Please help slow pc

I have problems with this PC going slow. I have tried spyware scans, which come up with no problems, and I have tried BitDefender too, which came up with no problems either, but it's driving me nuts. My husband wants me to just wipe the PC, but I only want to do this as a very last resort. I have no firewall at the moment, as I thought it might be that causing the problems.
I have a HijackThis log -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:37:08, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165854538114
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

--
End of file - 8822 bytes


Thank you very much
Sharon

Comments

  • edited May 2008
    Hello SharonS,

    The log shows at least some of IAC Search and Media's adware Popular Screensavers installed there. And when you see one of IAC's (of MyWebSearch fame) items there is likely much more not showing. Let's take a look at the installs there.


    Open Hijackthis.
    Click Config - Misc Tools - Open Uninstall Manager.
    A list of the entries in Add/Remove programs will appear.
    Click on Save List...
    The list will be saved as 'Uninstall_list.txt'
    Copy & Paste the contents back here for review.


    Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners. You can use separate posts here when replying and posting the log files if needed.
  • edited May 2008
    Thank you very much :-))

    Here is the Silent Runners file -
    "Silent Runners.vbs", revision 56, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "msnmsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
    "updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]
    "Yahoo! Pager" = "~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" [file not found]
    "SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]
    "PopularScreensaversWallpaper" = "rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES " [MS]
    "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
    "Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]
    "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "Dit" = "Dit.exe" [null data]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]


    and here is the HijackThis result -

    Ad-Aware 2007
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 7.0.9
    Adobe Shockwave Player
    Apple Software Update
    ATI Display Driver
    avast! Antivirus
    CCleaner (remove only)
    COMODO Firewall Pro
    Defraggler (remove only)
    Dell ResourceCD
    FinePixViewer Ver.4.2
    FUJIFILM USB Driver
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    Kaspersky Online Scanner
    LimeWire 4.16.7
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Media Library Management Wizard
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Windows Journal Viewer
    MicroStaff WINASPI
    mIRC
    Mozilla Firefox (2.0.0.14)
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Multi-Card Reader & Flash Disk
    OneCare Advisor (Windows Live Toolbar)
    Panda ActiveScan 2.0
    Personal License Update Wizard for Windows Media Player
    Plus! MP3 Audio Converter LE
    Popup Blocker (Windows Live Toolbar)
    QuickTime
    RAW FILE CONVERTER LE
    Rhapsody Player Engine
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile Composite Device Software
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Scientific Atlanta WebSTAR 2000 series Cable Modem
    Security Task Manager 1.7e
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Smart Menus (Windows Live Toolbar)
    Sony Ericsson PC Suite
    Spybot - Search & Destroy
    SpywareBlaster v3.5.1
    SUPERAntiSpyware Free Edition
    SweetIM For Internet Explorer 3.0b
    The Day You Were Born
    Ulead Photo Express 4.0 SE
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925876)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    VideoEgg Publisher
    Vodafone 804SS USB driver Software
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Favorites for Windows Live Toolbar
    Windows Live installer
    Windows Live Messenger
    Windows Live Outlook Toolbar (Windows Live Toolbar)
    Windows Live Sign-in Assistant
    Windows Live Toolbar
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Toolbar Feed Detector (Windows Live Toolbar)
    Windows Media Bonus Pack for Windows XP
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Media Player 11
    Windows Media Player Playlist Import to Excel Wizard
    Windows Media Player Skin Importer
    Windows Media Player Tray Control
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Yahoo! Install Manager
    Yahoo! Messenger
  • edited May 2008
    That Silent Runners log is not complete, so be sure to let scans run until they indicate they are done. No indication yet of where that MyWebSearch screen saver installed and uninstalls from. You do have SweetIM. As indicated here, this may say it is not adware and spyware, but all the documentation it provides says it is. You can assume that when you use MSN Messenger, SweetIM is in contact with its own servers, sending/receiving encrypted data. This is considered undesirable software to have installed there, so you should consider removing all of it through Add/Remove Programs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

    You can use extra posts here if needed for that.
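The triage the replies above do by eye (spotting the MyWebSearch screen saver entry, the SweetIM search hook pointing at a missing DLL, and the leftover items that reference files no longer present) can be scripted. The block below is an added example, not code from this thread or from HijackThis: it parses HijackThis-style log lines and flags entries that point at missing files, entries matching the two adware families named in the replies (that watchlist is an assumption taken from those replies), autorun entries given as a bare filename rather than a full path, and Winsock LSP entries the tool could not identify. The sample lines are excerpted from the log posted above. Flags are prompts to look closer, not a verdict; the O10 entry in particular should be identified before anything is removed, since a broken LSP chain leaves the machine without working networking.

```python
"""Triage a HijackThis log offline: parse the entries and flag those worth a closer look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a handful of lines excerpted from the HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Assumption: watchlist built only from the two adware families the replies in this thread name.
WATCHLIST = {
    "MyWebSearch / Popular Screensavers (IAC)": ("mywebs~1", "mywebsearch", "popularscreensavers"),
    "SweetIM": ("sweetim", "macrogaming"),
}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")   # "O4 - HKLM\..\Run: [x] y"
RUN_RE = re.compile(r"\\Run: \[[^\]]*\] (?P<cmd>.+)$")               # command part of an O4 Run entry
# Assumption: Windows loaders that are legitimately invoked by bare name; their argument is what matters.
BARE_NAME_OK = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}


@dataclass
class Entry:
    code: str                                   # HijackThis section code, e.g. O4
    body: str                                   # everything after "O4 - "
    flags: List[str] = field(default_factory=list)


def triage_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, the process list and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["code"], m["body"])
    lowered = entry.body.lower()

    # 1. Dangling references: the registry still points at a file that is gone.
    if "(file missing)" in lowered or "(no file)" in lowered:
        entry.flags.append("dangling reference (file missing); remove the stale entry")

    # 2. Known-unwanted families from the watchlist.
    for family, needles in WATCHLIST.items():
        if any(n in lowered for n in needles):
            entry.flags.append(f"matches watchlist: {family}")

    # 3. An autorun command given as a bare filename is resolved via the search path,
    #    so the file that actually runs has to be located and checked by hand.
    if entry.code == "O4":
        rm = RUN_RE.search(entry.body)
        if rm:
            first = rm["cmd"].strip().strip('"~').split('"')[0].split()[0].lower()
            if "\\" not in first and first not in BARE_NAME_OK:
                entry.flags.append(f"bare filename '{first}': locate it and verify the publisher")

    # 4. A Winsock LSP sits in every socket call; identify it before touching it.
    if entry.code == "O10":
        entry.flags.append("unknown Winsock LSP; identify the DLL before removing (a broken chain kills networking)")
    return entry


def triage(log: str) -> List[Entry]:
    """All parsed entries, flagged or not."""
    return [e for e in (triage_entry(line) for line in log.splitlines()) if e]


def flagged(log: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log) if e.flags]


def report(log: str) -> str:
    """Human-readable summary of the flagged entries."""
    out = []
    for e in flagged(log):
        out.append(f"{e.code:>4}  {e.body[:70]}")
        out.extend(f"      -> {f}" for f in e.flags)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample above this flags seven of the ten entries and leaves the Adobe BHO, the TeaTimer autorun and the quoted full-path Messenger autorun alone. The bare-filename check is the one that would catch the `Dit.exe` entry, which the log shows running from `C:\WINDOWS` with no vendor information; that does not make it malicious, only something to identify before deciding.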
  • edited May 2008
    Thank you :-) I couldn't find SweetIM in Add/Remove programmes, so I did a search for it; it came up with two empty files, which I deleted.

    This is the Deckards scan log -
    Deckard's System Scanner v20071014.68
    Run by Sharon on 2008-05-08 11:42:49
    Computer is in Normal Mode.



    -- HijackThis (run as Sharon.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:44:00, on 08/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\Dit.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\DitExp.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Documents and Settings\Sharon\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Sharon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - ?p=ZRfox000
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165854538114
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

    --
    End of file - 8899 bytes

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
    R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

    S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
    S3 catchme - c:\docume~1\sharon\locals~1\temp\catchme.sys (file missing)
    S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
    S3 hSONYPVh - c:\docume~1\graham\locals~1\temp\hsonypvh.sys (file missing)
    S3 SABProcEnum - c:\program files\mozilla firefox\sabprocenum.sys (file missing)
    S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys (file missing)
    S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys (file missing)
    S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys (file missing)
    S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys (file missing)
    S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Manufacturer: 3Com
    Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Service: EL90XBC


    -- Scheduled Tasks

    2008-05-08 11:26:04 256 --a
    C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    2008-05-03 21:59:04 284 --a
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-08 and 2008-05-08

    2008-05-07 15:21:55 0 dr-h
    C:\Documents and Settings\Sharon\Recent
    2008-05-07 13:58:20 0 d--hs---- C:\FOUND.001
    2008-05-07 13:10:36 0 d--hs---- C:\FOUND.000
    2008-05-07 12:35:34 0 dr-h
    C:\Documents and Settings\Win XP\Recent
    2008-05-04 23:01:33 0 d
    C:\Documents and Settings\Win XP\Application Data\Comodo
    2008-05-04 22:05:11 0 d
    C:\Documents and Settings\Sharon\Application Data\Comodo
    2008-05-04 22:05:03 0 d
    C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-04 22:04:53 0 d
    C:\Program Files\COMODO
    2008-04-29 21:31:53 0 d
    C:\Program Files\LimeWire1
    2008-04-29 21:31:53 0 d
    C:\Program Files\Incomplete
    2008-04-29 21:29:38 0 d
    C:\Program Files\LimeWire
    2008-04-28 22:34:53 0 d
    C:\Documents and Settings\Win XP\Application Data\LimeWire
    2008-04-22 01:23:14 0 d
    C:\Documents and Settings\Win XP\Application Data\Malwarebytes
    2008-04-17 14:02:44 53248 --a
    C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-04-15 16:22:36 0 d
    C:\WINDOWS\BDOSCAN8
    2008-04-11 14:33:11 0 d
    C:\Program Files\Panda Security
    2008-04-10 18:51:09 237728 --a
    C:\cmldr
    2008-04-10 18:50:50 0 d
    C:\cmdcons


    -- Find3M Report

    2008-04-26 12:07:58 4212 ---h
    C:\WINDOWS\system32\zllictbl.dat
    2008-04-07 21:13:32 0 d
    C:\Documents and Settings\Sharon\Application Data\Malwarebytes
    2008-04-07 21:13:18 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-06 20:40:10 0 d
    C:\Program Files\Trend Micro
    2008-03-30 12:09:12 0 --a
    C:\WINDOWS\nsreg.dat
    2008-03-27 21:13:18 0 d
    C:\Program Files\Defraggler
    2008-03-27 12:56:22 0 d
    C:\Program Files\Security Task Manager
    2008-03-26 21:37:20 0 d
    C:\Program Files\CCleaner
    2008-02-16 07:32:42 664 --a
    C:\WINDOWS\system32\d3d9caps.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [28/03/2007 01:07]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
    "Dit"="Dit.exe" [22/04/2003 17:20 C:\WINDOWS\Dit.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
    "Yahoo! Pager"="~C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [04/03/2008 10:24]
    "PopularScreensaversWallpaper"="C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES " []
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"= C:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"




    -- End of Deckard's System Scanner: finished at 2008-05-08 11:45:20

    and this is the extra.txt -
    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 CPU 2.20GHz
    Percentage of Memory in Use: 52%
    Physical Memory (total/avail): 511.01 MiB / 243.52 MiB
    Pagefile Memory (total/avail): 1249.84 MiB / 922.82 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1937.36 MiB

    A: is Removable (No Media)
    C: is Fixed (FAT32) - 18.61 GiB total, 6.25 GiB free.
    D: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - Maxtor 2B020H1 - 18.62 GiB - 1 partition
    \PARTITION0 (bootable) - Unknown - 18.61 GiB - C:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FirstRunDisabled is set.

    FW: COMODO Firewall Pro v3.0 (COMODO) Disabled
    AV: avast! antivirus 4.8.1169 [VPS 080507-0] v4.8.1169 (ALWIL Software) Disabled

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Sharon\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=WINXP
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Sharon
    LOGONSERVER=\\WINXP
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Samsung\Samsung PC Studio 3;C:\Program Files\QuickTime\QTSystem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0204
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Sharon\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Sharon\LOCALS~1\Temp
    USERDOMAIN=WINXP
    USERNAME=Sharon
    USERPROFILE=C:\Documents and Settings\Sharon
    windir=C:\WINDOWS


    -- User Profiles

    Win XP (admin)
    Sharon (admin)


    -- Add/Remove Programs

    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
    Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
    ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
    Defraggler (remove only) --> "C:\Program Files\Defraggler\uninst.exe"
    Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
    FinePixViewer Ver.4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
    FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
    Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
    Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
    Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
    Media Library Management Wizard --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplibwiz.inf,DefaultUninstall
    Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
    MicroStaff WINASPI --> C:\MWASPI\uninst.exe
    mIRC --> "C:\P&Plus\mirc.exe" -uninstall
    Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Multi-Card Reader & Flash Disk --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA1CB7AC-E221-4822-A789-0ADB051DC498}\Setup.exe" -l0x9
    OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
    Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
    Plus! MP3 Audio Converter LE --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\audcle.inf,DefaultUninstall
    Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
    QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    RAW FILE CONVERTER LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D680C913-5955-469D-9D88-C1940F7506D6}\SETUP.EXE" -l0x9
    Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
    SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
    SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
    Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
    SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
    SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
    Scientific Atlanta WebSTAR 2000 series Cable Modem --> UNDPX2K.EXE
    Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
    Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
    Sony Ericsson PC Suite --> MsiExec.exe /I{FE6397C1-CECA-4EC3-B064-42AED7676898}
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    SweetIM For Internet Explorer 3.0b --> MsiExec.exe /X{F6D63A65-BD23-46F3-B9A3-87F442423481}
    The Day You Were Born --> C:\DAY2\UNWISE.EXE C:\DAY2\INSTALL.LOG
    Ulead Photo Express 4.0 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBC0D330-C37B-4472-BFB9-AA217CF0C95F}\setup.exe"
    VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe
    Vodafone 804SS USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
    Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
    Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
    Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
    Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
    Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
    Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
    Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
    Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
    Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
    Windows Media Bonus Pack for Windows XP --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
    Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG


    -- Application Event Log

    Event Record #/Type882 / Error
    Event Submitted/Written: 05/08/2008 11:35:51 AM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Event Record #/Type881 / Error
    Event Submitted/Written: 05/08/2008 11:35:20 AM
    Event ID/Source: 8 / crypt32
    Event Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

    Event Record #/Type865 / Error
    Event Submitted/Written: 05/07/2008 08:16:38 AM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application syncmldesktopserver.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
    Processing media-specific event for [syncmldesktopserver.exe!ws!]

    Event Record #/Type854 / Error
    Event Submitted/Written: 05/05/2008 06:53:26 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application firefox.exe, version 1.8.20080.40413, faulting module nss3.dll, version 3.11.5.0, fault address 0x000306df.
    Processing media-specific event for [firefox.exe!ws!]

    Event Record #/Type851 / Error
    Event Submitted/Written: 05/05/2008 05:54:42 PM
    Event ID/Source: 1001 / Application Hang
    Event Description:
    Fault bucket 452615105.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type930 / Warning
    Event Submitted/Written: 05/08/2008 10:58:28 AM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Event Record #/Type809 / Warning
    Event Submitted/Written: 05/07/2008 06:01:11 PM
    Event ID/Source: 1073 / USER32
    Event Description:
    The attempt to power off WINXP failed

    Event Record #/Type767 / Warning
    Event Submitted/Written: 05/07/2008 00:36:34 PM
    Event ID/Source: 1073 / USER32
    Event Description:
    The attempt to unknown WINXP failed

    Event Record #/Type766 / Warning
    Event Submitted/Written: 05/07/2008 00:12:52 PM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Event Record #/Type765 / Warning
    Event Submitted/Written: 05/07/2008 10:50:07 AM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



    -- End of Deckard's System Scanner: finished at 2008-05-08 11:45:20
  • edited May 2008
    I think I am getting a better grasp of what is showing here. Some earlier repairs were started, but for some reason not completed. Let's go ahead and do that now. To be sure here, for that screensaver, what do you have in use right now as a screensaver (the Silent Runners scan part for that was cut short)?

    First follow the steps here to disable SpyBot's TeaTimer, as it will interfere with the repairs. Important! Be sure to do all the steps, including the required reboot. If you have any difficulties accomplishing those then please go ahead and uninstall SpyBot - TeaTimer has been causing too many problems in repairs to make it worth any extra effort while we do them. You can always reinstall it after if you choose to.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Download SDFix.exe and save it to your desktop.

    Then disconnect from net access. If cable/DSL, physically disconnect the modem cable; if dial-up, disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
  • edited May 2008
    Thank you :-))
    I have a Jaguar sportscar as my screensaver at the moment, I think it came from here - http://www.racingsportscars.com/photo/Le_Mans-1989-06-11-photo.html

    I have done another Silent Runners scan, here's the result -
    "Silent Runners.vbs", revision 56, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "msnmsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
    "updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]
    "Yahoo! Pager" = "~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" [file not found]
    "PopularScreensaversWallpaper" = "rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES " [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
    "Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]
    "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "Dit" = "Dit.exe" [null data]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
    -> {HKLM...CLSID} = "History Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    "{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
    -> {HKLM...CLSID} = "NetWare Objects"
    \InProcServer32\(Default) = "nwprovau.dll" [MS]
    "{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
    -> {HKLM...CLSID} = "NetWare UNC Folder Menu"
    \InProcServer32\(Default) = "nwprovau.dll" [MS]
    "{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
    -> {HKLM...CLSID} = "NetWare Hood Verbs"
    \InProcServer32\(Default) = "nwprovau.dll" [MS]
    "{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Sony Ericsson File Manager"
    -> {HKLM...CLSID} = "Sony Ericsson File Manager"
    \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
    "{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Sony Ericsson File Manager"
    -> {HKLM...CLSID} = "Sony Ericsson File Manager"
    \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
    <<!>> "Authentication Packages" = "msv1_0"|"nwprovau"

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
    -> {HKLM...CLSID} = "NetWare UNC Folder Menu"
    \InProcServer32\(Default) = "nwprovau.dll" [MS]


    Group Policies {GPedit.msc branch and setting}:

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "HideLogoffScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    "RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    "HideStartupScripts" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Sharon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Startup items in "Sharon" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


    Enabled Scheduled Tasks:

    "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
    "Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{4B3803EA-5230-4DC3-A7FC-33638F3D3542}"
    -> {HKLM...CLSID} = "&Inbox Toolbar"
    \InProcServer32\(Default) = "C:\PROGRA~1\Inbox\ctbr.dll" [file not found]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{4B3803EA-5230-4DC3-A7FC-33638F3D3542}"
    -> {HKLM...CLSID} = "&Inbox Toolbar"
    \InProcServer32\(Default) = "C:\PROGRA~1\Inbox\ctbr.dll" [file not found]
    "{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}"
    -> {HKLM...CLSID} = "SweetIM For Internet Explorer"
    \InProcServer32\(Default) = "C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll" [file not found]
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
    -> {HKLM...CLSID} = "Windows Live Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\


    Miscellaneous IE Hijack Points

    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
    <<H>> "{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938}" = (no title provided)
    -> {HKLM...CLSID} = "SweetIM For Internet Explorer"
    \InProcServer32\(Default) = "C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll" [file not found]


    Running Services (Display Name, Service Name, Path {Service DLL}):

    avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
    avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
    avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
    Client Service for NetWare, NWCWorkstation, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}
    Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


    (launch time: 2008-05-09 13:27:44)
    <<!>>: Suspicious data at a malware launch point.
    <<H>>: Suspicious data at a browser hijack point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 53 seconds.
    (total run time: 110 seconds)

    and here's the Report from SDFix -

    SDFix: Version 1.181
    Run by Sharon on 09/05/2008 at 13:50

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-09 13:55:42
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Wed 21 Feb 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
    Tue 12 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

    Finished!
  • edited May 2008
    SDFix located nothing active, so some drivers showing in logs are true remnants we can remove soon. Those car photos are .jpg files, so would need something more to be used as screensavers. The Silent Runners log suggests no screensaver is active there. Right click on your desktop, select Properties, Screensaver tab. What is listed there? Is there a download screensaver on that car site you can point me to that I might download and analyze?
  • edited May 2008
    I've looked for the car site but can't find it anywhere, nor can I find it on the PC, so I have changed the wallpaper to a Windows one. As the screensaver always comes on after the PC is inactive for about 10 minutes (despite the fact it's set to 60 minutes), I have no screensaver on there.
  • edited May 2008
    Almost enough info - what comes on the screensaver? A black screen?
  • edited May 2008
    Sorry, yes it's a black screen :-)
  • edited May 2008
    I sense this is more just an issue of TeaTimer interfering there, the SweetIM, and your earlier work never having had the needed cleanup afterwards. Don't do anything with it, but do you still have ComboFix.exe there on the system? If so, where is the file located?
  • edited May 2008
    Yes I do still have ComboFix, it's in my C drive :-)
  • edited May 2008
    If that is C:\ComboFix.exe just delete that file. If it is a ComboFix-named folder just leave it.

    Then download ComboFix.exe from here to your desktop. Do not be tempted to click it - we only need it for removal of its settings here.

    Go to Start - Run, type the following then OK:

    ComboFix /u

    Assuming nothing has altered there this will have ComboFix remove what it added earlier.


    Once that has completed, reboot, and, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
  • edited May 2008
    Thank you :-)

    Deckard's System Scanner v20071014.68
    Run by Sharon on 2008-05-10 13:19:49
    Computer is in Normal Mode.



    -- HijackThis (run as Sharon.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:20:06, on 10/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\Dit.exe
    C:\WINDOWS\DitExp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Documents and Settings\Sharon\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Sharon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - ?p=ZRfox000
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165854538114
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

    --
    End of file - 8154 bytes

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>

    S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
    S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys (file missing)
    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
    S3 catchme - c:\docume~1\sharon\locals~1\temp\catchme.sys (file missing)
    S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
    S3 hSONYPVh - c:\docume~1\graham\locals~1\temp\hsonypvh.sys (file missing)
    S3 SABProcEnum - c:\program files\mozilla firefox\sabprocenum.sys (file missing)
    S3 SASENUM - c:\program files\superantispyware\sasenum.sys (file missing)
    S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys (file missing)
    S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys (file missing)
    S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys (file missing)
    S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys (file missing)
    S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Manufacturer: 3Com
    Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Service: EL90XBC


    -- Scheduled Tasks

    2008-05-10 12:26:06 256 --a C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    2008-05-03 21:59:04 284 --a C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-10 and 2008-05-10

    2008-05-10 12:56:06 0 d C:\327882R2FWJFW
    2008-05-10 11:40:52 0 dr-h C:\Documents and Settings\Sharon\Recent
    2008-05-09 19:29:32 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-09 13:46:53 0 d C:\WINDOWS\ERUNT
    2008-05-07 12:35:34 0 dr-h C:\Documents and Settings\Win XP\Recent
    2008-05-04 23:01:33 0 d C:\Documents and Settings\Win XP\Application Data\Comodo
    2008-05-04 22:05:11 0 d C:\Documents and Settings\Sharon\Application Data\Comodo
    2008-05-04 22:05:03 0 d C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-04 22:04:53 0 d C:\Program Files\COMODO
    2008-04-29 21:31:53 0 d C:\Program Files\LimeWire1
    2008-04-29 21:31:53 0 d C:\Program Files\Incomplete
    2008-04-29 21:29:38 0 d C:\Program Files\LimeWire
    2008-04-28 22:34:53 0 d C:\Documents and Settings\Win XP\Application Data\LimeWire
    2008-04-22 01:23:14 0 d C:\Documents and Settings\Win XP\Application Data\Malwarebytes
    2008-04-17 14:02:44 53248 --a C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-04-15 16:22:36 0 d C:\WINDOWS\BDOSCAN8
    2008-04-11 14:33:11 0 d C:\Program Files\Panda Security
    2008-04-10 18:51:09 237728 --a C:\cmldr
    2008-04-10 18:50:50 0 d C:\cmdcons


    -- Find3M Report

    2008-04-26 12:07:58 4212 ---h C:\WINDOWS\system32\zllictbl.dat
    2008-04-07 21:13:32 0 d C:\Documents and Settings\Sharon\Application Data\Malwarebytes
    2008-04-06 20:40:10 0 d C:\Program Files\Trend Micro
    2008-03-30 12:09:12 0 --a C:\WINDOWS\nsreg.dat
    2008-03-27 21:13:18 0 d C:\Program Files\Defraggler
    2008-03-27 12:56:22 0 d C:\Program Files\Security Task Manager
    2008-03-26 21:37:20 0 d C:\Program Files\CCleaner
    2008-02-16 07:32:42 664 --a C:\WINDOWS\system32\d3d9caps.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [28/03/2007 01:07]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
    "Dit"="Dit.exe" [22/04/2003 17:20 C:\WINDOWS\Dit.exe]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [09/05/2008 16:34]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
    "Yahoo! Pager"="~C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
    "PopularScreensaversWallpaper"="C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES " []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)
    "disableregistrytools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"




    -- End of Deckard's System Scanner: finished at 2008-05-10 13:21:11
  • edited May 2008
    Good, that just removes some of the earlier changes from the equation here. There is also an orphaned driver from a likely earlier Genlot infection to remove.

    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each program through Start - Programs.

    That ComboFix uninstall changed your hidden files view settings. If you had previously preferred these for viewing hidden files, follow the steps here.


    Go to Start > Run and type

    cmd

    and OK. At the prompt type (or copy\paste) the below commands and hit "Enter" after each line

    sc config hSONYPVh start= disabled
    sc delete hSONYPVh


    Type Exit to close.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
    O8 - Extra context menu item: &Search - ?p=ZRfox000
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
    O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)



    The autoplay functions there were blocked as part of the procedures you did before. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveAutoRun"=dword:00000000
    "NoDriveTypeAutoRun"=dword:00000095
    
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    Also, these logon script settings were altered, in part to keep removal scripts that run during startup from showing. I would not know your original settings for these, but you can do the following to change them to a default setting. Most often, changing these would only impact networked users relying on certain types of logon scripts.
    REGEDIT4
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "RunLogonScriptSync"=dword:00000001
    "RunStartupScriptSync"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "RunLogonScriptSync"=dword:00000001
    "RunStartupScriptSync"=dword:00000001
    
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it logonfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.


    Enough changes for now. Let's check those, then there are a few more to do.

    Reboot, and after the reboot, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
  • edited May 2008
    Thank you :-)
    Deckard's System Scanner v20071014.68
    Run by Sharon on 2008-05-11 15:17:23
    Computer is in Normal Mode.

    Performed disk cleanup.



    -- HijackThis (run as Sharon.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:17:29, on 11/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\Dit.exe
    C:\WINDOWS\DitExp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Sharon\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Sharon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165854538114
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

    --
    End of file - 7417 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080511-141950-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    backup-20080511-141950-676 R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    backup-20080511-141950-456 O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
    backup-20080511-141950-914 O8 - Extra context menu item: &Search - ?p=ZRfox000
    backup-20080511-141950-862 O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
    backup-20080511-141950-191 O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>

    S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
    S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys (file missing)
    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
    S3 catchme - c:\docume~1\sharon\locals~1\temp\catchme.sys (file missing)
    S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
    S3 SABProcEnum - c:\program files\mozilla firefox\sabprocenum.sys (file missing)
    S3 SASENUM - c:\program files\superantispyware\sasenum.sys (file missing)
    S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys (file missing)
    S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys (file missing)
    S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys (file missing)
    S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys (file missing)
    S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Manufacturer: 3Com
    Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Service: EL90XBC


    -- Scheduled Tasks

    2008-05-11 14:26:56 256 --a
    C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    2008-05-03 21:59:04 284 --a
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-11 and 2008-05-11

    2008-05-11 14:58:28 0 d--hs---- C:\FOUND.000
    2008-05-10 12:56:06 0 d
    C:\327882R2FWJFW
    2008-05-10 11:40:52 0 dr-h
    C:\Documents and Settings\Sharon\Recent
    2008-05-09 19:29:32 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-09 13:46:53 0 d
    C:\WINDOWS\ERUNT
    2008-05-07 12:35:34 0 dr-h
    C:\Documents and Settings\Win XP\Recent
    2008-05-04 23:01:33 0 d
    C:\Documents and Settings\Win XP\Application Data\Comodo
    2008-05-04 22:05:11 0 d
    C:\Documents and Settings\Sharon\Application Data\Comodo
    2008-05-04 22:05:03 0 d
    C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-04 22:04:53 0 d
    C:\Program Files\COMODO
    2008-04-29 21:31:53 0 d
    C:\Program Files\LimeWire1
    2008-04-29 21:31:53 0 d
    C:\Program Files\Incomplete
    2008-04-29 21:29:38 0 d
    C:\Program Files\LimeWire
    2008-04-28 22:34:53 0 d
    C:\Documents and Settings\Win XP\Application Data\LimeWire
    2008-04-22 01:23:14 0 d
    C:\Documents and Settings\Win XP\Application Data\Malwarebytes
    2008-04-17 14:02:44 53248 --a
    C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-04-15 16:22:36 0 d
    C:\WINDOWS\BDOSCAN8
    2008-04-11 14:33:11 0 d
    C:\Program Files\Panda Security


    -- Find3M Report

    2008-04-26 12:07:58 4212 ---h
    C:\WINDOWS\system32\zllictbl.dat
    2008-04-07 21:13:32 0 d
    C:\Documents and Settings\Sharon\Application Data\Malwarebytes
    2008-04-06 20:40:10 0 d
    C:\Program Files\Trend Micro
    2008-03-30 12:09:12 0 --a
    C:\WINDOWS\nsreg.dat
    2008-03-27 21:13:18 0 d
    C:\Program Files\Defraggler
    2008-03-27 12:56:22 0 d
    C:\Program Files\Security Task Manager
    2008-03-26 21:37:20 0 d
    C:\Program Files\CCleaner
    2008-02-16 07:32:42 664 --a
    C:\WINDOWS\system32\d3d9caps.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [28/03/2007 01:07]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
    "Dit"="Dit.exe" [22/04/2003 17:20 C:\WINDOWS\Dit.exe]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [09/05/2008 16:34]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]
    "Yahoo! Pager"="~C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)
    "disableregistrytools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=&quot;Service"




    -- End of Deckard's System Scanner: finished at 2008-05-11 15:18:23
  • edited May 2008
    Looks good. You chose not to make the "RunLogonScriptSync" changes I see, which is okay. Right now just this orphaned startup you can select and Fix checked in a new HijackThis scan there:

    O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    The SUPERAntispyware service files show as not found - is this uninstalled now? Also just post back an update on how things are running there please.
  • edited May 2008
    Hmmm, strange. I made the "RunLogonScriptSync" changes, so I don't know what went wrong. I did have to restart the pc sometime after though, and it came up with a file error, so it did a disk scan and had a long list of things the scan changed.
    I did uninstall SUPERAntispyware, and I'm glad you mentioned it as I forgot to reinstall it lol
    The pc is running OK-ish. Yesterday it was lovely, but my husband was on Facebook this morning, the pc started running very slow, and after restarting it it's still slow (not annoyingly slow, just slower than it should be).
  • edited May 2008
    :) My thoughts are so locked into procedures sometimes, so when I noticed the logs indicating those script logon entries I automatically went to the pat repair. But if you look at the reg file and the entries you will see they match - they are enabled (1).

    The logs already showed a "FOUND" folder, so not sure why your system is seeking a new disk scan now. Did you make changes at some time using that Defraggler software I see listed? But for us the work isn't complete until, well, the work is complete.


    Might be overkill, but since we did remove one pretty bad infection driver there, go ahead now and Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder.

    When you have done this, doubleclick on Gmer.exe to run it.

    Under the Rootkit/Malware tab look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

    When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.


    Then run the same Deckards scan as before and post that log please.
  • edited May 2008
    Thank you :-)
    The Gmer scan said it hadn't found any system modification :-)
    Here's the Deckards log though -
    Deckard's System Scanner v20071014.68
    Run by Sharon on 2008-05-12 22:16:02
    Computer is in Normal Mode.

    Performed disk cleanup.



    -- HijackThis (run as Sharon.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:16:15, on 12/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\Dit.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\DitExp.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Sharon\desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Sharon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165854538114
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

    --
    End of file - 7273 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080511-141950-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    backup-20080511-141950-676 R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
    backup-20080511-141950-456 O4 - HKCU\..\Run: [PopularScreensaversWallpaper] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\F3SCRCTR.DLL,LES
    backup-20080511-141950-914 O8 - Extra context menu item: &Search - ?p=ZRfox000
    backup-20080511-141950-862 O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb103\res\DealioSearch.html
    backup-20080511-141950-191 O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
    backup-20080511-201140-414 O4 - HKCU\..\Run: [Yahoo! Pager] ~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    -- File Associations

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>

    S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
    S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys (file missing)
    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
    S3 catchme - c:\docume~1\sharon\locals~1\temp\catchme.sys (file missing)
    S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
    S3 SABProcEnum - c:\program files\mozilla firefox\sabprocenum.sys (file missing)
    S3 SASENUM - c:\program files\superantispyware\sasenum.sys (file missing)
    S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys (file missing)
    S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys (file missing)
    S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys (file missing)
    S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys (file missing)
    S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Manufacturer: 3Com
    Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
    PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00FE1028&REV_78\4&24B99E98&0&60F0
    Service: EL90XBC


    -- Scheduled Tasks

    2008-05-12 21:26:06 256 --a
    C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    2008-05-03 21:59:04 284 --a
    C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-12 and 2008-05-12

    2008-05-12 14:07:56 0 dr-h
    C:\Documents and Settings\Sharon\Recent
    2008-05-10 12:56:06 0 d
    C:\327882R2FWJFW
    2008-05-09 19:29:32 0 d
    C:\Program Files\Malwarebytes' Anti-Malware
    2008-05-09 13:46:53 0 d
    C:\WINDOWS\ERUNT
    2008-05-07 12:35:34 0 dr-h
    C:\Documents and Settings\Win XP\Recent
    2008-05-04 23:01:33 0 d
    C:\Documents and Settings\Win XP\Application Data\Comodo
    2008-05-04 22:05:11 0 d
    C:\Documents and Settings\Sharon\Application Data\Comodo
    2008-05-04 22:05:03 0 d
    C:\Documents and Settings\All Users\Application Data\comodo
    2008-05-04 22:04:53 0 d
    C:\Program Files\COMODO
    2008-04-29 21:31:53 0 d
    C:\Program Files\LimeWire1
    2008-04-29 21:31:53 0 d
    C:\Program Files\Incomplete
    2008-04-29 21:29:38 0 d
    C:\Program Files\LimeWire
    2008-04-28 22:34:53 0 d
    C:\Documents and Settings\Win XP\Application Data\LimeWire
    2008-04-22 01:23:14 0 d
    C:\Documents and Settings\Win XP\Application Data\Malwarebytes
    2008-04-17 14:02:44 53248 --a
    C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
    2008-04-15 16:22:36 0 d
    C:\WINDOWS\BDOSCAN8


    -- Find3M Report

    2008-04-26 12:07:58 4212 ---h
    C:\WINDOWS\system32\zllictbl.dat
    2008-04-11 14:33:12 0 d
    C:\Program Files\Panda Security
    2008-04-07 21:13:32 0 d
    C:\Documents and Settings\Sharon\Application Data\Malwarebytes
    2008-04-06 20:40:10 0 d
    C:\Program Files\Trend Micro
    2008-03-30 12:09:12 0 --a
    C:\WINDOWS\nsreg.dat
    2008-03-27 21:13:18 0 d
    C:\Program Files\Defraggler
    2008-03-27 12:56:22 0 d
    C:\Program Files\Security Task Manager
    2008-03-26 21:37:20 0 d
    C:\Program Files\CCleaner
    2008-02-16 07:32:42 664 --a
    C:\WINDOWS\system32\d3d9caps.dat


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
    "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [28/03/2007 01:07]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
    "Dit"="Dit.exe" [22/04/2003 17:20 C:\WINDOWS\Dit.exe]
    "COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [09/05/2008 16:34]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 16:45]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)
    "disableregistrytools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    *Newly Created Service* - GMER



    -- End of Deckard's System Scanner: finished at 2008-05-12 22:17:41
  • edited May 2008
    Nothing too out of the ordinary showing still. There is a running process, ditxp.exe from an ICSI USB 2.0 card reader, that I am not very familiar with. Maybe you would know what USB items are in use there.

    And these services, showing as stopped and no files associated with them being found:

    SABProcEnum - Super Ad Blocker
    S3 SASENUM - Super Antispyware
    iPod Service

    We can remove those services if you are sure the software is no longer installed there.