05-05 03:30:00 400 --a------ C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    2008-05-01 20:39:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-05 and 2008-05-05

    2008-05-05 13:39:07 0 d-------- C:\Deckard
    2008-05-02 19:02:43 0 d-------- C:\Program Files\Ares
    2008-05-02 18:51:17 0 d-------- C:\Program Files\QuickTime
    2008-05-02 15:49:40 0 dr-h----- C:\Documents and Settings\Faja\Recent
    2008-05-02 13:45:44 0 d--hs---- C:\Config.Msi
    2008-05-02 11:36:28 0 d-------- C:\Downloads
    2008-05-02 11:36:25 0 d-------- C:\Documents and Settings\Faja\Application Data\GetRightToGo
    2008-05-01 18:49:04 0 d-------- C:\Documents and Settings\LocalService\Desktop
    2008-05-01 18:26:02 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-05-01 18:25:58 71144 --a------ C:\WINDOWS\system32\vsregexp.dll <Not Verified; Zone Labs, LLC; TrueVector Service>
    2008-05-01 18:25:56 71144 --a------ C:\WINDOWS\system32\zlcommdb.dll <Not Verified; Zone Labs, LLC; ZLCommDB>
    2008-05-01 18:25:56 83432 --a------ C:\WINDOWS\system32\zlcomm.dll <Not Verified; Zone Labs, LLC; ZLComm>
    2008-05-01 18:25:52 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll <Not Verified; Python Software Foundation; Python>
    2008-05-01 18:25:52 99816 --a------ C:\WINDOWS\system32\vsxml.dll <Not Verified; Zone Labs, LLC; TrueVector Service>
    2008-05-01 18:25:52 46568 --a------ C:\WINDOWS\system32\vswmi.dll <Not Verified; Zone Labs, LLC; vsmon component>
    2008-05-01 18:25:51 0 d-------- C:\WINDOWS\system32\ZoneLabs
    2008-05-01 18:25:51 275944 --a------ C:\WINDOWS\system32\vspubapi.dll <Not Verified; Zone Labs, LLC; TrueVector Service>
    2008-05-01 18:25:51 103912 --a------ C:\WINDOWS\system32\vsmonapi.dll <Not Verified; Zone Labs, LLC; TrueVector Client Interface>
    2008-05-01 18:25:51 0 d-------- C:\Program Files\Zone Labs
    2008-05-01 18:25:50 394952 --a------ C:\WINDOWS\system32\vsdatant.sys <Not Verified; Zone Labs, LLC; TrueVector Device Driver>
    2008-05-01 18:24:47 472552 --a------ C:\WINDOWS\system32\vsutil.dll <Not Verified; Zone Labs, LLC; TrueVector Service>
    2008-05-01 18:24:47 161256 --a------ C:\WINDOWS\system32\vsinit.dll <Not Verified; Zone Labs, LLC; TrueVector Service>
    2008-05-01 18:24:47 83432 --a------ C:\WINDOWS\system32\vsdata.dll <Not Verified; Zone Labs, LLC; TrueVector Service DLL>
    2008-05-01 18:24:47 0 d-------- C:\WINDOWS\Internet Logs
    2008-05-01 17:31:07 0 d--hs---- C:\RECYCLER
    2008-05-01 14:44:07 0 d-------- C:\WINDOWS\TEMP
    2008-05-01 14:32:02 0 d-------- C:\WINDOWS\erdnt
    2008-05-01 14:31:43 68096 --a------ C:\WINDOWS\zip.exe
    2008-05-01 14:31:43 49152 --a------ C:\WINDOWS\VFind.exe
    2008-05-01 14:31:43 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-05-01 14:31:43 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-05-01 14:31:43 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-05-01 14:31:43 98816 --a------ C:\WINDOWS\sed.exe
    2008-05-01 14:31:43 28160 --a------ C:\WINDOWS\Nircmd.exe <Not Verified; NirSoft; NirCmd>
    2008-05-01 14:31:43 80412 --a------ C:\WINDOWS\grep.exe
    2008-05-01 14:31:43 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-28 20:29:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-04-28 18:32:44 0 d-------- C:\ConverterOutput
    2008-04-28 18:32:32 262144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
    2008-04-28 18:32:32 395776 --a------ C:\WINDOWS\system32\libmplayer.dll
    2008-04-28 18:32:32 112640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
    2008-04-28 18:32:32 2255360 --a------ C:\WINDOWS\system32\libavcodec.dll
    2008-04-28 18:32:32 34820 --a------ C:\WINDOWS\system32\ffdshow.reg
    2008-04-28 18:32:30 0 d-------- C:\Program Files\Cucusoft
    2008-04-27 17:36:08 0 d-------- C:\WINDOWS\Sun
    2008-04-27 17:36:08 0 d-------- C:\Documents and Settings\Faja\Application Data\Sun
    2008-04-27 14:03:55 0 d-------- C:\Documents and Settings\Faja\Application Data\Google
    2008-04-27 12:11:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2008-04-27 12:11:00 0 d-------- C:\Program Files\Google
    2008-04-27 12:10:35 139264 --a------ C:\WINDOWS\system32\javaws.exe <Not Verified; Sun Microsystems, Inc.; Java(TM) Platform SE 6 U5>
    2008-04-27 12:10:35 135168 --a------ C:\WINDOWS\system32\javaw.exe <Not Verified; Sun Microsystems, Inc.; Java(TM) Platform SE 6 U5>
    2008-04-27 12:10:35 135168 --a------ C:\WINDOWS\system32\java.exe <Not Verified; Sun Microsystems, Inc.; Java(TM) Platform SE 6 U5>
    2008-04-27 10:22:46 0 d-------- C:\Documents and Settings\Faja\Application Data\FrostWire
    2008-04-27 09:42:30 0 d-------- C:\Program Files\iPod
    2008-04-24 23:35:12 0 d--hs---- C:\Documents and Settings\Faja\!
    2008-04-24 23:33:59 0 d-------- C:\WINDOWS\system32\pnVes05
    2008-04-24 23:29:46 0 d-------- C:\Documents and Settings\Faja\Incomplete
    2008-04-24 23:28:46 0 d-------- C:\Documents and Settings\Faja\Application Data\LimeWire
    2008-04-24 23:27:57 0 d-------- C:\Program Files\Java
    2008-04-24 23:26:41 0 d-------- C:\Program Files\Common Files\Java
    2008-04-11 22:39:40 0 d-------- C:\Program Files\EA GAMES
    2008-04-11 21:41:50 442368 -ra------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>


    -- Find3M Report

    2008-05-03 08:29:45 0 d-------- C:\Documents and Settings\Faja\Application Data\AVG7
    2008-05-02 15:56:06 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-05-02 14:07:44 0 d-------- C:\Program Files\WinRAR
    2008-05-01 19:15:30 2048 --a-s---- C:\WINDOWS\bootstat.dat
    2008-05-01 19:15:26 704643072 --ahs---- C:\pagefile.sys
    2008-04-29 15:43:14 0 d-------- C:\Documents and Settings\Faja\Application Data\U3
    2008-04-27 09:53:00 0 d-------- C:\Program Files\Apple Software Update
    2008-04-27 09:42:54 0 d-------- C:\Program Files\iTunes
    2008-04-24 23:26:41 0 d-------- C:\Program Files\Common Files
    2008-04-18 18:25:04 0 d-------- C:\Program Files\Project64 1.6
    2008-04-13 03:02:53 400464 --a------ C:\WINDOWS\system32\perfh009.dat
    2008-04-13 03:02:53 60624 --a------ C:\WINDOWS\system32\perfc009.dat
    2008-04-13 03:02:16 0 d-------- C:\Program Files\Internet Explorer
    2008-04-09 03:09:30 239944 --a------ C:\WINDOWS\system32\FNTCACHE.DAT
    2008-04-06 01:56:20 19836024 --a------ C:\WINDOWS\system32\MRT.exe <Not Verified; Microsoft Corporation; Microsoft Windows Malicious Software Removal Tool>
    2008-04-04 12:03:04 0 d-------- C:\Documents and Settings\Faja\Application Data\Vso
    2008-04-03 23:24:36 0 d-------- C:\Program Files\CloneDVD
    2008-04-03 22:43:11 34 --a------ C:\Documents and Settings\Faja\Application Data\pcouffin.log
    2008-04-03 22:42:08 47360 --a------ C:\Documents and Settings\Faja\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-03 22:42:08 1144 --a------ C:\Documents and Settings\Faja\Application Data\pcouffin.inf
    2008-04-03 22:42:08 7176 --a------ C:\Documents and Settings\Faja\Application Data\pcouffin.cat
    2008-04-03 22:42:08 81920 --a------ C:\Documents and Settings\Faja\Application Data\ezpinst.exe
    2008-03-27 15:07:49 0 d-------- C:\Program Files\SlySoft
    2008-03-27 07:24:23 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-03-27 07:24:23 0 d-------- C:\Program Files\Cheetah Burner
    2008-03-27 07:24:16 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-03-27 00:43:13 0 d-------- C:\Program Files\DAEMON Tools Lite
    2008-03-27 00:35:46 0 d-------- C:\Documents and Settings\Faja\Application Data\DAEMON Tools
    2008-03-27 00:21:21 0 d-------- C:\Program Files\Rockstar Games
    2008-03-23 19:50:57 0 d---s---- C:\Documents and Settings\Faja\Application Data\Microsoft
    2008-03-23 08:21:58 0 d-------- C:\Program Files\dvd43
    2008-03-19 22:25:28 0 d-------- C:\Program Files\CCleaner
    2008-03-19 22:25:20 0 d-------- C:\Program Files\Yahoo!
    2008-03-19 22:09:16 0 d-------- C:\Program Files\Opera
    2008-03-19 14:21:05 0 d-------- C:\Documents and Settings\Faja\Application Data\WinRAR
    2008-03-19 13:41:49 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
    2008-03-19 12:55:31 0 d-------- C:\Program Files\LG Software Innovations
    2008-03-19 12:42:21 0 d-------- C:\Program Files\Common Files\Download Manager
    2008-03-19 05:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-03-17 22:06:38 0 d-------- C:\Program Files\Xilisoft
    2008-03-14 23:40:43 0 d-------- C:\Documents and Settings\Faja\Application Data\ImgBurn
    2008-03-14 19:26:11 0 d-------- C:\Program Files\ImgBurn
    2008-03-14 18:11:58 0 d-------- C:\Program Files\TRENDnet
    2008-03-13 20:49:51 0 d-------- C:\Program Files\DVDFab Platinum 4
    2008-03-13 20:22:45 0 d-------- C:\Documents and Settings\Faja\Application Data\RipIt4Me
    2008-03-13 20:15:51 87608 --a------ C:\Documents and Settings\Faja\Application Data\inst.exe
    2008-03-13 15:36:31 0 d-------- C:\Documents and Settings\Faja\Application Data\DivX
    2008-03-13 15:28:38 0 d-------- C:\Documents and Settings\Faja\Application Data\Ashampoo
    2008-03-13 15:25:19 0 d-------- C:\Program Files\Ashampoo
    2008-03-12 20:32:08 0 d-------- C:\Documents and Settings\Faja\Application Data\Apple Computer
    2008-03-12 00:16:23 0 d-------- C:\Program Files\DivX
    2008-03-11 21:25:06 0 d-------- C:\Program Files\Windows Media Player
    2008-03-10 23:01:11 0 d-------- C:\Program Files\Netflix
    2008-03-08 18:25:10 0 d-------- C:\Program Files\Trend Micro
    2008-03-07 21:44:12 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
    2008-03-07 21:41:19 0 d-------- C:\Documents and Settings\Faja\Application Data\InfraRecorder
    2008-03-06 17:02:11 0 d-------- C:\Program Files\Common Files\Apple
    2008-03-01 18:36:30 3591680 --a------ C:\WINDOWS\system32\mshtml.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 11:11:51 40 ---hs---- C:\Documents and Settings\Faja\Application Data\.zreglib
    2008-03-01 09:06:31 826368 --a------ C:\WINDOWS\system32\wininet.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:30 233472 --a------ C:\WINDOWS\system32\webcheck.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:30 1159680 --a------ C:\WINDOWS\system32\urlmon.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:29 105984 --a------ C:\WINDOWS\system32\url.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:29 44544 -----n--- C:\WINDOWS\system32\pngfilt.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:29 102912 -----n--- C:\WINDOWS\system32\occache.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:29 671232 -----n--- C:\WINDOWS\system32\mstime.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:28 193024 -----n--- C:\WINDOWS\system32\msrating.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:28 478208 -----n--- C:\WINDOWS\system32\mshtmled.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:26 52224 --a------ C:\WINDOWS\system32\msfeedsbs.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:26 459264 --a------ C:\WINDOWS\system32\msfeeds.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:25 27648 -----n--- C:\WINDOWS\system32\jsproxy.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:25 267776 --a------ C:\WINDOWS\system32\iertutil.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:24 44544 -----n--- C:\WINDOWS\system32\iernonce.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:24 6066176 --a------ C:\WINDOWS\system32\ieframe.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:22 384512 -----n--- C:\WINDOWS\system32\iedkcs32.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:22 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:21 230400 -----n--- C:\WINDOWS\system32\ieaksie.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:21 153088 -----n--- C:\WINDOWS\system32\ieakeng.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:21 63488 --a------ C:\WINDOWS\system32\icardie.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:21 133120 -----n--- C:\WINDOWS\system32\extmgr.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:21 214528 -----n--- C:\WINDOWS\system32\dxtrans.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:21 347136 -----n--- C:\WINDOWS\system32\dxtmsft.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 09:06:20 124928 --a------ C:\WINDOWS\system32\advpack.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-03-01 00:16:56 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
    2008-02-29 04:55:23 70656 -----n--- C:\WINDOWS\system32\ie4uinit.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-02-24 12:01:52 348160 --a------ C:\WINDOWS\system32\msvcr71.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Studio .NET>
    2008-02-24 12:01:52 499712 --a------ C:\WINDOWS\system32\msvcp71.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Studio .NET>
    2008-02-23 20:03:31 0 -rahs---- C:\MSDOS.SYS
    2008-02-23 20:03:31 0 -rahs---- C:\IO.SYS
    2008-02-23 20:03:31 0 --a------ C:\CONFIG.SYS
    2008-02-23 20:03:31 0 --a------ C:\AUTOEXEC.BAT
    2008-02-23 20:00:55 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2008-02-23 14:54:19 62 --ahs---- C:\Documents and Settings\Faja\Application Data\desktop.ini
    2008-02-22 06:00:51 13824 --a------ C:\WINDOWS\system32\ieudinit.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
    2008-02-20 02:51:05 282624 --a------ C:\WINDOWS\system32\gdi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-02-20 01:32:43 45568 --a------ C:\WINDOWS\system32\dnsrslvr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-02-20 01:32:43 148992 --a------ C:\WINDOWS\system32\dnsapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-02-15 01:44:25 161792 -----n--- C:\WINDOWS\system32\ieakui.dll <Not Verified; Microsoft Corporation; Windows® Internet Explorer>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/31/2006 02:35 AM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/31/2006 02:35 AM]
    "D-Link Air USB Utility"="C:\Program Files\D-Link\Air USB Utility\AirCFG.exe" [07/23/2003 09:21 AM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 09:21 AM]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
    "ares"="C:\Program Files\Ares\Ares.exe" [02/20/2008 10:33 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Reboot.exe [12/29/2006 6:35:16 AM]
    Wireless Configuration Utility HW.14.lnk - C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe [7/9/2007 3:43:00 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifCsroo]
    iifCsroo.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    "C:\Program Files\DNA\btdna.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4b12dfa]
    rundll32.exe "C:\WINDOWS\system32\mmmrutcs.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    C:\Program Files\dvd43\dvd43_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35275fa7-0a98-11dd-8677-0014d145a2fb}]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b49febcf-e23f-11dc-a251-806d6172696f}]
    AutoRun\command- D:\Setup.EXE

    *Newly Created Service* - SJYPKT



    -- End of Deckard's System Scanner: finished at 2008-05-05 13:41:26
  • edited May 2008
    Boy, gotta admit it just is tough coming along after the fact and trying to guess what changes have been made. You obviously ran ComboFix, so those loud beeps, alerts and warnings sUBs added to it again prove to be not real effective. Not posting this to be mean spirited, but just the reality that it could have seriously corrupted your system if run with the wrong scenario of software and infection there. Might notice that your CDs don't auto-start after running it, and your screensaver is not loading now.

    You really should not have used HijackThis to do those removals you did. One service is a packet sniffer software, and given the use of torrent software here is very likely part of one of your installed software there. And Ask toolbar has an uninstaller of its own in Add/Remove Programs, so having HijackThis take it out this way leaves many of its files and functions still installed/existing.

    Open HijackThis - Misc tools - Backups and Restore all those items now. Once you have done that you can try to uninstall Ask the normal way, though it might have been corrupted.


    I see some questionable enough files to suggest at least running a complete malware scan right now.


    Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    Post back that log please.
  • edited May 2008
    Ask toolbar wasn't there after I restored everything.

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, May 06, 2008 5:38:50 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 6/05/2008
    Kaspersky Anti-Virus database records: 742676

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 75704
    Number of viruses found: 3
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 01:05:32

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.g skipped
    C:\Documents and Settings\Faja\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___07 - geek usa [the smashing pumpkins cover].mp3 Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\Application Data\Ares\My Shared Folder\___ARESTRA___kill a celebrity (dc5628909).wma Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\History\History.IE5\MSHist012008050220080503\index.dat Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\Temp\~DFC6ED.tmp Object is locked skipped
    C:\Documents and Settings\Faja\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Faja\My Documents\American Pie 6 Beta House 2008.avi Infected: Trojan-Downloader.WMA.GetCodec.a skipped
    C:\Documents and Settings\Faja\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Faja\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{367EC7B4-0ED3-411C-A1C0-E283BB6E66C2}\RP6\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\DAD-F5E715AB27F.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\RTacDbg.txt Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{4B07003B-4B09-40C2-A601-122918F94066}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\Tools\Restart.exe Infected: not-a-virus:RiskTool.Win32.Reboot.j skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\ZLT051aa.TMP Object is locked skipped
    C:\WINDOWS\TEMP\ZLT051b0.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
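    A small triage script for the two report formats in this thread (the Kaspersky Online Scanner report above and the Registry Dump section of the Deckard's System Scanner log earlier), added here as an example; it is not a tool from the thread or from either vendor. The sample text is constructed from entries copied out of the logs posted above, and the flagging heuristics (an eight-hex-digit startupreg key name, rundll32 loading a DLL by a one-letter export, any Winlogon Notify DLL that DSS did not hide as a default) are this example's own assumptions about what a helper looks for, not rules from either tool.

```python
"""Triage helpers for a Kaspersky Online Scanner report and the Registry Dump
section of a Deckard's System Scanner (DSS) log.  Added example; the sample
text below is constructed from entries posted in the thread, not a new scan."""
import re
from dataclasses import dataclass

# Constructed sample in the Kaspersky "Infected Object Name / Virus Name /
# Last Action" line format.
KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.g skipped
C:\Documents and Settings\Faja\My Documents\American Pie 6 Beta House 2008.avi Infected: Trojan-Downloader.WMA.GetCodec.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\Tools\Restart.exe Infected: not-a-virus:RiskTool.Win32.Reboot.j skipped
"""

# Constructed sample in the DSS Registry Dump format: key in brackets, then
# one or more value lines, blank line between keys.
DSS_REGISTRY_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifCsroo]
iifCsroo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4b12dfa]
rundll32.exe "C:\WINDOWS\system32\mmmrutcs.dll",b
"""


@dataclass
class Finding:
    path: str
    detection: str  # Kaspersky verdict name


_KAV_LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<det>\S+)|Object is locked) skipped$")


def triage_kaspersky(report: str) -> dict:
    """Separate locked-file noise from riskware and real detections.

    'Object is locked' entries are in-use system files (registry hives, event
    logs, index.dat) and are normal; 'not-a-virus:' verdicts are tools a
    legitimate install may ship; anything else is a detection to act on.
    """
    out = {"locked": 0, "risktool": [], "malware": [], "unparsed": []}
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _KAV_LINE.match(line)
        if not m:
            out["unparsed"].append(line)
            continue
        det = m.group("det")
        if det is None:
            out["locked"] += 1
        elif det.startswith("not-a-virus:"):
            out["risktool"].append(Finding(m.group("path"), det))
        else:
            out["malware"].append(Finding(m.group("path"), det))
    return out


@dataclass
class AutorunFlag:
    key: str
    command: str
    reason: str


_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_HEX_LEAF = re.compile(r"^[0-9a-f]{8}$")          # assumption: random-looking name
_RUNDLL = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)


def parse_registry_dump(dump: str) -> list:
    """Return (key, value line) pairs; a key with several values yields several."""
    entries, key = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group("key")
        elif not line:
            key = None
        elif key is not None:
            entries.append((key, line))
    return entries


def flag_autoruns(entries) -> list:
    """Review heuristics (this example's assumptions, not DSS rules)."""
    flags = []
    for key, value in entries:
        leaf = key.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in key.lower():
            flags.append(AutorunFlag(key, value,
                "Winlogon Notify DLL (loaded into winlogon.exe; DSS hides defaults)"))
        m = _RUNDLL.match(value)
        if m and len(m.group("export")) <= 2:
            flags.append(AutorunFlag(key, value,
                "rundll32 loading %s by a short export name" % m.group("dll")))
        if _HEX_LEAF.match(leaf):
            flags.append(AutorunFlag(key, value, "random-looking 8-hex-digit key name"))
    return flags


if __name__ == "__main__":
    r = triage_kaspersky(KASPERSKY_SAMPLE)
    print("locked:", r["locked"], "riskware:", len(r["risktool"]))
    for f in r["malware"]:
        print("MALWARE", f.detection, f.path)
    for fl in flag_autoruns(parse_registry_dump(DSS_REGISTRY_SAMPLE)):
        print("REVIEW", fl.reason, "->", fl.key)
```

    Run against the sample, the Kaspersky half reports two locked files, two RiskTool hits and one real detection (the .avi carrying the GetCodec downloader), and the registry half flags the iifCsroo Winlogon Notify entry and the c4b12dfa rundll32 autorun while leaving iTunesHelper alone, which matches the items the helper singles out in the next post.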
  • edited May 2008
    Kaspersky looks okay - normally locked system functions and some function files likely used by some install, or one of the repairs you ran. Let's do some after-the-fact removals, clean some remnants, then one other solid scan check for hidden services and actions.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Go to Control Panel - Scheduled Tasks, and remove this remnant rogue software task:

    ErrorSmart Scheduled Scan

    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4b12dfa]
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)


    Download OTMoveIt2 by OldTimer to your desktop.

    Then click OTMoveIt2.exe to run it (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator").

    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):
    C:\WINDOWS\system32\pnVes05
    C:\WINDOWS\system32\mmmrutcs.dll
    

    Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".


    Then Download SDFix.exe and save it to your desktop.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the SDFix report.txt log and the OTMoveIt log please.
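    The O20 line above is exactly the kind of entry HijackThis marks as "(file missing)": a Winlogon Notify registration whose DLL is no longer on disk, leaving only the dangling registry entry to clean up. As an added example (not part of this thread, and not code from HijackThis or its author), the following Python reads a HijackThis log and pulls out the entries worth a second look: orphaned registrations marked "(no file)" or "(file missing)", autostarts whose executable lives under a user-writable location, and Startup-folder items that HijackThis lists by bare file name. The sample log is constructed from lines posted in this thread, with one invented O4 entry (AnyDVD under the user's Desktop) to exercise the location check; the section descriptions and the location heuristic are my own, not HijackThis output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# What each HijackThis section prefix means (standard HJT categories).
SECTION_DESC = {
    "R0": "IE start/search page value",
    "R1": "IE default page/search value",
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "Windows service",
}

# HJT's own markers for a registration whose target is gone from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Heuristic (my assumption, not an HJT rule): autostarts from these locations
# deserve a closer look, because any user-level process can write there.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\recycler\\")

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First drive-letter path ending in an executable-type extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl|scr)\b", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str
    text: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_hjt(log: str) -> List[HjtEntry]:
    """Turn the R*/O* lines of a HijackThis log into entries with review flags."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, 'Running processes' block, blank lines
        section, body = m.group(1), m.group(2)
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        flags = []
        if any(marker in body for marker in ORPHAN_MARKERS):
            flags.append("orphan")
        if path and any(loc in path.lower() for loc in USER_WRITABLE):
            flags.append("user-writable location")
        if section == "O4" and path is None and body.lower().endswith(".exe"):
            flags.append("unqualified executable name")
        entries.append(HjtEntry(section, line, path, flags))
    return entries


def triage(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


def report(entries: List[HjtEntry]) -> str:
    """Human-readable summary of the flagged entries, one block each."""
    out = []
    for e in triage(entries):
        desc = SECTION_DESC.get(e.section, "other")
        out.append(f"[{e.section}] {desc}: {', '.join(e.flags)}\n    {e.text}")
    return "\n".join(out)


# Constructed sample: lines taken from the logs posted in this thread, plus one
# invented O4 entry (AnyDVD on the Desktop) to exercise the location check.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:53 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AnyDVD] C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD.exe
O4 - Global Startup: Reboot.exe
O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
"""

if __name__ == "__main__":
    print(report(parse_hjt(SAMPLE_LOG)))
```

    A flag is a reason to look, not a verdict: an orphan is usually safe to fix because nothing loads any more, while a program under Documents and Settings may be perfectly legitimate (plenty of installers drop into the user profile) and has to be judged by what it is and who signed it.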
  • edited May 2008
    What dss.exe??

    I did everything else except that last part; I don't know where the dss.exe was supposed to come from.

    SDFix: Version 1.180
    Run by Faja on Thu 05/08/2008 at 07:24 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found

    C:\Documents and Settings\Faja\!\*.avi - 39271 File(s) 1,554,189,096 bytes - Deleted



    Folder C:\Documents and Settings\Faja\! - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-08 19:31:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools Lite\"
    "h0"=dword:00000000
    "khjeh"=hex:e8,2f,53,75,27,25,68,ee,fc,b9,0e,2a,a9,6c,2b,82,a0,b1,f8,2f,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,1b,21,c5,58,11,b4,3e,03,5f,3d,dd,83,fd,d7,79,f4,0d,..
    "khjeh"=hex:86,c0,13,ec,64,1e,8f,75,0e,9f,af,aa,4d,99,e9,98,35,52,b0,e1,59,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:ab,a9,14,60,b9,1a,1e,49,6e,de,85,50,8f,56,81,a1,74,89,e9,06,14,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools Lite\"
    "h0"=dword:00000000
    "khjeh"=hex:e8,2f,53,75,27,25,68,ee,fc,b9,0e,2a,a9,6c,2b,82,a0,b1,f8,2f,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,1b,21,c5,58,11,b4,3e,03,5f,3d,dd,83,fd,d7,79,f4,0d,..
    "khjeh"=hex:86,c0,13,ec,64,1e,8f,75,0e,9f,af,aa,4d,99,e9,98,35,52,b0,e1,59,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:ab,a9,14,60,b9,1a,1e,49,6e,de,85,50,8f,56,81,a1,74,89,e9,06,14,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sat 1 Mar 2008 24 ..SH. --- "C:\WINDOWS\S4E407693.tmp"
    Mon 10 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Tue 11 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT1.tmp"
    Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Faja\Application Data\U3\temp\Launchpad Removal.exe"

    Finished!
  • edited May 2008
    I don't mean to do anyone else's job but I assume that dss.exe is Deckard's System Scanner that Thomas referred to in the first reply to this thread :-)
  • edited May 2008
    Wow, completely overlooked that; I got rid of it..

    Deckard's System Scanner v20071014.68
    Run by Faja on 2008-05-08 20:40:51
    Computer is in Normal Mode.

    Total Physical Memory: 447 MiB (512 MiB recommended).


    -- HijackThis (run as Faja.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:40:53 PM, on 5/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Faja\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Faja.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Reboot.exe
    O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203873834343
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

    --
    End of file - 6034 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080508-190544-707 O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
    R2 NIOC (NIOC Service) - c:\windows\system32\nioc.sys <Not Verified; D-Link Corporation; NIOC (NT5) Driver>
    R3 catchme - c:\docume~1\faja\locals~1\temp\catchme.sys (file missing)
    R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>
    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    R3 RTL8187B (TRENDnet TEW-424UB 54M USB Dongle) - c:\windows\system32\drivers\rtl8187b.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8187B Wireless USB 2.0 Adapter>
    R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 WZCBDLService (WZCBDL Service) - "c:\program files\wzcbdl service\wzcbdls.exe" <Not Verified; D-Link; WZCBDLService Launcher (NT)>

    S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


    -- Device Manager: Disabled

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Other PCI Bridge Device
    Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_26091019&REV_A2\3&2411E6FE&0&38
    Manufacturer:
    Name: Other PCI Bridge Device
    PNP Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_26091019&REV_A2\3&2411E6FE&0&38
    Service:


    -- Scheduled Tasks

    2008-05-08 20:39:06 284 --a C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-08 and 2008-05-08

    2008-05-08 19:20:23 0 d C:\WINDOWS\ERUNT
    2008-05-06 14:24:26 0 d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-06 14:24:24 0 d C:\WINDOWS\system32\Kaspersky Lab
    2008-05-05 19:31:08 0 dr-h C:\Documents and Settings\Faja\Recent
    2008-05-02 19:02:43 0 d C:\Program Files\Ares
    2008-05-02 18:51:17 0 d C:\Program Files\QuickTime
    2008-05-02 11:36:28 0 d C:\Downloads
    2008-05-02 11:36:25 0 d C:\Documents and Settings\Faja\Application Data\GetRightToGo
    2008-05-01 18:49:04 0 d C:\Documents and Settings\LocalService\Desktop
    2008-05-01 18:26:02 4212 ---h C:\WINDOWS\system32\zllictbl.dat
    2008-05-01 18:25:51 0 d C:\WINDOWS\system32\ZoneLabs
    2008-05-01 18:24:47 0 d C:\WINDOWS\Internet Logs
    2008-05-01 14:31:43 68096 --a C:\WINDOWS\zip.exe
    2008-05-01 14:31:43 49152 --a C:\WINDOWS\VFind.exe
    2008-05-01 14:31:43 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-05-01 14:31:43 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-05-01 14:31:43 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-05-01 14:31:43 98816 --a C:\WINDOWS\sed.exe
    2008-05-01 14:31:43 80412 --a C:\WINDOWS\grep.exe
    2008-05-01 14:31:43 73728 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-28 20:29:40 0 d C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-04-28 18:32:44 0 d C:\ConverterOutput
    2008-04-28 18:32:32 262144 --a C:\WINDOWS\system32\TomsMoComp_ff.dll
    2008-04-28 18:32:32 395776 --a C:\WINDOWS\system32\libmplayer.dll
    2008-04-28 18:32:32 112640 --a C:\WINDOWS\system32\libmpeg2_ff.dll
    2008-04-28 18:32:32 2255360 --a C:\WINDOWS\system32\libavcodec.dll
    2008-04-28 18:32:32 34820 --a C:\WINDOWS\system32\ffdshow.reg
    2008-04-28 18:32:30 0 d C:\Program Files\Cucusoft
    2008-04-27 17:36:08 0 d C:\WINDOWS\Sun
    2008-04-27 17:36:08 0 d C:\Documents and Settings\Faja\Application Data\Sun
    2008-04-27 14:03:55 0 d C:\Documents and Settings\Faja\Application Data\Google
    2008-04-27 12:11:02 0 d C:\Documents and Settings\All Users\Application Data\Google
    2008-04-27 12:11:00 0 d C:\Program Files\Google
    2008-04-27 10:22:46 0 d C:\Documents and Settings\Faja\Application Data\FrostWire
    2008-04-27 09:42:30 0 d C:\Program Files\iPod
    2008-04-24 23:29:46 0 d C:\Documents and Settings\Faja\Incomplete
    2008-04-24 23:28:46 0 d C:\Documents and Settings\Faja\Application Data\LimeWire
    2008-04-24 23:27:57 0 d C:\Program Files\Java
    2008-04-24 23:26:41 0 d C:\Program Files\Common Files\Java
    2008-04-11 22:39:40 0 d C:\Program Files\EA GAMES
    2008-04-11 21:41:50 442368 -ra C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>


    -- Find3M Report

    2008-05-08 19:44:44 0 d C:\Documents and Settings\Faja\Application Data\AVG7
    2008-05-02 15:56:06 0 d C:\Program Files\Windows Media Connect 2
    2008-04-29 15:43:14 0 d C:\Documents and Settings\Faja\Application Data\U3
    2008-04-27 09:53:00 0 d C:\Program Files\Apple Software Update
    2008-04-27 09:42:54 0 d C:\Program Files\iTunes
    2008-04-24 23:26:41 0 d C:\Program Files\Common Files
    2008-04-18 18:25:04 0 d C:\Program Files\Project64 1.6
    2008-04-04 12:03:04 0 d C:\Documents and Settings\Faja\Application Data\Vso
    2008-04-03 23:24:36 0 d C:\Program Files\CloneDVD
    2008-04-03 22:43:11 34 --a C:\Documents and Settings\Faja\Application Data\pcouffin.log
    2008-04-03 22:42:08 47360 --a C:\Documents and Settings\Faja\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-03 22:42:08 1144 --a C:\Documents and Settings\Faja\Application Data\pcouffin.inf
    2008-04-03 22:42:08 7176 --a C:\Documents and Settings\Faja\Application Data\pcouffin.cat
    2008-04-03 22:42:08 81920 --a C:\Documents and Settings\Faja\Application Data\ezpinst.exe
    2008-03-27 15:07:49 0 d C:\Program Files\SlySoft
    2008-03-27 07:24:23 0 d--h C:\Program Files\InstallShield Installation Information
    2008-03-27 07:24:23 0 d C:\Program Files\Cheetah Burner
    2008-03-27 07:24:16 0 d C:\Program Files\Common Files\InstallShield
    2008-03-27 00:43:13 0 d C:\Program Files\DAEMON Tools Lite
    2008-03-27 00:35:46 0 d C:\Documents and Settings\Faja\Application Data\DAEMON Tools
    2008-03-27 00:21:21 0 d C:\Program Files\Rockstar Games
    2008-03-23 08:21:58 0 d C:\Program Files\dvd43
    2008-03-19 22:25:28 0 d C:\Program Files\CCleaner
    2008-03-19 22:25:20 0 d C:\Program Files\Yahoo!
    2008-03-19 22:09:16 0 d C:\Program Files\Opera
    2008-03-19 14:21:05 0 d C:\Documents and Settings\Faja\Application Data\WinRAR
    2008-03-19 12:55:31 0 d C:\Program Files\LG Software Innovations
    2008-03-19 12:42:21 0 d C:\Program Files\Common Files\Download Manager
    2008-03-17 22:06:38 0 d C:\Program Files\Xilisoft
    2008-03-14 23:40:43 0 d C:\Documents and Settings\Faja\Application Data\ImgBurn
    2008-03-14 19:26:11 0 d C:\Program Files\ImgBurn
    2008-03-14 18:11:58 0 d C:\Program Files\TRENDnet
    2008-03-13 20:49:51 0 d C:\Program Files\DVDFab Platinum 4
    2008-03-13 20:22:45 0 d C:\Documents and Settings\Faja\Application Data\RipIt4Me
    2008-03-13 15:36:31 0 d C:\Documents and Settings\Faja\Application Data\DivX
    2008-03-13 15:28:38 0 d C:\Documents and Settings\Faja\Application Data\Ashampoo
    2008-03-13 15:25:19 0 d C:\Program Files\Ashampoo
    2008-03-12 20:32:08 0 d C:\Documents and Settings\Faja\Application Data\Apple Computer
    2008-03-12 00:16:23 0 d C:\Program Files\DivX
    2008-03-10 23:01:11 0 d C:\Program Files\Netflix
    2008-03-08 18:25:10 0 d C:\Program Files\Trend Micro
    2008-03-07 21:44:12 14 --a C:\WINDOWS\system32\systeminfo3.dll
    2008-03-01 11:11:51 40 ---hs---- C:\Documents and Settings\Faja\Application Data\.zreglib
    2008-03-01 00:16:56 315392 --a C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
    2008-02-23 20:03:31 0 -rahs---- C:\MSDOS.SYS
    2008-02-23 20:03:31 0 -rahs---- C:\IO.SYS
    2008-02-23 20:03:31 0 --a C:\CONFIG.SYS
    2008-02-23 20:03:31 0 --a C:\AUTOEXEC.BAT
    2008-02-23 20:00:55 21640 --a C:\WINDOWS\system32\emptyregdb.dat
    2008-02-23 14:54:19 62 --ahs---- C:\Documents and Settings\Faja\Application Data\desktop.ini


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/31/2006 02:35 AM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/31/2006 02:35 AM]
    "D-Link Air USB Utility"="C:\Program Files\D-Link\Air USB Utility\AirCFG.exe" [07/23/2003 09:21 AM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 09:21 AM]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
    "ares"="C:\Program Files\Ares\Ares.exe" [02/20/2008 10:33 AM]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Reboot.exe [12/29/2006 6:35:16 AM]
    Wireless Configuration Utility HW.14.lnk - C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe [7/9/2007 3:43:00 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    "C:\Program Files\DNA\btdna.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    C:\Program Files\dvd43\dvd43_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35275fa7-0a98-11dd-8677-0014d145a2fb}]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b49febcf-e23f-11dc-a251-806d6172696f}]
    AutoRun\command- D:\Setup.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca205ed0-ee39-11dc-8660-000d88545b82}]
    AutoRun\command- G:\LaunchU3.exe -a




    -- End of Deckard's System Scanner: finished at 2008-05-08 20:41:31
  • edited May 2008
    I would really like to give you the A-OK on providing that tip Uppy, but once non-malware removal workers start providing those, at some point one will be the wrong tip, or something completely out of left field that will result in some undesirable changes. Appreciate the intent though.


    Looks cleaned up now Bigciccone, at least as far as malware is concerned. Your system has many startups disabled through msconfig. Too often when this diagnostic tool is used as a startup stopper, the person forgets they did the disabling, and then makes changes/uninstalls with the software. Leaves orphaned registry items, and some chance of corrupting the change or uninstall process. Much better to take the time and disable startups from within the software's options/settings locations. And those like RealPlayer, that make sure there is none? Some folks just decide they can do just fine without it. For us to do a more thorough cleaning here these startups will need to be enabled at least once though.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
    O4 - Global Startup: Reboot.exe



    Go to Start - Run, type msconfig (and Enter).

    Under the Startup and Services tabs, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs.


    After the reboot, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)



    As a mention, if you were wondering what these do there:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="C:\Program Files\DAEMON Tools Lite\"
    "h0"=dword:00000000
    "khjeh"=hex:e8,2f,53,75,27,25,68,ee,fc,b9,0e,2a,a9,6c,2b,82,a0,b1,f8,2f,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,1b,21,c5,58,11,b4,3e,03,5f,3d,dd,83,fd,d7,79,f4,0d,..
    "khjeh"=hex:86,c0,13,ec,64,1e,8f,75,0e,9f,af,aa,4d,99,e9,98,35,52,b0,e1,59,..

    Those are Daemon's hidden rootkit driver keys/values. The values are encrypted, so only the Daemon folks, business partners with the When-U adware that comes with their install, know their purposes. Unlike any other software I am aware of, these are not uninstalled when you uninstall Daemon Tools. From what the Daemon website indicates, this is to make reinstalling Daemon easier later.
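    The startupreg keys in the registry dump above are where msconfig parks startups that were disabled through its Startup tab, which is also why the earlier fix deleted one of them with a [-KEY] line in a .reg file. As an added example (not part of this thread, and not code from msconfig, Deckard's System Scanner or any other tool named here), the following Python reads those blocks out of a DSS registry dump, works out which file each disabled command line would actually load, checks whether that file still exists, and writes a REGEDIT4 file that deletes only the orphaned entries. The file-existence check is injectable so the sample runs offline against a constructed list of "present" files; the search directories used for bare names (system32, then WINDOWS) are my simplification of the real Windows search order, and the sample includes one rundll32 entry adapted from the HKLM Run key above, which is not in the thread's msconfig list.

```python
import os
import re
from typing import Callable, Dict, Iterable, Optional

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
KEY_RE = re.compile(r"^\[" + re.escape(STARTUPREG) + r"\\([^\]]+)\]$", re.IGNORECASE)
# First token that looks like a program, for unquoted command lines such as
# 'nwiz.exe /install' or 'C:\Documents and Settings\...\AnyDVD.exe'.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|cpl))(?=\s|,|$)", re.IGNORECASE)
# Assumption: where a bare file name is looked up. Windows also tries the
# application directory and PATH, which this simplification ignores.
SEARCH_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS")


def parse_startupreg(dump: str) -> Dict[str, str]:
    """Map each disabled-startup name to the command line DSS printed under it."""
    entries: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = ""
        elif line.startswith("["):
            current = None  # some other key, not ours
        elif current is not None:
            entries[current] = line  # the command follows on the next line
            current = None
    return entries


def target_of(command: str) -> str:
    """Return the file a startup command line really loads."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:].strip()
    else:
        m = EXE_RE.match(cmd)
        exe = m.group(1) if m else cmd.split()[0]
        args = cmd[len(exe):].strip()
    # rundll32 is only a loader: the thing to verify is the DLL it is handed.
    if exe.replace("\\", "/").rsplit("/", 1)[-1].lower() == "rundll32.exe" and args:
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def resolve(target: str, exists: Callable[[str], bool]) -> Optional[str]:
    """Full path of the target if it is on disk, else None."""
    if "\\" in target or ":" in target:
        return target if exists(target) else None
    for d in SEARCH_DIRS:
        candidate = d + "\\" + target
        if exists(candidate):
            return candidate
    return None


def find_orphans(dump: str, exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """Disabled startups whose program no longer exists on disk."""
    return {name: cmd for name, cmd in parse_startupreg(dump).items()
            if resolve(target_of(cmd), exists) is None}


def deletion_reg(names: Iterable[str]) -> str:
    """REGEDIT4 text that removes the given startupreg entries and nothing else."""
    lines = ["REGEDIT4", ""]
    for name in names:
        lines += [f"[-{STARTUPREG}\\{name}]", ""]
    return "\n".join(lines)


# Constructed sample: startupreg blocks as DSS printed them in this thread,
# plus one rundll32 entry adapted from the HKLM Run key.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
"""

# Constructed stand-in for the disk: which of those files are "present".
PRESENT = {p.lower() for p in (
    r"C:\Program Files\AIM6\aim6.exe",
    r"C:\WINDOWS\system32\NvMcTray.dll",
    r"C:\WINDOWS\nwiz.exe",
)}


def fake_exists(path: str) -> bool:
    return path.lower() in PRESENT


if __name__ == "__main__":
    print(deletion_reg(find_orphans(SAMPLE_DUMP, fake_exists)))
```

    Run on the real machine, find_orphans() with the default os.path.exists gives the list of startupreg entries whose program is gone, and the generated .reg file is merged the same way as the one earlier in this thread. An orphan here only means the file is missing; an entry whose file is still present is not thereby clean, and a missing file can equally mean a legitimate uninstall or malware that a scanner already removed, so the command line is still worth reading before the key goes.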
  • edited May 2008
    Deckard's System Scanner v20071014.68
    Run by Faja on 2008-05-09 12:43:48
    Computer is in Normal Mode.

    Performed disk cleanup.

    Total Physical Memory: 447 MiB (512 MiB recommended).


    -- HijackThis (run as Faja.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:44:01 PM, on 5/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Faja\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Faja.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203873834343
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

    --
    End of file - 6584 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080508-190544-707 O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)
    backup-20080509-122906-504 O4 - Global Startup: Reboot.exe
    backup-20080509-122906-786 O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
    backup-20080509-122906-994 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
    R2 NIOC (NIOC Service) - c:\windows\system32\nioc.sys <Not Verified; D-Link Corporation; NIOC (NT5) Driver>
    R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>
    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    R3 RTL8187B (TRENDnet TEW-424UB 54M USB Dongle) - c:\windows\system32\drivers\rtl8187b.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8187B Wireless USB 2.0 Adapter>
    R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

    S3 catchme - c:\docume~1\faja\locals~1\temp\catchme.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 WZCBDLService (WZCBDL Service) - "c:\program files\wzcbdl service\wzcbdls.exe" <Not Verified; D-Link; WZCBDLService Launcher (NT)>

    S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>


    -- Device Manager: Disabled

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Other PCI Bridge Device
    Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_26091019&REV_A2\3&2411E6FE&0&38
    Manufacturer:
    Name: Other PCI Bridge Device
    PNP Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_26091019&REV_A2\3&2411E6FE&0&38
    Service:


    -- Scheduled Tasks

    2008-05-08 20:39:06 284 --a C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-09 and 2008-05-09

    2008-05-08 19:20:23 0 d C:\WINDOWS\ERUNT
    2008-05-06 14:24:26 0 d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-06 14:24:24 0 d C:\WINDOWS\system32\Kaspersky Lab
    2008-05-05 19:31:08 0 dr-h C:\Documents and Settings\Faja\Recent
    2008-05-02 19:02:43 0 d C:\Program Files\Ares
    2008-05-02 18:51:17 0 d C:\Program Files\QuickTime
    2008-05-02 11:36:28 0 d C:\Downloads
    2008-05-02 11:36:25 0 d C:\Documents and Settings\Faja\Application Data\GetRightToGo
    2008-05-01 18:49:04 0 d C:\Documents and Settings\LocalService\Desktop
    2008-05-01 18:26:02 4212 ---h C:\WINDOWS\system32\zllictbl.dat
    2008-05-01 18:25:51 0 d C:\WINDOWS\system32\ZoneLabs
    2008-05-01 18:24:47 0 d C:\WINDOWS\Internet Logs
    2008-05-01 14:31:43 68096 --a C:\WINDOWS\zip.exe
    2008-05-01 14:31:43 49152 --a C:\WINDOWS\VFind.exe
    2008-05-01 14:31:43 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-05-01 14:31:43 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-05-01 14:31:43 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-05-01 14:31:43 98816 --a C:\WINDOWS\sed.exe
    2008-05-01 14:31:43 80412 --a C:\WINDOWS\grep.exe
    2008-05-01 14:31:43 73728 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-28 20:29:40 0 d C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-04-28 18:32:44 0 d C:\ConverterOutput
    2008-04-28 18:32:32 262144 --a C:\WINDOWS\system32\TomsMoComp_ff.dll
    2008-04-28 18:32:32 395776 --a C:\WINDOWS\system32\libmplayer.dll
    2008-04-28 18:32:32 112640 --a C:\WINDOWS\system32\libmpeg2_ff.dll
    2008-04-28 18:32:32 2255360 --a C:\WINDOWS\system32\libavcodec.dll
    2008-04-28 18:32:32 34820 --a C:\WINDOWS\system32\ffdshow.reg
    2008-04-28 18:32:30 0 d C:\Program Files\Cucusoft
    2008-04-27 17:36:08 0 d C:\WINDOWS\Sun
    2008-04-27 17:36:08 0 d C:\Documents and Settings\Faja\Application Data\Sun
    2008-04-27 14:03:55 0 d C:\Documents and Settings\Faja\Application Data\Google
    2008-04-27 12:11:02 0 d C:\Documents and Settings\All Users\Application Data\Google
    2008-04-27 12:11:00 0 d C:\Program Files\Google
    2008-04-27 10:22:46 0 d C:\Documents and Settings\Faja\Application Data\FrostWire
    2008-04-27 09:42:30 0 d C:\Program Files\iPod
    2008-04-24 23:29:46 0 d C:\Documents and Settings\Faja\Incomplete
    2008-04-24 23:28:46 0 d C:\Documents and Settings\Faja\Application Data\LimeWire
    2008-04-24 23:27:57 0 d C:\Program Files\Java
    2008-04-24 23:26:41 0 d C:\Program Files\Common Files\Java
    2008-04-11 22:39:40 0 d C:\Program Files\EA GAMES
    2008-04-11 21:41:50 442368 -ra C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>


    -- Find3M Report

    2008-05-09 08:25:26 0 d C:\Documents and Settings\Faja\Application Data\AVG7
    2008-05-02 15:56:06 0 d C:\Program Files\Windows Media Connect 2
    2008-04-29 15:43:14 0 d C:\Documents and Settings\Faja\Application Data\U3
    2008-04-27 09:53:00 0 d C:\Program Files\Apple Software Update
    2008-04-27 09:42:54 0 d C:\Program Files\iTunes
    2008-04-24 23:26:41 0 d C:\Program Files\Common Files
    2008-04-18 18:25:04 0 d C:\Program Files\Project64 1.6
    2008-04-04 12:03:04 0 d C:\Documents and Settings\Faja\Application Data\Vso
    2008-04-03 23:24:36 0 d C:\Program Files\CloneDVD
    2008-04-03 22:43:11 34 --a C:\Documents and Settings\Faja\Application Data\pcouffin.log
    2008-04-03 22:42:08 47360 --a C:\Documents and Settings\Faja\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    2008-04-03 22:42:08 1144 --a C:\Documents and Settings\Faja\Application Data\pcouffin.inf
    2008-04-03 22:42:08 7176 --a C:\Documents and Settings\Faja\Application Data\pcouffin.cat
    2008-04-03 22:42:08 81920 --a C:\Documents and Settings\Faja\Application Data\ezpinst.exe
    2008-03-27 15:07:49 0 d C:\Program Files\SlySoft
    2008-03-27 07:24:23 0 d--h C:\Program Files\InstallShield Installation Information
    2008-03-27 07:24:23 0 d C:\Program Files\Cheetah Burner
    2008-03-27 07:24:16 0 d C:\Program Files\Common Files\InstallShield
    2008-03-27 00:43:13 0 d C:\Program Files\DAEMON Tools Lite
    2008-03-27 00:35:46 0 d C:\Documents and Settings\Faja\Application Data\DAEMON Tools
    2008-03-27 00:21:21 0 d C:\Program Files\Rockstar Games
    2008-03-23 08:21:58 0 d C:\Program Files\dvd43
    2008-03-19 22:25:28 0 d C:\Program Files\CCleaner
    2008-03-19 22:25:20 0 d C:\Program Files\Yahoo!
    2008-03-19 22:09:16 0 d C:\Program Files\Opera
    2008-03-19 14:21:05 0 d C:\Documents and Settings\Faja\Application Data\WinRAR
    2008-03-19 12:55:31 0 d C:\Program Files\LG Software Innovations
    2008-03-19 12:42:21 0 d C:\Program Files\Common Files\Download Manager
    2008-03-17 22:06:38 0 d C:\Program Files\Xilisoft
    2008-03-14 23:40:43 0 d C:\Documents and Settings\Faja\Application Data\ImgBurn
    2008-03-14 19:26:11 0 d C:\Program Files\ImgBurn
    2008-03-14 18:11:58 0 d C:\Program Files\TRENDnet
    2008-03-13 20:49:51 0 d C:\Program Files\DVDFab Platinum 4
    2008-03-13 20:22:45 0 d C:\Documents and Settings\Faja\Application Data\RipIt4Me
    2008-03-13 15:36:31 0 d C:\Documents and Settings\Faja\Application Data\DivX
    2008-03-13 15:28:38 0 d C:\Documents and Settings\Faja\Application Data\Ashampoo
    2008-03-13 15:25:19 0 d C:\Program Files\Ashampoo
    2008-03-12 20:32:08 0 d C:\Documents and Settings\Faja\Application Data\Apple Computer
    2008-03-12 00:16:23 0 d C:\Program Files\DivX
    2008-03-10 23:01:11 0 d C:\Program Files\Netflix
    2008-03-07 21:44:12 14 --a C:\WINDOWS\system32\systeminfo3.dll
    2008-03-01 11:11:51 40 ---hs---- C:\Documents and Settings\Faja\Application Data\.zreglib
    2008-03-01 00:16:56 315392 --a C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
    2008-02-23 20:03:31 0 -rahs---- C:\MSDOS.SYS
    2008-02-23 20:03:31 0 -rahs---- C:\IO.SYS
    2008-02-23 20:03:31 0 --a C:\CONFIG.SYS
    2008-02-23 20:03:31 0 --a C:\AUTOEXEC.BAT
    2008-02-23 20:00:55 21640 --a C:\WINDOWS\system32\emptyregdb.dat
    2008-02-23 14:54:19 62 --ahs---- C:\Documents and Settings\Faja\Application Data\desktop.ini


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/31/2006 02:35 AM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/31/2006 02:35 AM]
    "D-Link Air USB Utility"="C:\Program Files\D-Link\Air USB Utility\AirCFG.exe" [07/23/2003 09:21 AM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/18/2008 09:21 AM]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
    "RTHDCPL"="RTHDCPL.EXE" [01/09/2008 04:25 PM C:\WINDOWS\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [10/31/2006 02:35 AM C:\WINDOWS\system32\nwiz.exe]
    "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [03/01/2008 03:49 PM]
    "Alcmtr"="ALCMTR.EXE" [05/03/2005 07:43 PM C:\WINDOWS\Alcmtr.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
    "ares"="C:\Program Files\Ares\Ares.exe" [02/20/2008 10:33 AM]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [01/03/2008 12:15 PM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [03/21/2008 04:30 AM]
    "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" []
    "AnyDVD"="C:\Documents and Settings\Faja\Desktop\AnyDVD\AnyDVD.exe" [03/23/2008 07:49 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility HW.14.lnk - C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe [7/9/2007 3:43:00 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35275fa7-0a98-11dd-8677-0014d145a2fb}]
    AutoRun\command- G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b49febcf-e23f-11dc-a251-806d6172696f}]
    AutoRun\command- D:\Setup.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca205ed0-ee39-11dc-8660-000d88545b82}]
    AutoRun\command- G:\LaunchU3.exe -a

    *Newly Created Service* - SJYPKT



    -- End of Deckard's System Scanner: finished at 2008-05-09 12:44:30
  • edited May 2008
    Just two remnants we can address right now.

    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"


    Then there is no need for additional logs. Before we go to clean up what our work added there, post back how things are running now please.
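The two lines singled out above are the ones whose DSS registry dump shows an empty `[]` where every other Run value carries a file timestamp, and HijackThis reports the same "points at nothing" condition as `(file missing)` or `(no file)`. The Python script below is an added example for this thread, not code from Deckard's System Scanner or HijackThis, that pulls such orphaned autostart entries out of log text so they can be reviewed before anything is fixed. It assumes that an empty bracket after a DSS Run value means DSS found no file at that path (which is what the helper's choice of exactly those two entries reflects); the sample log snippets are constructed for the example, modelled on the lines posted above.

```python
"""Pick orphaned autostart entries out of DSS / HijackThis log text.

Added example for this thread; not code from Deckard's System Scanner or
HijackThis.  Assumption: a DSS Run-key value followed by an empty bracket
"[]" means DSS found no file at that path (present files get a timestamp
in the bracket), and HijackThis marks the same condition with
"(file missing)" or "(no file)".
"""
import re

# Constructed sample, modelled on the DSS "Registry Dump" section in the thread.
SAMPLE_DSS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"RTHDCPL"="RTHDCPL.EXE" [01/09/2008 04:25 PM C:\WINDOWS\RTHDCPL.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" []
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [03/21/2008 04:30 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"""

# Constructed sample of HijackThis lines, including one "Fixed Entries" backup line.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080508-190544-707 O20 - Winlogon Notify: iifCsroo - iifCsroo.dll (file missing)
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
HJT_MISSING_RE = re.compile(r'^(?:backup-\S+\s+)?O\d+ - .*\((?:file missing|no file)\)$')


def parse_dss_run_entries(log_text):
    """Return (key, value_name, target, present) for each value under a Run key.

    `present` is False when the trailing bracket is empty.  Values under keys
    that are not Run keys (policies, mountpoints2, ...) are ignored.
    """
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None          # a blank line ends the key block
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        if current_key is None or not current_key.upper().endswith('\\RUN'):
            continue
        value = VALUE_RE.match(line)
        if value:
            entries.append((current_key, value.group('name'), value.group('path'),
                            value.group('stamp').strip() != ''))
    return entries


def orphaned_run_entries(log_text):
    """Run values whose target DSS could not find: the 'remnants' worth fixing."""
    return [(key, name, path)
            for key, name, path, present in parse_dss_run_entries(log_text)
            if not present]


def hjt_missing_file_entries(log_text):
    """HijackThis lines that point at a file or CLSID that is no longer on disk."""
    return [line.strip() for line in log_text.splitlines()
            if HJT_MISSING_RE.match(line.strip())]


if __name__ == '__main__':
    for key, name, path in orphaned_run_entries(SAMPLE_DSS):
        print(f'orphaned Run value: [{key}] {name} -> {path}')
    for line in hjt_missing_file_entries(SAMPLE_HJT):
        print(f'HJT missing-file entry: {line}')
```

Run against the sample it lists the `swg` and `BitTorrent DNA` values and the two HijackThis lines; the Run values with a timestamp in the bracket are left alone. An orphaned entry is harmless on its own (the loader just fails), but it is exactly the kind of leftover that a later install could silently re-point at a new file, which is why helpers clear them even after the malware itself is gone.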