Question

Virus tvgyiy.exe - unable to remove

Asked by: Heuman

Well, first off, my computer is acting a little buggy, which is unusual. I made sure that my antivirus software was up to date and ran a Virus and Spyware Scan, which found nothing (with the utilities I'm using on my computer). I went online to BitDefender's website and did an online virus scan there, which revealed a virus that my antivirus program did not pick up (imagine that). The virus's name is tvgyiy.exe - Backdoor.Rbot.XJH. I've searched and searched and can't find anything on it. I have tried to locate the virus myself by doing a search with the Windows search engine, and whatever I do it won't find this particular file. Then I did a search in the system32 directory, where this virus resides, and I still can't find it there. I enabled showing hidden files and folders and turned on file extensions, once again with no luck. I ran Silent Runners and am posting my log here in the hope that somebody can help me out.
------------------------------------------------------------------------------------------------------
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BitDefender Antiphishing Helper" = ""C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"" ["BitDefender"]
"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"ISUSPM Startup" = "c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"
  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> {HKLM...CLSID} = "Universal Plug and Play Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"
  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
  -> {HKLM...CLSID} = "Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "Yahoo! Mail Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YMMAPI.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
  -> {HKLM...CLSID} = "Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\David\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ss3dfo.scr" [MS]


Startup items in "David" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Wireless Connection Manager" -> shortcut to: "C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe" [" "]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{381FFDE8-2394-4F90-B10D-FC6124A40F8C}" = "IEToolbar"
  -> {HKLM...CLSID} = "BitDefender Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll" ["Bitdefender"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
  -> {HKLM...CLSID} = "Yahoo! IE Services Button"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Atheros Configuration Service, ACS, "C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe" ["Atheros"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service" ["BitDefender S.R.L."]
BitDefender Threat Scanner, scan, "C:\WINDOWS\System32\svchost.exe -kbdx" {"C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll" ["BitDefender"]}
BitDefender Virus Shield, VSSERV, ""C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service" ["BitDefender S.R.L."]
Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2007-10-16 18:04:59)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 30 seconds.
---------- (total run time: 73 seconds)




Asked on: 2007-10-16 at 15:22:40 (ID 22897641)
Tags: Virus removal
Topic: Anti-Virus
Participating experts: 2
Points: 500
Comments: 15

Answers

by: IndiGenus, posted on 2007-10-16 at 15:54:12 (ID: 20089681)

Not seeing anything in the SR log. Can you give us a Deckard's System Scanner log?

Download Deckard's System Scanner (DSS) and save it to your Desktop.

http://www.techsupportforum.com/sectools/Deckard/dss.exe

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads: main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

by: Heuman, posted on 2007-10-16 at 16:28:31 (ID: 20089832)

Details from the program; here are the two reports, main.txt and extra.txt:
--------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by David on 2007-10-16 19:20:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:55 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\David.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\RunServices: [Microsoft Update Machine] tvgyiy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7429 bytes

-- Files created between 2007-09-16 and 2007-10-16 -----------------------------

2007-10-16 19:20:49         0 d-------- C:\Program Files\Trend Micro
2007-10-16 17:35:42         0 dr-h----- C:\Documents and Settings\David\Recent
2007-10-16 05:35:19         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-16 05:28:13         0 d-------- C:\Documents and Settings\All Users\Application Data\CrystalIdea Software
2007-10-16 05:22:48         0 d-------- C:\Program Files\Uninstall Tool
2007-10-16 00:30:22         0 d-------- C:\Documents and Settings\David\Application Data\Bitdefender
2007-10-16 00:30:08         0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-10-15 22:01:40     81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-15 22:01:01         0 d-------- C:\Program Files\BitDefender
2007-10-15 22:00:27         0 d-------- C:\Program Files\Common Files\BitDefender
2007-10-15 17:04:34         0 d-------- C:\WINDOWS\BDOSCAN8
2007-10-15 04:37:47         0 d-------- C:\Program Files\SonicWallES
2007-10-15 00:07:14         0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-14 17:13:39         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 13:43:41         0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-14 00:46:30         0 d-------- C:\KAV
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\zts2.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundll16.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundl132.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\logo1_.exe
2007-10-13 04:17:28         0 d-------- C:\Program Files\Wise Registry Cleaner
2007-10-13 04:16:49         0 d-------- C:\Program Files\Aezay Productions
2007-10-13 04:10:22         0 d-------- C:\Program Files\AusLogics Registry Defrag
2007-10-12 22:49:54         0 d-------- C:\Documents and Settings\David\Application Data\foobar2000
2007-10-12 22:49:50         0 d-------- C:\Program Files\foobar2000
2007-10-12 17:55:16         0 d-------- C:\Program Files\Common Files\Scansoft Shared
2007-10-12 17:55:16         0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-12 17:55:02         0 d-------- C:\Program Files\Nuance
2007-10-12 16:44:57         0 d-------- C:\Program Files\Easy Duplicate Finder
2007-10-12 16:43:40         0 d-------- C:\Program Files\Duplicate Music Files Finder
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-12 16:24:08    269824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-12 16:23:59   2281472 --a------ C:\WINDOWS\system32\vbsbak.dat <Not Verified; SuperLogix; Super Utilities>
2007-10-12 16:23:59        42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-12 16:23:59         0 d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-12 16:23:59     43936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys <Not Verified; Alfa Corporation; AlfaFP (TM) 2003 Ansi Build for Windows NT/2K>
2007-10-12 16:23:59    591872 --a------ C:\WINDOWS\system32\context.dll <Not Verified; SuperLogix; Enhancement to context menu>
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-12 16:23:59         0 d-------- C:\Program Files\SuperLogix
2007-10-12 15:36:47         0 d-------- C:\Program Files\Mgutil
2007-10-12 04:06:18         0 d-------- C:\Program Files\Wise Disk Cleaner
2007-10-11 23:59:00         0 d-------- C:\Program Files\SpywareBlaster
2007-10-11 22:58:27     28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-11 18:57:35         0 d-------- C:\Program Files\QuickTime
2007-10-11 18:40:32         0 d-------- C:\WINDOWS\Sun
2007-10-11 18:40:32         0 d-------- C:\Documents and Settings\David\Application Data\Sun
2007-10-11 18:40:06         0 d-------- C:\Program Files\Java
2007-10-11 18:39:56         0 d-------- C:\Program Files\Common Files\Java
2007-10-11 18:34:58         0 d-------- C:\Documents and Settings\David\.housecall6.6
2007-10-11 12:24:05         0 d-------- C:\Program Files\TotalAudioConverter
2007-10-10 19:58:42         0 d-------- C:\Program Files\MSECache
2007-10-10 19:52:49         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-10 19:52:10         0 d-------- C:\WINDOWS\SHELLNEW
2007-10-10 19:51:10         0 d-------- C:\Program Files\Microsoft.NET
2007-10-09 16:20:53         0 d-------- C:\Documents and Settings\David\Application Data\Ahead
2007-10-09 16:15:57         0 d-------- C:\Program Files\Nero
2007-10-09 16:15:57         0 d-------- C:\Program Files\Common Files\Ahead
2007-10-09 16:07:31         0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 15:25:25         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-10-09 04:09:23         0 d-------- C:\Program Files\Seagate
2007-10-09 03:33:33         0 d-------- C:\Documents and Settings\David\Application Data\uTorrent
2007-10-09 02:36:46         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 01:53:15         0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-08 01:18:26         0 d-------- C:\Program Files\Bonjour
2007-10-08 01:10:05         0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-08 00:57:25         0 d-------- C:\Program Files\MagicISO
2007-10-08 00:39:32    639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-07 00:17:29    237636 --a------ C:\WINDOWS\system32\wsimd.dll <Not Verified; Atheros Communications, Inc.; wsimd>
2007-10-07 00:17:29    245830 --a------ C:\WINDOWS\system32\wsfwDS.dll <Not Verified; Atheros Communications, Inc.; wsfwds>
2007-10-07 00:17:29     53248 -ra------ C:\WINDOWS\system32\dsaNac.dll <Not Verified; Devicescape, Inc.; Devicescape NAC Notify DLL>
2007-10-07 00:17:29   1253432 -ra------ C:\WINDOWS\system32\dsa.dll <Not Verified; Devicescape; Devicescape Windows WPA Supplicant (Core 0.4.3)>
2007-10-07 00:17:29         0 d-------- C:\WINDOWS\pcidevice
2007-10-07 00:17:29         0 d-------- C:\Program Files\D-Link
2007-10-06 18:44:54         0 d-------- C:\Documents and Settings\David\Application Data\Nero
2007-10-06 18:42:18         0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-05 19:41:15         0 d-------- C:\Program Files\Marvell
2007-10-05 19:37:24      5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-10-04 13:52:54    399872 --a------ C:\WINDOWS\c4dstand.dll
2007-10-04 13:52:53    438272 --a------ C:\WINDOWS\c4dll.dll <Not Verified; Sequiter Software Inc.; CodeBase>
2007-10-04 13:52:39     98304 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>
2007-10-04 13:52:39         0 d-------- C:\Program Files\LearnKey
2007-10-04 13:52:36    487936 --a------ C:\WINDOWS\LkUnInst.exe <Not Verified; LearnKey, Inc.; >
2007-10-03 22:55:26         0 d-------- C:\temp
2007-10-02 20:58:47         0 d-------- C:\WINDOWS\PAC207
2007-10-02 00:18:12      1075 --a------ C:\Documents and Settings\David\Application Data\SAS7_000.DAT
2007-10-01 19:09:02         0 d-------- C:\Documents and Settings\David\Application Data\Nuance
2007-10-01 19:03:34         0 d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2007-10-01 17:20:18         0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-01 17:17:35         0 d-------- C:\WINDOWS\speech
2007-10-01 02:24:27         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-10-01 02:23:46         0 d-------- C:\Program Files\MSXML 4.0
2007-10-01 01:53:31         0 d-------- C:\Program Files\Anark
2007-09-30 23:56:43    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-09-30 23:56:38         0 d-------- C:\Documents and Settings\David\WINDOWS
2007-09-28 23:05:33         0 d-------- C:\Program Files\MSXML 6.0
2007-09-28 20:57:19         0 d-------- C:\WINDOWS\system32\XPSViewer
2007-09-28 20:56:58         0 d-------- C:\Program Files\Reference Assemblies
2007-09-28 20:52:33         0 d-------- C:\WINDOWS\system32\URTTemp
2007-09-28 20:33:08         0 d-------- C:\Program Files\MTV Networks
2007-09-28 20:33:04         0 d-------- C:\WINDOWS\Downloaded Installations
2007-09-28 20:09:30         0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\LogFiles
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-28 20:00:19         0 d-------- C:\WINDOWS\network diagnostic
2007-09-28 19:59:04         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-28 19:35:44         0 d-------- C:\Program Files\Diskeeper Corporation
2007-09-28 16:52:49         0 d--hs---- C:\Diskeeper
2007-09-28 16:09:53         0 d-------- C:\Documents and Settings\David\Application Data\Softplicity
2007-09-28 01:39:11         0 d-------- C:\WINDOWS\Wallpaper Of Wow
2007-09-27 22:22:02         0 d-------- C:\Documents and Settings\David\Application Data\Yahoo!
2007-09-27 22:09:22         0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-27 22:07:44         0 d-------- C:\Program Files\Yahoo!
2007-09-27 19:19:21     29696 -----n--- C:\WINDOWS\system32\dev32.exe <Not Verified; ALi Coporation; Install Program>
2007-09-27 19:19:16    163840 -----n--- C:\WINDOWS\system32\coin5288.dll <Not Verified; ULi Electronics Inc.; Coinstaller Dynamic Link Library>
2007-09-27 18:01:51         0 d-------- C:\Program Files\MSBuild
2007-09-27 17:58:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-27 17:19:07         0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2007-09-27 17:11:35         0 d-------- C:\Documents and Settings\David\Application Data\Media Player Classic
2007-09-27 17:10:34    217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-09-27 17:10:34    282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-27 17:10:34   1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-27 17:10:33   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-27 17:10:33     73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-27 17:10:33    740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-27 17:10:32      7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-27 17:10:31         0 d-------- C:\Program Files\K-Lite Codec Pack
2007-09-27 17:03:31         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-09-27 17:03:24         0 d-------- C:\Program Files\Common Files\Adobe
2007-09-27 17:00:32         0 d-------- C:\WINDOWS\pss
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-27 16:47:23         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Recent
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-27 16:47:23    524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-27 16:32:20         0 d-------- C:\Documents and Settings\David\Application Data\Macromedia
2007-09-27 16:02:50       830 --a------ C:\WINDOWS\system32\installer.bat
2007-09-27 15:44:50    851456 --a------ C:\WINDOWS\system32\WGA.exe
2007-09-27 15:44:30       512 --a------ C:\ScanSectorLog.dat
2007-09-27 14:36:47         0 d-------- C:\Program Files\DAMN NFO Viewer
2007-09-27 14:36:15         0 d-------- C:\Documents and Settings\David\Application Data\WinRAR
2007-09-27 14:06:58         0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-27 14:06:57         0 d-------- C:\Documents and Settings\David\Application Data\Azureus
2007-09-27 14:06:07         0 d-------- C:\Program Files\Azureus
2007-09-27 13:54:35      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-27 13:54:26     11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-09-27 13:53:49         0 d-------- C:\WINDOWS\Internet Logs
2007-09-27 13:49:08         0 d-------- C:\WINDOWS\system32\appmgmt
2007-09-27 13:25:13         0 d-------- C:\WINDOWS\system32\PreInstall
2007-09-27 13:25:12         0 d--h----- C:\WINDOWS\$hf_mig$
2007-09-27 13:23:03         0 d--hs---- C:\Documents and Settings\David\UserData
2007-09-27 13:21:20         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system32\drivers\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system32\drivers\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system32\drivers\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system32\drivers\RADIO0d.bin
2007-09-27 13:09:06    255360 -ra------ C:\WINDOWS\system32\drivers\AIRPLUS.sys <Not Verified; D-Link; D-Link AirPlus 22 Mbps Wireless Network Adapter>
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system\RADIO0d.bin
2007-09-27 12:59:50         0 d-------- C:\Program Files\AllToAVI
2007-09-27 12:59:21         0 d-------- C:\Documents and Settings\David\Application Data\TuneUp Software
2007-09-27 12:56:18         0 d-------- C:\Program Files\Lavalys
2007-09-27 12:55:13         0 d-------- C:\Program Files\DSC Driver
2007-09-27 12:35:45         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-27 12:35:44         0 d-------- C:\WINDOWS\system32\Data
2007-09-27 12:35:36     49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-09-27 12:24:35    593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-09-27 12:24:27         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-27 12:24:16         0 d-------- C:\Program Files\Common Files\InstallShield
2007-09-27 12:24:11         0 d-------- C:\ATI
2007-09-27 12:23:27         0 d-------- C:\Documents and Settings\David\Application Data\Identities
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Templates
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Start Menu
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\SendTo
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\PrintHood
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\NetHood
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\My Documents
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Local Settings
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Favorites
2007-09-27 12:23:20         0 d-------- C:\Documents and Settings\David\Desktop
2007-09-27 12:23:20         0 d--hs---- C:\Documents and Settings\David\Cookies
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\Application Data
2007-09-27 12:23:19   4456448 --a------ C:\Documents and Settings\David\NTUSER.DAT
2007-09-27 12:22:37         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-09-27 12:22:36         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-09-27 12:22:36         0 d-------- C:\WINDOWS\Prefetch
2007-09-27 12:22:35    229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-09-27 12:22:35         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-09-27 12:22:35         0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-09-27 12:22:35         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-09-27 12:22:35         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-09-27 12:18:04    229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-09-27 12:18:04         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-09-27 12:18:04         0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-09-27 12:18:04         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-09-27 12:18:04         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-09-27 12:14:59         0 d-------- C:\WINDOWS\system32\xircom
2007-09-27 12:14:59         0 d-------- C:\Program Files\microsoft frontpage
2007-09-27 12:14:51    229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-09-27 12:14:47         0 -rahs---- C:\MSDOS.SYS
2007-09-27 12:14:47         0 -rahs---- C:\IO.SYS
2007-09-27 12:14:47         0 --a------ C:\CONFIG.SYS
2007-09-27 12:14:47         0 -----n--- C:\AUTOEXEC.BAT
2007-09-27 12:14:03         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-09-27 12:13:57         0 d-------- C:\WINDOWS\Offline Web Pages
2007-09-27 12:13:57         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-09-27 12:13:48         0 d--h----- C:\Program Files\WindowsUpdate
2007-09-27 12:13:34         0 d-------- C:\WINDOWS\system32\DirectX
2007-09-27 12:13:04         0 d---s---- C:\WINDOWS\Tasks
2007-09-27 12:13:03         0 d-------- C:\Program Files\Common Files\MSSoap
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\system32\Macromed
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\srchasst
2007-09-27 12:12:51         0 d-------- C:\Program Files\Movie Maker
2007-09-27 12:12:43         0 d-------- C:\WINDOWS\system32\Restore
2007-09-27 12:12:14     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-27 12:12:02         0 d-------- C:\WINDOWS\Registration
2007-09-27 12:11:57         0 d-------- C:\Program Files\Online Services
2007-09-27 12:11:52         0 d-------- C:\Program Files\Messenger
2007-09-27 12:11:48         0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-27 12:11:12         0 d-------- C:\Program Files\Windows NT
2007-09-27 12:11:09         0 d-------- C:\WINDOWS\system32\MsDtc
2007-09-27 12:11:07         0 d-------- C:\WINDOWS\system32\Com
2007-09-27 08:05:30         0 d--hs---- C:\WINDOWS\Installer
2007-09-27 08:05:30         0 d-------- C:\Program Files\Common Files\ODBC
2007-09-27 08:05:27         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-09-27 08:05:26         0 d-------- C:\Program Files
2007-09-27 08:05:26         0 d-------- C:\Program Files\Common Files
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-09-27 08:05:05         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Recent
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\My Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Local Settings
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Favorites
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Desktop
2007-09-27 08:05:05         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Desktop
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-09-27 08:04:41         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-09-27 08:04:41         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-09-27 08:04:04         0 d-------- C:\Documents and Settings
2007-09-27 08:04:03         0 d--hs---- C:\System Volume Information
2007-09-27 07:57:20         0 d-------- C:\WINDOWS
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\WinSxS
2007-09-27 07:57:20         0 dr------- C:\WINDOWS\Web
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\twain_32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wins
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wbem
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\usmt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\spool
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ShellExt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\Setup
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ras
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\oobe
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\npp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\inetsrv
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\IME
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\icsxml
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ias
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\export
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-09-27 07:57:20         0 d------c- C:\WINDOWS\system32\dllcache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\dhcp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3076
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\2052
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1054
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1042
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1041
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1037
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1033
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1031
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1028
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1025
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\security
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Resources
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Provisioning
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\PeerNet
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\pchealth
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msapps
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msagent
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Media
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\java
2007-09-27 07:57:20         0 d--h----- C:\WINDOWS\inf
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ime
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Help
2007-09-27 07:57:20         0 dr--s---- C:\WINDOWS\Fonts
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ehome
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Driver Cache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Debug
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Cursors
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Connection Wizard
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\AppPatch
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-09-27 08:05:05        62 --ahs---- C:\Documents and Settings\David\Application Data\desktop.ini
2007-07-20 15:54:30     77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; Softwin; Softwin BitDefender Communicator>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [08/27/2007 03:24 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [10/01/2007 03:23 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/16/2005 04:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Update Machine"=tvgyiy.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [10/7/2007 12:17:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"ClearRecentDocsOnExit"=01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
"C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx      scan




-- End of Deckard's System Scanner: finished at 2007-10-16 19:23:21 ------------
-------------------------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3700+
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2047.23 MiB / 1569.67 MiB
Pagefile Memory (total/avail): 3939.66 MiB / 3554.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1896.43 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 66.06 GiB free.
D: is Fixed (NTFS) - 232.88 GiB total, 158.02 GiB free.
E: is Fixed (NTFS) - 232.88 GiB total, 9.18 GiB free.
F: is CDROM (CDFS)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD2500JB-00GVA0 - 232.88 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 232.88 GiB - E:

\\.\PHYSICALDRIVE2 - ST325041 0AS SCSI Disk Device - 232.88 GiB - 1 partition
  \PARTITION0 - Installable File System - 232.88 GiB - D:

\\.\PHYSICALDRIVE1 - ST380811 AS SCSI Disk Device - 74.53 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE3 - Kingston DataTraveler 2.0 USB Device - 1898.31 MiB - 1 partition
  \PARTITION0 (bootable) - MS-DOS V4 Huge - 1898.27 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: Bitdefender Firewall v8.0 (BitDefender)
AV: Bitdefender Antivirus v8.0 (BitDefender)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\tvgyiy.exe"="C:\\WINDOWS\\system32\\tvgyiy.exe:*:Disabled:tvgyiy"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\David\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAVID-DESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\David
LOGONSERVER=\\DAVID-DESKTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Diskeeper Corporation\Diskeeper\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 39 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2701
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\David\LOCALS~1\Temp
TMP=C:\DOCUME~1\David\LOCALS~1\Temp
USERDOMAIN=DAVID-DESKTOP
USERNAME=David
USERPROFILE=C:\Documents and Settings\David
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

David [I](admin)[/I]
Administrator [I](new local, admin)[/I]


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AllToAVI v4 r5394 --> C:\Program Files\AllToAVI\uninst.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AudioConverter --> "C:\Program Files\TotalAudioConverter\unins000.exe"
AusLogics Registry Defrag --> "C:\Program Files\AusLogics Registry Defrag\unins000.exe"
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
BitDefender Internet Security 2008 --> MsiExec.exe /I{E48949FB-95D7-4818-B45A-DE52BE556547}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
D-Link RangeBooster N DWA-542 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F6F39E3-D24D-4EEE-9AEA-DEDAF991385D}\setup.exe" -l0x9  -removeonly
Dell Photo Printer 720 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Diskeeper 2007 Pro Premier --> MsiExec.exe /X{6EEE934B-F292-4995-95BF-4AE871AC42E8}
Dragon NaturallySpeaking 9 --> MsiExec.exe /I{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}
Duplicate Music Files Finder 1.5.5 --> "C:\Program Files\Duplicate Music Files Finder\unins000.exe"
Easy Duplicate Finder v. 1.4.3.0 --> "C:\Program Files\Easy Duplicate Finder\unins000.exe"
EVEREST Ultimate Edition v2.80 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
foobar2000 v0.9.4.3 --> "C:\Program Files\foobar2000\uninstall.exe"
Images of Ireland Theme for Windows XP --> MsiExec.exe /X{E3387EAB-DFD3-4894-9F4C-B27669D35ED8}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 3.4.5 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Flash Player 8 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Magic Utilities 2007 Version 5.30 --> "C:\Program Files\Mgutil\unins000.exe"
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials --> MsiExec.exe /I{9FB8CAC0-CCF6-47C9-8EDE-3AC69FD61033}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Registry Commander v1.04 --> "C:\Program Files\Aezay Productions\Registry Commander\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Super Utilities Pro 7.66 --> "C:\Program Files\SuperLogix\Super Utilities\unins000.exe"
ULi Sata Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FDC53DC6-137A-4541-BFA2-A9BAE4A7FE99}\setup.exe"
Uninstall Tool --> "C:\Program Files\Uninstall Tool\unins000.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1460 / Warning
Event Submitted/Written: 10/16/2007 03:52:44 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles' failed during request for component '{22056900-C842-11D1-A0DD-00A0C9054277}'

Event Record #/Type1459 / Warning
Event Submitted/Written: 10/16/2007 03:52:44 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'ProductNonBootFiles', component '{EED59264-D37E-4F24-A622-EA5AB43D0EAC}' failed.  The resource 'C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\OPA11.BAK' does not exist.

Event Record #/Type1458 / Error
Event Submitted/Written: 10/16/2007 03:45:38 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WiseDiskCleaner.exe, version 2.7.1.83, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1380 / Error
Event Submitted/Written: 10/14/2007 11:38:42 PM
Event ID/Source: 11921 / MsiInstaller
Event Description:
Product: Kaspersky Anti-Virus 7.0 -- Error 1921.Service Kaspersky Anti-Virus 7.0 (AVP) could not be stopped.  Verify that you have sufficient privileges to stop system services.

Event Record #/Type1375 / Error
Event Submitted/Written: 10/14/2007 05:47:25 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application nero.exe, version 7.7.5.1, faulting module unknown, version 0.0.0.0, fault address 0x08080774.
Processing media-specific event for [nero.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5815 / Warning
Event Submitted/Written: 10/16/2007 02:49:19 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type5798 / Error
Event Submitted/Written: 10/16/2007 05:17:30 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type5797 / Error
Event Submitted/Written: 10/16/2007 05:17:30 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type5796 / Error
Event Submitted/Written: 10/16/2007 05:17:30 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Event Record #/Type5764 / Warning
Event Submitted/Written: 10/16/2007 03:58:09 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\JOHN-DESKTOP on the network \Device\NetBT_Tcpip_{F159D5D5-E846-41AD-8002-F3357B5B7AC1}.
The data is the error code.



-- End of Deckard's System Scanner: finished at 2007-10-16 19:19:54 ------------

 

 

by: IndiGenus, posted on 2007-10-16 at 16:34:45, ID: 20089864

Yes, it's definitely a backdoor SDBot.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please copy the contents and post them here. We also need you to post a new HijackThis log.
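The firewall AuthorizedApplications export in the Deckard log above is where tvgyiy.exe stands out: it is an executable under C:\WINDOWS\system32 whose rule name is nothing but its own filename, whereas the genuine Windows components in that list (sessmgr.exe, xpnetdiag.exe) are named through resource strings such as @xpsp2res.dll,-22019. The block below is an added Python example, not code from this thread, from SDFix or from Deckard's System Scanner: it parses an export in that .reg-style format and flags entries matching that pattern. The sample export is constructed from the lines shown above, and the heuristic and the function names are my own.

```python
"""
Review a Windows XP firewall AuthorizedApplications export (.reg style).

Each value line has the form
  "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
with backslashes doubled. Windows components are usually named through a
resource string ("@xpsp2res.dll,-22019"); third-party rules carry a product
name ("Yahoo! Messenger").
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, assembled from the StandardProfile list quoted in the log above.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\tvgyiy.exe"="C:\\WINDOWS\\system32\\tvgyiy.exe:*:Disabled:tvgyiy"
'''

VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"\s*$')
# Prefixes that place an executable inside the Windows directory (hypothetical list for this example).
SYSTEM_DIRS = ("%windir%\\", "c:\\windows\\")
SELF_NAMED_REASON = "executable in the Windows directory whose rule name is just its own filename"


@dataclass
class FirewallRule:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_export(text: str) -> List[FirewallRule]:
    """Parse the value lines of an AuthorizedApplications export; headers and blanks are skipped."""
    rules: List[FirewallRule] = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").replace("\\\\", "\\")
        val = m.group("val").replace("\\\\", "\\")
        if not val.startswith(key + ":"):
            continue  # the value must echo the key path; anything else is malformed
        parts = val[len(key) + 1:].split(":", 2)  # scope, state, display name (name may contain ':')
        if len(parts) != 3:
            continue
        scope, state, name = parts
        rules.append(FirewallRule(key, scope, state.lower() == "enabled", name))
    return rules


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def suspicious(rule: FirewallRule) -> Optional[str]:
    """Return a reason to review the rule, or None. Heuristic: a Windows-directory binary
    whose rule name is merely its own filename has no product or resource-string identity."""
    if rule.name.startswith("@"):
        return None  # named through a resource DLL string, as Windows components are
    filename = rule.path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if in_system_dir(rule.path) and rule.name.lower() == stem.lower():
        return SELF_NAMED_REASON
    return None


def review(text: str) -> List[Tuple[str, str]]:
    """(path, reason) for every rule in the export that the heuristic flags."""
    return [(r.path, reason) for r in parse_export(text) if (reason := suspicious(r)) is not None]


if __name__ == "__main__":
    for rule in parse_export(SAMPLE_EXPORT):
        state = "enabled" if rule.enabled else "disabled"
        print(f"{state:8} {rule.name!r:28} {rule.path}")
    for path, reason in review(SAMPLE_EXPORT):
        print(f"REVIEW: {path}: {reason}")
```

Run against the constructed sample, only the tvgyiy.exe entry is reported. The rule's state is kept on purpose: the log shows it as Disabled, and a disabled exception is still evidence that something registered itself with the firewall, so the file deserves the same scrutiny as an enabled one. The heuristic is a triage aid for reading these logs, not a verdict; the flagged file still has to be checked by name, hash or signature.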

 

by: IndiGenus, posted on 2007-10-16 at 16:36:20, ID: 20089872

EDIT: Instead of posting a HijackThis log at the end, please post another Deckard's Scanner log.

Thanks,
Dave

 

by: Heuman, posted on 2007-10-16 at 17:28:01, ID: 20090043

Dave,

No, thank you for your help. I'm running the SDFix fix tool. When you run Deckard's it will ask you if it can install and run HijackThis. Is this normal? Looks like it found something. How radical is this trojan, and how can I ensure there is nothing else resident and lying incognito on my PC?
----------------------------------------------------------------------------------------------
 
SDFix: Version 1.109

Run by David on Tue 10/16/2007 at 08:10 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\regedit.com  - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\WINDOWS\\system32\\tvgyiy.exe"="C:\\WINDOWS\\system32\\tvgyiy.exe:*:Disabled:tvgyiy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 12 Oct 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
------------------------------------------------------------------------------------------------------------------------


Deckard's System Scanner v20071014.68
Run by David on 2007-10-16 20:17:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:38 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\David.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 7385 bytes

-- Files created between 2007-09-16 and 2007-10-16 -----------------------------

2007-10-16 20:09:55         0 d-------- C:\WINDOWS\ERUNT
2007-10-16 20:03:34         0 dr-h----- C:\Documents and Settings\David\Recent
2007-10-16 19:20:49         0 d-------- C:\Program Files\Trend Micro
2007-10-16 05:35:19         0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-16 05:28:13         0 d-------- C:\Documents and Settings\All Users\Application Data\CrystalIdea Software
2007-10-16 05:22:48         0 d-------- C:\Program Files\Uninstall Tool
2007-10-16 00:30:22         0 d-------- C:\Documents and Settings\David\Application Data\Bitdefender
2007-10-16 00:30:08         0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-10-15 22:01:40     81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-10-15 22:01:01         0 d-------- C:\Program Files\BitDefender
2007-10-15 22:00:27         0 d-------- C:\Program Files\Common Files\BitDefender
2007-10-15 17:04:34         0 d-------- C:\WINDOWS\BDOSCAN8
2007-10-15 04:37:47         0 d-------- C:\Program Files\SonicWallES
2007-10-15 00:07:14         0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-14 17:13:39         0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 13:43:41         0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-14 00:46:30         0 d-------- C:\KAV
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\zts2.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundll16.exe
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\rundl132.dll
2007-10-13 14:06:14         0 d-a------ C:\WINDOWS\logo1_.exe
2007-10-13 04:17:28         0 d-------- C:\Program Files\Wise Registry Cleaner
2007-10-13 04:16:49         0 d-------- C:\Program Files\Aezay Productions
2007-10-13 04:10:22         0 d-------- C:\Program Files\AusLogics Registry Defrag
2007-10-12 22:49:54         0 d-------- C:\Documents and Settings\David\Application Data\foobar2000
2007-10-12 22:49:50         0 d-------- C:\Program Files\foobar2000
2007-10-12 17:55:16         0 d-------- C:\Program Files\Common Files\Scansoft Shared
2007-10-12 17:55:16         0 d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-12 17:55:02         0 d-------- C:\Program Files\Nuance
2007-10-12 16:44:57         0 d-------- C:\Program Files\Easy Duplicate Finder
2007-10-12 16:43:40         0 d-------- C:\Program Files\Duplicate Music Files Finder
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\suupdate.dat
2007-10-12 16:24:08         0 --a------ C:\WINDOWS\system32\mssurun.dat
2007-10-12 16:24:08    269824 --a------ C:\WINDOWS\system32\baksm.dll
2007-10-12 16:23:59   2281472 --a------ C:\WINDOWS\system32\vbsbak.dat <Not Verified; SuperLogix; Super Utilities>
2007-10-12 16:23:59        42 --a------ C:\WINDOWS\system32\vb6sock.dll
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\supermenuhook.dll
2007-10-12 16:23:59         0 d-------- C:\WINDOWS\system32\IOSUBSYS
2007-10-12 16:23:59     43936 --a------ C:\WINDOWS\system32\drivers\HWFProt.sys <Not Verified; Alfa Corporation; AlfaFP (TM) 2003 Ansi Build for Windows NT/2K>
2007-10-12 16:23:59    591872 --a------ C:\WINDOWS\system32\context.dll <Not Verified; SuperLogix; Enhancement to context menu>
2007-10-12 16:23:59    269824 --a------ C:\WINDOWS\system32\baksm.dat
2007-10-12 16:23:59         0 d-------- C:\Program Files\SuperLogix
2007-10-12 15:36:47         0 d-------- C:\Program Files\Mgutil
2007-10-12 04:06:18         0 d-------- C:\Program Files\Wise Disk Cleaner
2007-10-11 23:59:00         0 d-------- C:\Program Files\SpywareBlaster
2007-10-11 22:58:27     28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-11 18:57:35         0 d-------- C:\Program Files\QuickTime
2007-10-11 18:40:32         0 d-------- C:\WINDOWS\Sun
2007-10-11 18:40:32         0 d-------- C:\Documents and Settings\David\Application Data\Sun
2007-10-11 18:40:06         0 d-------- C:\Program Files\Java
2007-10-11 18:39:56         0 d-------- C:\Program Files\Common Files\Java
2007-10-11 18:34:58         0 d-------- C:\Documents and Settings\David\.housecall6.6
2007-10-11 12:24:05         0 d-------- C:\Program Files\TotalAudioConverter
2007-10-10 19:58:42         0 d-------- C:\Program Files\MSECache
2007-10-10 19:52:49         0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-10 19:52:10         0 d-------- C:\WINDOWS\SHELLNEW
2007-10-10 19:51:10         0 d-------- C:\Program Files\Microsoft.NET
2007-10-09 16:20:53         0 d-------- C:\Documents and Settings\David\Application Data\Ahead
2007-10-09 16:15:57         0 d-------- C:\Program Files\Nero
2007-10-09 16:15:57         0 d-------- C:\Program Files\Common Files\Ahead
2007-10-09 16:07:31         0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 15:25:25         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-10-09 04:09:23         0 d-------- C:\Program Files\Seagate
2007-10-09 03:33:33         0 d-------- C:\Documents and Settings\David\Application Data\uTorrent
2007-10-09 02:36:46         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-08 01:53:15         0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-08 01:18:26         0 d-------- C:\Program Files\Bonjour
2007-10-08 01:10:05         0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-08 00:57:25         0 d-------- C:\Program Files\MagicISO
2007-10-08 00:39:32    639224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-07 00:17:29    237636 --a------ C:\WINDOWS\system32\wsimd.dll <Not Verified; Atheros Communications, Inc.; wsimd>
2007-10-07 00:17:29    245830 --a------ C:\WINDOWS\system32\wsfwDS.dll <Not Verified; Atheros Communications, Inc.; wsfwds>
2007-10-07 00:17:29     53248 -ra------ C:\WINDOWS\system32\dsaNac.dll <Not Verified; Devicescape, Inc.; Devicescape NAC Notify DLL>
2007-10-07 00:17:29   1253432 -ra------ C:\WINDOWS\system32\dsa.dll <Not Verified; Devicescape; Devicescape Windows WPA Supplicant (Core 0.4.3)>
2007-10-07 00:17:29         0 d-------- C:\WINDOWS\pcidevice
2007-10-07 00:17:29         0 d-------- C:\Program Files\D-Link
2007-10-06 18:44:54         0 d-------- C:\Documents and Settings\David\Application Data\Nero
2007-10-06 18:42:18         0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-05 19:41:15         0 d-------- C:\Program Files\Marvell
2007-10-05 19:37:24      5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-10-04 13:52:54    399872 --a------ C:\WINDOWS\c4dstand.dll
2007-10-04 13:52:53    438272 --a------ C:\WINDOWS\c4dll.dll <Not Verified; Sequiter Software Inc.; CodeBase>
2007-10-04 13:52:39     98304 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>
2007-10-04 13:52:39         0 d-------- C:\Program Files\LearnKey
2007-10-04 13:52:36    487936 --a------ C:\WINDOWS\LkUnInst.exe <Not Verified; LearnKey, Inc.; >
2007-10-03 22:55:26         0 d-------- C:\temp
2007-10-02 20:58:47         0 d-------- C:\WINDOWS\PAC207
2007-10-02 00:18:12      1075 --a------ C:\Documents and Settings\David\Application Data\SAS7_000.DAT
2007-10-01 19:09:02         0 d-------- C:\Documents and Settings\David\Application Data\Nuance
2007-10-01 19:03:34         0 d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2007-10-01 17:20:18         0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-01 17:17:35         0 d-------- C:\WINDOWS\speech
2007-10-01 02:24:27         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-10-01 02:23:46         0 d-------- C:\Program Files\MSXML 4.0
2007-10-01 01:53:31         0 d-------- C:\Program Files\Anark
2007-09-30 23:56:43    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-09-30 23:56:38         0 d-------- C:\Documents and Settings\David\WINDOWS
2007-09-28 23:05:33         0 d-------- C:\Program Files\MSXML 6.0
2007-09-28 20:57:19         0 d-------- C:\WINDOWS\system32\XPSViewer
2007-09-28 20:56:58         0 d-------- C:\Program Files\Reference Assemblies
2007-09-28 20:52:33         0 d-------- C:\WINDOWS\system32\URTTemp
2007-09-28 20:33:08         0 d-------- C:\Program Files\MTV Networks
2007-09-28 20:33:04         0 d-------- C:\WINDOWS\Downloaded Installations
2007-09-28 20:09:30         0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\LogFiles
2007-09-28 20:08:23         0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-28 20:00:19         0 d-------- C:\WINDOWS\network diagnostic
2007-09-28 19:59:04         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-09-28 19:35:44         0 d-------- C:\Program Files\Diskeeper Corporation
2007-09-28 16:52:49         0 d--hs---- C:\Diskeeper
2007-09-28 16:09:53         0 d-------- C:\Documents and Settings\David\Application Data\Softplicity
2007-09-28 01:39:11         0 d-------- C:\WINDOWS\Wallpaper Of Wow
2007-09-27 22:22:02         0 d-------- C:\Documents and Settings\David\Application Data\Yahoo!
2007-09-27 22:09:22         0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-27 22:07:44         0 d-------- C:\Program Files\Yahoo!
2007-09-27 19:19:21     29696 -----n--- C:\WINDOWS\system32\dev32.exe <Not Verified; ALi Coporation; Install Program>
2007-09-27 19:19:16    163840 -----n--- C:\WINDOWS\system32\coin5288.dll <Not Verified; ULi Electronics Inc.; Coinstaller Dynamic Link Library>
2007-09-27 18:01:51         0 d-------- C:\Program Files\MSBuild
2007-09-27 17:58:14         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-27 17:19:07         0 d-------- C:\Documents and Settings\David\Application Data\Adobe
2007-09-27 17:11:35         0 d-------- C:\Documents and Settings\David\Application Data\Media Player Classic
2007-09-27 17:10:34    217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-09-27 17:10:34    282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-09-27 17:10:34   1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-09-27 17:10:33   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-27 17:10:33     73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-27 17:10:33    740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-27 17:10:32      7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-27 17:10:31         0 d-------- C:\Program Files\K-Lite Codec Pack
2007-09-27 17:03:31         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-09-27 17:03:24         0 d-------- C:\Program Files\Common Files\Adobe
2007-09-27 17:00:32         0 d-------- C:\WINDOWS\pss
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-27 16:47:23         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Recent
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-27 16:47:23    524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-27 16:47:23         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-27 16:47:23         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-27 16:47:23         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-27 16:47:23         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-27 16:32:20         0 d-------- C:\Documents and Settings\David\Application Data\Macromedia
2007-09-27 16:02:50       830 --a------ C:\WINDOWS\system32\installer.bat
2007-09-27 15:44:50    851456 --a------ C:\WINDOWS\system32\WGA.exe
2007-09-27 15:44:30       512 --a------ C:\ScanSectorLog.dat
2007-09-27 14:36:47         0 d-------- C:\Program Files\DAMN NFO Viewer
2007-09-27 14:36:15         0 d-------- C:\Documents and Settings\David\Application Data\WinRAR
2007-09-27 14:06:58         0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-27 14:06:57         0 d-------- C:\Documents and Settings\David\Application Data\Azureus
2007-09-27 14:06:07         0 d-------- C:\Program Files\Azureus
2007-09-27 13:54:35      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-27 13:54:26     11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-09-27 13:53:49         0 d-------- C:\WINDOWS\Internet Logs
2007-09-27 13:49:08         0 d-------- C:\WINDOWS\system32\appmgmt
2007-09-27 13:25:13         0 d-------- C:\WINDOWS\system32\PreInstall
2007-09-27 13:25:12         0 d--h----- C:\WINDOWS\$hf_mig$
2007-09-27 13:23:03         0 d--hs---- C:\Documents and Settings\David\UserData
2007-09-27 13:21:20         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system32\drivers\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system32\drivers\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system32\drivers\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system32\drivers\RADIO0d.bin
2007-09-27 13:09:06    255360 -ra------ C:\WINDOWS\system32\drivers\AIRPLUS.sys <Not Verified; D-Link; D-Link AirPlus 22 Mbps Wireless Network Adapter>
2007-09-27 13:09:06     40636 -ra------ C:\WINDOWS\system\WLANGEN.bin
2007-09-27 13:09:06       912 -ra------ C:\WINDOWS\system\RADIO15.bin
2007-09-27 13:09:06       964 -ra------ C:\WINDOWS\system\RADIO11.bin
2007-09-27 13:09:06       936 -ra------ C:\WINDOWS\system\RADIO0d.bin
2007-09-27 12:59:50         0 d-------- C:\Program Files\AllToAVI
2007-09-27 12:59:21         0 d-------- C:\Documents and Settings\David\Application Data\TuneUp Software
2007-09-27 12:56:18         0 d-------- C:\Program Files\Lavalys
2007-09-27 12:55:13         0 d-------- C:\Program Files\DSC Driver
2007-09-27 12:35:45         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-09-27 12:35:44         0 d-------- C:\WINDOWS\system32\Data
2007-09-27 12:35:36     49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2007-09-27 12:24:35    593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-09-27 12:24:27         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-27 12:24:16         0 d-------- C:\Program Files\Common Files\InstallShield
2007-09-27 12:24:11         0 d-------- C:\ATI
2007-09-27 12:23:27         0 d-------- C:\Documents and Settings\David\Application Data\Identities
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Templates
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Start Menu
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\SendTo
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\PrintHood
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\NetHood
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\My Documents
2007-09-27 12:23:20         0 d--h----- C:\Documents and Settings\David\Local Settings
2007-09-27 12:23:20         0 dr------- C:\Documents and Settings\David\Favorites
2007-09-27 12:23:20         0 d-------- C:\Documents and Settings\David\Desktop
2007-09-27 12:23:20         0 d--hs---- C:\Documents and Settings\David\Cookies
2007-09-27 12:23:20         0 dr-h----- C:\Documents and Settings\David\Application Data
2007-09-27 12:23:19   4456448 --a------ C:\Documents and Settings\David\NTUSER.DAT
2007-09-27 12:22:37         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-09-27 12:22:36         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-09-27 12:22:36         0 d-------- C:\WINDOWS\Prefetch
2007-09-27 12:22:35    229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-09-27 12:22:35         0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-09-27 12:22:35         0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-09-27 12:22:35         0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-09-27 12:22:35         0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-09-27 12:18:04    229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-09-27 12:18:04         0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-09-27 12:18:04         0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-09-27 12:18:04         0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-09-27 12:18:04         0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-09-27 12:14:59         0 d-------- C:\WINDOWS\system32\xircom
2007-09-27 12:14:59         0 d-------- C:\Program Files\microsoft frontpage
2007-09-27 12:14:51    229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-09-27 12:14:47         0 -rahs---- C:\MSDOS.SYS
2007-09-27 12:14:47         0 -rahs---- C:\IO.SYS
2007-09-27 12:14:47         0 --a------ C:\CONFIG.SYS
2007-09-27 12:14:47         0 -----n--- C:\AUTOEXEC.BAT
2007-09-27 12:14:03         0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-09-27 12:13:57         0 d-------- C:\WINDOWS\Offline Web Pages
2007-09-27 12:13:57         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-09-27 12:13:48         0 d--h----- C:\Program Files\WindowsUpdate
2007-09-27 12:13:34         0 d-------- C:\WINDOWS\system32\DirectX
2007-09-27 12:13:04         0 d---s---- C:\WINDOWS\Tasks
2007-09-27 12:13:03         0 d-------- C:\Program Files\Common Files\MSSoap
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\system32\Macromed
2007-09-27 12:12:59         0 d-------- C:\WINDOWS\srchasst
2007-09-27 12:12:51         0 d-------- C:\Program Files\Movie Maker
2007-09-27 12:12:43         0 d-------- C:\WINDOWS\system32\Restore
2007-09-27 12:12:14     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-27 12:12:02         0 d-------- C:\WINDOWS\Registration
2007-09-27 12:11:57         0 d-------- C:\Program Files\Online Services
2007-09-27 12:11:52         0 d-------- C:\Program Files\Messenger
2007-09-27 12:11:48         0 d-------- C:\Program Files\MSN Gaming Zone
2007-09-27 12:11:12         0 d-------- C:\Program Files\Windows NT
2007-09-27 12:11:09         0 d-------- C:\WINDOWS\system32\MsDtc
2007-09-27 12:11:07         0 d-------- C:\WINDOWS\system32\Com
2007-09-27 08:05:30         0 d--hs---- C:\WINDOWS\Installer
2007-09-27 08:05:30         0 d-------- C:\Program Files\Common Files\ODBC
2007-09-27 08:05:27         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-09-27 08:05:26         0 d-------- C:\Program Files
2007-09-27 08:05:26         0 d-------- C:\Program Files\Common Files
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-09-27 08:05:05         0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\Recent
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\My Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Local Settings
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Favorites
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\Default User\Desktop
2007-09-27 08:05:05         0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-09-27 08:05:05         0 d--h----- C:\Documents and Settings\All Users\Templates
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Favorites
2007-09-27 08:05:05         0 dr------- C:\Documents and Settings\All Users\Documents
2007-09-27 08:05:05         0 d-------- C:\Documents and Settings\All Users\Desktop
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-09-27 08:04:47         0 d-------- C:\WINDOWS\system32\CatRoot
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-09-27 08:04:41         0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-09-27 08:04:41         0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-09-27 08:04:41         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-09-27 08:04:04         0 d-------- C:\Documents and Settings
2007-09-27 08:04:03         0 d--hs---- C:\System Volume Information
2007-09-27 07:57:20         0 d-------- C:\WINDOWS
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\WinSxS
2007-09-27 07:57:20         0 dr------- C:\WINDOWS\Web
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\twain_32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wins
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\wbem
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\usmt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\spool
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ShellExt
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\Setup
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ras
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\oobe
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\npp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\inetsrv
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\IME
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\icsxml
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\ias
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\export
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-09-27 07:57:20         0 d------c- C:\WINDOWS\system32\dllcache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\dhcp
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\3076
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\2052
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1054
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1042
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1041
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1037
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1033
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1031
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1028
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system32\1025
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\system
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\security
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Resources
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Provisioning
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\PeerNet
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\pchealth
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\mui
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msapps
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\msagent
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Media
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\java
2007-09-27 07:57:20         0 d--h----- C:\WINDOWS\inf
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ime
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Help
2007-09-27 07:57:20         0 dr--s---- C:\WINDOWS\Fonts
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\ehome
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Driver Cache
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Debug
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Cursors
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Connection Wizard
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\Config
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\AppPatch
2007-09-27 07:57:20         0 d-------- C:\WINDOWS\addins


-- Find3M Report ---------------------------------------------------------------

2007-09-27 08:05:05        62 --ahs---- C:\Documents and Settings\David\Application Data\desktop.ini
2007-07-20 15:54:30     77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; Softwin; Softwin BitDefender Communicator>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [08/27/2007 03:24 PM]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [10/01/2007 03:23 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [02/16/2005 04:15 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe [10/7/2007 12:17:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)
"ClearRecentDocsOnExit"=01

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Icatch(VI) SnapDetect.lnk]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
"C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx      scan




-- End of Deckard's System Scanner: finished at 2007-10-16 20:20:15 ------------

 

by: IndiGenus, Posted on 2007-10-16 at 17:44:46, ID: 20090095

>"When you run Deckard's it will ask you if it can install and run HijackThis.  Is this normal?  Looks like it found something."<

Yes, HJT is run as part of the DSS scan.  

>"How radical is this trojan and how can I ensure there is nothing else resident and lying incognito on my PC?"<

Well, it's a backdoor. Any time one of these is present there should be some concern that there may be things we can't see. Some would consider this kind of discovery a reason to reformat and install fresh. In some cases I agree with this. But we also have good tools to deal with these infections, like SDFix and others. We also would want to run some other scans.

One of the concerns I have now is you have another one of these disabled with msconfig. We can see it from your DSS log.
-----------------------
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe
-----------------------
So don't make any changes with msconfig. There are a couple of other items in there too that I need to research. At this point I would recommend running ComboFix and getting a log. We can also use ComboFix as a script tool to remove the malicious entries waiting to do damage from msconfig.

Download and Run ComboFix

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply with a HijackThis log.

HijackThis can be downloaded here:

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
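The pathless famrbe.exe entry the helper singled out from the DSS registry dump can be picked out mechanically. The following is an added example, not code from the thread or from Deckard's System Scanner: it parses the [key] / value layout of the Registry Dump section over a constructed sample in the same layout and flags startup commands that name a bare file with no directory.

```python
"""Triage of the 'Registry Dump' section of a Deckard's System Scanner log.

Added example, not code from the thread or from DSS. It parses the
[key] / value layout DSS prints for the Run keys and for items disabled
through msconfig (shared tools\\msconfig\\startupreg\\...), then flags any
startup command that names a bare file with no directory, the shape of the
famrbe.exe entry the helper singled out above.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the DSS Registry Dump layout (not the poster's log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [10/01/2007 03:23 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
famrbe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Run-key layout: "Name"="C:\full\path\prog.exe" [mm/dd/yyyy hh:mm AM]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# Program token of an unquoted command line; unquoted paths with spaces are
# ambiguous, so take everything up to the first executable extension.
UNQUOTED_EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)
MSCONFIG_MARK = "\\msconfig\\startupreg\\"


@dataclass
class StartupEntry:
    key: str          # full registry key as printed by DSS
    name: str         # value name (Run keys) or last key component (msconfig)
    command: str      # command line as logged
    executable: str   # program part of the command, quotes stripped
    disabled: bool    # True when the item sits under msconfig\startupreg


def executable_of(command: str) -> str:
    """Return the program path from a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = UNQUOTED_EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def is_startup_key(key: str) -> bool:
    k = key.lower()
    return k.endswith("\\currentversion\\run") or MSCONFIG_MARK in k


def parse_registry_dump(text: str) -> List[StartupEntry]:
    """Walk the dump, pairing each [key] header with the value lines under it."""
    entries: List[StartupEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = KEY_RE.match(line)
        if header:
            current_key = header.group(1)
            continue
        if current_key is None or not is_startup_key(current_key):
            continue
        if MSCONFIG_MARK in current_key.lower():
            # msconfig keeps the whole command line; the item name is the key's last part.
            name, command = current_key.rsplit("\\", 1)[-1], line
            entries.append(StartupEntry(current_key, name, command, executable_of(command), True))
        else:
            v = RUN_VALUE_RE.match(line)
            if v:  # DSS already strips arguments here, so cmd is the path itself
                entries.append(StartupEntry(current_key, v["name"], v["cmd"], v["cmd"], False))
    return entries


def flag_pathless(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Entries whose program has no directory component.

    Installers normally write full paths; a bare name is resolved through the
    PATH search order, so the file could sit in any searched directory and is
    worth locating by hand, as the thread goes on to do.
    """
    return [e for e in entries if e.executable and not re.search(r"[\\/]", e.executable)]


def triage(text: str) -> List[str]:
    """Names of startup items to look at, noting whether msconfig has them disabled."""
    flagged = flag_pathless(parse_registry_dump(text))
    return [f"{e.name}: {e.command} ({'disabled via msconfig' if e.disabled else 'active'})"
            for e in flagged]


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```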

 

by: IndiGenus, Posted on 2007-10-16 at 19:17:45, ID: 20090393

Okay no problem rpggamergirl. Will have them use http://www.ee-stuff.com.

I'm obviously used to working in the forums where we have them post everything for all to see. I'll adjust accordingly here.

Thanks,
Dave

 

by: rpggamergirl, Posted on 2007-10-16 at 19:32:59, ID: 20090449

Thanks for understanding Dave, I know it's a little different here at EE. It's kinda a "question and answer" site.
EE prefers that no logs are posted in the questions.
At least, it's better now that there's a Hijackthis zone for hijackthis logs, they didn't use to, :)

Keep up the good work!

~rpg

 

by: IndiGenus, Posted on 2007-10-16 at 20:49:16, ID: 20090706

Thanks for following up on rpg's request. I'm still kind of new here....although not new to doing this stuff.

Open Notepad and copy/paste in the following text between the lines:
--------------------------------------------------------
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
--------------------------------------------------------

Save the above as CFScript.txt on the desktop.

Then drag the CFScript.txt file onto ComboFix.exe on the desktop. This will start ComboFix again. Upload the new log that is produced.

Please do a search for the following file(s):
Start > Search > All Files And Folders
Under More Advanced Options, make sure the following are checked:
*Search system folders
*Search hidden files and folders
*Search subfolders
Then copy and paste the following (one at a time) in the search box:

famrbe.exe
tvgyiy.exe

If found delete all instances of these files.

Let us know how it's running now.

 

by: Heuman, Posted on 2007-10-16 at 22:56:41, ID: 20091085

- Hey no problem I'm just trying to follow the site's rules, I was the person who decided to copy and paste one of my logs directly into this thread to begin with. This was something that I overlooked in the rules section. I did not mean for you to get into any trouble.  
- I created the CFScript.txt file and ran it with ComboFix. Please see below for a link to this log file.  I also did a search with making sure that everything you mentioned above is checked: search system folders, search hidden files and folders, search subfolders. My search results did not find any files by the name of famrbe.exe and tvgyiy.exe.

http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=5053

- Please let me know how the log file looks (cross my fingers and hope it's clean) & I would like to thank you in advance for all of your hard work and time you've put in to help resolve my issue.  My computer has definitely smoothed out and isn't laggy anymore like it was before. Awesome!
- Question: what antivirus/anti-spyware and personal firewall should I be using??? Since it seems that all of them pick up something that the other one can't...  If that suggestion can be made.
- Is it safe for people to look at my log files online like this?





 

by: IndiGenus, Posted on 2007-10-17 at 05:30:32, ID: 20092575

>"- Question: what antivirus/anti-spyware and personal firewall should I be using??? Since it seems that all of them pick up something that the other one can't...  If that suggestion can be made."<

Well ask 10 people this question and you'll probably get 10 different answers. No, there is not one of them that will find "everything". Bit Defender gets good reviews and I believe is solid. But it does not include a firewall, does it? I would recommend adding that as the Windows Firewall is weak at best. Here are a couple of free ideas. I'm using Sunbelt right now and am happy with it.

http://www.sunbelt-software.com/Kerio-Download.cfm - Sunbelt Personal Firewall
http://www.agnitum.com/products/outpost/index.php - Outpost Firewall

>" - Is it safe for people to look at my log files online like this?"<

Well I've never seen or heard of any issues around it. There is nothing that is really helpful to a hacker like an IP address or anything. So I believe you're OK.

Log looks clean. I would recommend an online scan like Kaspersky. It will not fix anything but it's very thorough. You can upload the log that it produces and I'll take a look at it. It will likely take a long time to run on your computer so set it to run overnight or at a time when you don't need it.

Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

 

by: Heuman, Posted on 2007-10-17 at 15:21:58, ID: 20097499

IndiGenus,
You're right everyone does have an opinion about something.... actually the BitDefender software I was using was their Internet security suite which came with an antivirus, anti-spyware engine and a personal firewall. I have since uninstalled BitDefender and I have installed the Sun Belt personal firewall which I like a lot better. It seems to have more direct control over the applications on your computer that are trying to reach out to the net. Just using a trial version of the firewall and Kaspersky's antivirus.  
- Oh, I did do a couple of online virus scans that came up CLEAN... YOU DA MAN!!  Now I'd need to learn how to read the script files that are produced by hijackthis and similar software when system scans are performed.

 

by: IndiGenus, Posted on 2007-10-17 at 15:30:46, ID: 20097544

There are several good places to learn how to interpret HJT logs and advise on cleanup and prevention. It requires a fair amount of study and work but if you are motivated these are the places to learn.

Malware Removal University: http://forum.malwareremoval.com/viewtopic.php?t=233
Geek U: http://www.geekstogo.com/forum/Would-like-to-learn-to-fight-malware-t4817.html

There are other good places too.
