
Infostealer type trojans

Discussion in 'Malware and Virus Removal Archive' started by JasonDax, 2007/10/25.

  1. 2007/10/25
    JasonDax

    JasonDax Inactive Thread Starter

    Joined:
    2007/10/25
    Messages:
    6
    Likes Received:
    0
    Hi, recently I was hit by this very nasty group of baddies. I helped remove a few unwanted monsters on a friend's laptop and used my USB key to install some software on said laptop. I consider myself a fairly tech-savvy individual but have been humbled by the rampage that this trojan/virus/malware has caused on my system. I completely wasn't thinking when I used my USB key several days later on my own system. The files that were the culprits in this attack were auto.exe and autorun.inf, which I have done a lot of digging up on.

    I read a post on this forum that had a similar case happening. The autorun.inf file was placing an extra command on all drives in my system. If I had right-clicked on every hard drive and clicked Open, then the virus would never have injected itself. But what these bad boy files did was replace the left-click command to open with the auto.exe command, which would then execute the trojan or whatever malware it was programmed to install.

    I spent 2 sleepless days repairing the problem. I had an account compromised due to the trojan and have been keeping close watch on my system since. After long, long sleepless days of reparation I finally reached a point where I was getting no red flags. Everything seemed clean and clear, but I still ran a scan every night. Last night I got hit again. At some point, 2am and later, Symantec started picking up infostealer.lemir files in the windows/system32 folder, which had been clean on earlier days. So something has remained and it is eluding my detection.

    I humbly request your help at rooting out the source of my infection. I ran the suggested scan and will paste it here:

    Deckard's System Scanner v20071014.68
    Run by Ronin on 2007-10-25 17:34:33
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 2 Restore Point(s) --
    2: 2007-09-05 23:10:34 UTC - RP78 - Logitech Camera Driver Install
    1: 2007-08-14 06:06:58 UTC - RP9 - Software Distribution Service 3.0


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Ronin.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:34:55 PM, on 10/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Ronin\Desktop\dss.exe
    C:\HIJACK~1\Ronin.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe "
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: M-Audio Series II MIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 4720 bytes

    -- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

    backup-20060119-232451-261 O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    backup-20060119-232451-482 O1 - Hosts: 70.85.188.162 L2testauthd.lineage2.com
    backup-20060119-232451-564 O1 - Hosts: 70.85.188.162 l2authd.lineage2.com
    backup-20060119-233451-659 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
    R3 MA_CMIDI (M-Audio USB Driver) - c:\windows\system32\drivers\ma_cmidi.sys <Not Verified; M-Audio; M-Audio USB MIDI Keyboard Interface>
    R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
    R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    R3 rrau0001 - c:\windows\system32\drivers\rrau0001.sys <Not Verified; BridgeCo AG; BridgeCo 1394 Audio Drivers>
    R3 rrwd0001 - c:\windows\system32\drivers\rrwd0001.sys <Not Verified; BridgeCo AG; BridgeCo 1394 Audio Drivers>

    S3 BS_DEF - c:\program files\asus\asusupdate\bs_def.sys (file missing)
    S3 catchme - c:\docume~1\ronin\locals~1\temp\catchme.sys (file missing)
    S3 cxwibu (Team H2O WIBU Driver) - c:\h2o\cxwibu.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 MA_CMIDI_InstallerService (M-Audio Series II MIDI Installer) - c:\program files\m-audio\m-audio series ii midi\ma_cmidi_inst.exe <Not Verified; ; MA_CMIDI USB MIDI Installer Service>
    R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>

    S4 1492406C - c:\windows\system32\c38b9b22.exe -k (file missing)
    S4 287200EE - c:\windows\system32\bf1919b6.exe -k (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2007-09-25 and 2007-10-25 -----------------------------

    2007-10-22 17:20:59 0 d-------- C:\Program Files\Symantec AntiVirus
    2007-10-22 17:20:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
    2007-10-21 20:19:45 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD Shrink
    2007-10-21 20:19:43 0 d-------- C:\Program Files\DVD Shrink
    2007-10-20 23:34:28 163840 --a------ C:\WINDOWS\system32\ArtFfct.dll <Not Verified; ; Bibliothèque de liaison dynamique FDlg>
    2007-10-20 16:17:03 0 d-------- C:\Program Files\Music Rescue
    2007-10-20 03:22:53 0 d-------- C:\Documents and Settings\Ronin\.housecall6.6 <HOUSEC~1.6>
    2007-10-20 03:15:32 0 d-------- C:\VundoFix Backups
    2007-10-20 01:24:20 0 d-------- C:\Program Files\Trend Micro
    2007-10-20 01:14:29 0 d-------- C:\WINDOWS\system32\ActiveScan
    2007-10-19 23:53:06 0 d-------- C:\Documents and Settings\Ronin\Application Data\Grisoft
    2007-10-19 23:52:56 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
    2007-10-19 23:42:58 164 --a------ C:\install.dat
    2007-10-19 23:38:56 0 d-------- C:\Documents and Settings\Ronin\Application Data\GetRightToGo
    2007-10-19 23:00:57 1903 --a------ C:\trojdelete.bat
    2007-10-19 23:00:57 1367 --a------ C:\autofix.bat
    2007-10-19 22:40:12 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx
    2007-10-19 22:39:55 0 d-------- C:\Temp
    2007-10-19 22:24:46 0 d--hs---- C:\WINDOWS\CSC
    2007-10-19 22:02:21 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2007-10-19 21:11:34 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2007-10-19 21:05:12 0 d-------- C:\WINDOWS\pss
    2007-10-18 21:11:49 0 d-------- C:\Documents and Settings\Ronin\Application Data\Ableton
    2007-10-18 21:11:48 225280 --a------ C:\WINDOWS\system32\ReWire.dll <Not Verified; Propellerhead Software AB; ReWire>
    2007-10-18 21:11:37 0 d-------- C:\Program Files\Ableton
    2007-10-12 17:33:16 0 d-------- C:\WINDOWS\NV668660.TMP
    2007-10-12 17:32:00 0 d-------- C:\NVIDIA
    2007-10-12 17:28:46 0 d-------- C:\Documents and Settings\Ronin\Application Data\SystemRequirementsLab
    2007-10-09 17:46:13 0 d-------- C:\Documents and Settings\Ronin\Application Data\Codemasters
    2007-10-09 17:45:29 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallShield
    2007-10-09 17:45:02 0 d-------- C:\WINDOWS\system32\AGEIA
    2007-10-09 17:45:02 0 d-------- C:\Program Files\AGEIA Technologies
    2007-09-29 15:10:58 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SlySoft
    2007-09-29 15:04:51 0 d--h----- C:\WINDOWS\Modules
    2007-09-28 12:07:52 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2007-09-28 12:05:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2007-09-28 12:05:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2007-09-28 12:05:40 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2007-09-28 12:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-09-28 12:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-09-28 12:05:40 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2007-09-28 12:05:08 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


    -- Find3M Report ---------------------------------------------------------------

    2007-10-23 20:05:58 0 d-------- C:\Program Files\Steam
    2007-10-22 19:37:36 0 d-------- C:\Documents and Settings\Ronin\Application Data\uTorrent
    2007-10-22 17:21:17 0 d-------- C:\Program Files\Symantec
    2007-10-22 17:21:00 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-10-21 20:13:30 0 d-------- C:\Program Files\DVD2one
    2007-10-20 16:18:15 235 --a------ C:\Documents and Settings\Ronin\Application Data\com.kennettnet.MusicRescueProfiles.plist
    2007-10-20 16:18:15 3590 --a------ C:\Documents and Settings\Ronin\Application Data\com.kennettnet.MusicRescue.plist
    2007-10-20 03:33:24 0 d-------- C:\Program Files\Java
    2007-10-20 01:27:04 0 d-------- C:\Program Files\DAEMON Tools
    2007-10-19 21:11:34 0 d-------- C:\Program Files\Lavasoft
    2007-10-19 21:11:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-11 22:59:19 0 d-------- C:\Documents and Settings\Ronin\Application Data\Adobe
    2007-10-09 17:45:29 0 d-------- C:\Documents and Settings\Ronin\Application Data\InstallShield
    2007-10-09 17:43:37 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-10-07 17:00:39 0 d-------- C:\Program Files\DivX
    2007-09-29 03:35:11 0 d-------- C:\Program Files\Soulseek
    2007-09-19 14:10:38 0 d-------- C:\Program Files\id Software
    2007-09-17 01:07:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
    2007-09-17 01:07:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
    2007-09-17 01:07:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
    2007-09-17 01:07:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
    2007-09-17 01:07:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
    2007-09-17 01:07:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
    2007-09-17 01:07:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
    2007-09-17 01:07:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
    2007-09-15 01:29:31 0 d-------- C:\Program Files\M-Audio
    2007-09-06 08:41:01 0 d-------- C:\Documents and Settings\Ronin\Application Data\Ahead
    2007-09-05 19:17:51 0 d-------- C:\Program Files\Common Files
    2007-09-05 19:17:51 0 d-------- C:\Program Files\Common Files\Logitech
    2007-09-05 19:17:45 0 d-------- C:\Program Files\Logitech
    2007-09-05 19:17:01 0 d-------- C:\Program Files\Common Files\LogiShrd
    2007-09-02 15:22:33 0 d-------- C:\Documents and Settings\Ronin\Application Data\CopyToDvd
    2007-09-02 14:56:19 0 d-------- C:\Program Files\VSO
    2007-09-01 18:04:43 0 d-------- C:\Program Files\Xvid
    2007-08-31 19:32:38 0 d-------- C:\Program Files\Vstplugins
    2007-08-31 19:32:20 0 d-------- C:\Program Files\YAMAHA
    2007-08-31 19:25:16 0 d-------- C:\Program Files\URS
    2007-08-30 22:32:32 0 d-------- C:\Program Files\Native Instruments
    2007-08-26 20:48:26 0 d-------- C:\Program Files\Common Files\Adobe
    2007-08-26 06:35:37 0 d-------- C:\Program Files\Steinberg
    2007-08-26 06:33:49 0 d-------- C:\Program Files\Syncrosoft
    2007-08-25 21:15:17 0 d-------- C:\Program Files\QuickTime
    2007-08-25 21:14:49 0 d-------- C:\Program Files\Apple Software Update
    2007-08-25 15:33:19 0 d-------- C:\Documents and Settings\Ronin\Application Data\Real
    2007-08-25 15:33:03 0 d-------- C:\Program Files\Common Files\xing shared
    2007-08-25 15:33:01 0 d-------- C:\Program Files\Common Files\Real
    2007-08-21 17:43:03 666 --a------ C:\WINDOWS\mozver.dat
    2007-08-19 19:25:42 73 --a------ C:\WINDOWS\system32\ssprs.dll
    2007-08-19 19:25:42 205 --a------ C:\WINDOWS\system32\lsprst7.dll
    2007-08-19 19:25:39 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
    2007-08-19 19:25:39 1025 --a------ C:\WINDOWS\system32\clauth2.dll
    2007-08-19 19:25:39 1025 --a------ C:\WINDOWS\system32\clauth1.dll
    2007-08-14 12:11:49 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-08-14 01:46:15 0 --a------ C:\WINDOWS\nsreg.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "RUNDLL32.exe" [08/04/2004 12:56 AM C:\WINDOWS\system32\rundll32.exe]
    "nwiz "= "nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 09:34 AM]
    "SoundMAX "= "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 07:12 AM]
    "H2O "= "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [10/23/2005 12:00 AM]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 07:26 PM]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools "= "C:\Program Files\DAEMON Tools\daemon.exe" [08/22/2007 08:06 AM]
    "NVIDIA nTune "= "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [07/03/2007 12:32 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusServiceProvider]
    C:\Program Files\ASUS\AASP\1.00.23\aaCenter.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
    C:\Program Files\ASUS\AASP\1.00.23\AsRunHelp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
    C:\WINDOWS\System32\JMRaidSetup.exe boot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
    C:\WINDOWS\JM\JMInsIDE.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
    "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
    C:\WINDOWS\system32\LVCOMSX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C3A7A05E-BB1A-B808-DE6D-E20C06564E3B}]
    C:\WINDOWS\svchost.exe



    -- End of Deckard's System Scanner: finished at 2007-10-25 17:35:56 ------------

    Thank you in advance for any help you can offer
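As an added illustration of the autorun.inf behaviour described in the post above (this is example code written for this page, not code from the thread, from Symantec, or from any tool mentioned in the logs): a small Python checker that parses an autorun.inf and reports the directives that launch a program when a drive is inserted or that redefine the drive's default Open action, which is the mechanism the poster describes. The two sample files embedded in the script are constructed for the example; the auto.exe name is taken from the post.

```python
"""Audit an autorun.inf for directives that execute code on AutoRun or
redefine the drive's default double-click (Open) action.

Added example for this thread; it is not the forum's or any vendor's tool.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the post: autorun.inf plus auto.exe on a
# removable drive, with the Open verb redirected to the executable.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell\open\Command=auto.exe
shell\open=Open
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Constructed benign sample: a label and an icon only, nothing executes.
BENIGN_AUTORUN_INF = r"""
[autorun]
icon=setup.exe,0
label=Driver CD
"""


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section with lower-cased keys.

    Duplicates are kept in file order: Windows honours the last definition,
    and an analyst wants to see every one that was written.
    """
    pairs = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def audit_autorun(text):
    """Flag every directive that runs a program or changes the default verb."""
    findings = []
    for key, value in parse_autorun(text):
        if key in ("open", "shellexecute"):
            findings.append(Finding(key, value,
                "runs %r automatically when AutoRun/AutoPlay handles the drive" % value))
        elif key == "shell\\open\\command":
            findings.append(Finding(key, value,
                "redefines the Open verb: double-clicking the drive runs %r "
                "instead of opening it in Explorer" % value))
        elif re.fullmatch(r"shell\\[^\\]+\\command", key):
            verb = key.split("\\")[1]
            findings.append(Finding(key, value,
                "adds context-menu verb %r that runs %r" % (verb, value)))
        elif key == "shell":
            findings.append(Finding(key, value,
                "makes %r the default double-click verb" % value))
    return findings


def hijacks_default_open(text):
    """True when double-clicking the drive would run a program from the file."""
    pairs = dict(parse_autorun(text))  # last definition wins, as in Windows
    if "shell\\open\\command" in pairs:
        return True
    default_verb = pairs.get("shell", "").lower()
    return bool(default_verb) and ("shell\\%s\\command" % default_verb) in pairs


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print("%s: default Open hijacked = %s" % (name, hijacks_default_open(text)))
        for f in audit_autorun(text):
            print("  %-20s = %-12s %s" % (f.key, f.value, f.reason))
```

Run against a real autorun.inf by reading the file into `audit_autorun`. Any `open`, `shellexecute` or `shell\...\command` entry pointing at an executable on a removable drive deserves a look; a legitimate driver or software CD normally needs only `icon` and `label`. The defensive habit the post arrives at, right-click and Open rather than double-click, sidesteps a redefined Open verb, and disabling AutoRun for removable drives (the `NoDriveTypeAutoRun` policy on Windows XP) stops the `open`/`shellexecute` path entirely.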
     
  2. 2007/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS JasonDax :)

    We prefer to post the logs rather than link to uploaded files, so I have edited your post above with the contents of main.txt and will add the extra.txt below. I have a few errands yet but will look through your logs and post back with something later tonight.

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Core(TM)2 Duo CPU E6850 @ 3.00GHz
    CPU 1: Intel(R) Core(TM)2 Duo CPU E6850 @ 3.00GHz
    Percentage of Memory in Use: 25%
    Physical Memory (total/avail): 2047.11 MiB / 1520.14 MiB
    Pagefile Memory (total/avail): 3939.5 MiB / 3537.24 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1939 MiB

    C: is Fixed (NTFS) - 149.05 GiB total, 100 GiB free.
    D: is Fixed (NTFS) - 48.83 GiB total, 7.32 GiB free.
    F: is Fixed (NTFS) - 298.09 GiB total, 15.85 GiB free.
    G: is CDROM (UDF)
    I: is CDROM (No Media)
    M: is Fixed (NTFS) - 62.95 GiB total, 7.8 GiB free.

    \\.\PHYSICALDRIVE0 - ST3160812AS - 149.05 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 149.05 GiB - C:

    \\.\PHYSICALDRIVE1 - WDC WD3200JS-00PDB0 - 298.09 GiB - 1 partition
    \PARTITION0 - Installable File System - 298.09 GiB - F:

    \\.\PHYSICALDRIVE2 - WDC WD12 00JB-00D SCSI Disk Device - 111.79 GiB - 2 partitions
    \PARTITION0 - Extended w/Extended Int 13 - 111.78 GiB - D: - M:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AntivirusOverride is set.
    FirewallOverride is set.

    AV: Symantec AntiVirus Corporate Edition v10.1.5.5000 (Symantec Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger "
    "C:\\Documents and Settings\\Ronin\\Desktop\\utorrent.exe "= "C:\\Documents and Settings\\Ronin\\Desktop\\utorrent.exe:*:Enabled:µTorrent "
    "C:\\Program Files\\Steam\\Steam.exe "= "C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam "
    "C:\\Program Files\\Steam\\SteamApps\\awolwabbit@hotmail.com\\team fortress 2\\hl2.exe "= "C:\\Program Files\\Steam\\SteamApps\\awolwabbit@hotmail.com\\team fortress 2\\hl2.exe:*:Enabled:hl2 "


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
    APPDATA=C:\Documents and Settings\Ronin\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=RONIN-5U0WROZZQ
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Ronin
    LOGONSERVER=\\RONIN-5U0WROZZQ
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f0b
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Ronin\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Ronin\LOCALS~1\Temp
    USERDOMAIN=RONIN-5U0WROZZQ
    USERNAME=Ronin
    USERPROFILE=C:\Documents and Settings\Ronin
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Ronin (admin)
    temp (new local, admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    --> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
    --> MsiExec.exe /X{69495273-FCDC-4A86-BCB7-49B504D3FB0E}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ableton Live v5.0.3 --> C:\PROGRA~1\Ableton\LIVE50~1.3\UNWISE.EXE C:\PROGRA~1\Ableton\LIVE50~1.3\INSTALL.LOG
    Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
    Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
    AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
    AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D= "C:\Program Files\SlySoft\AnyDVD "
    Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
    Applied Accoustics String Studio VS 1 VST DX v1.0 --> M:\PROGRA~1\AAS\STRING~1.0\UNWISE.EXE M:\PROGRA~1\AAS\STRING~1.0\INSTALL.LOG
    Applied Accoustics UltraAnalog VA-1 v1.01 --> M:\PROGRA~1\AAS\ULTRAA~1.0\UNWISE.EXE M:\PROGRA~1\AAS\ULTRAA~1.0\INSTALL.LOG
    Applied Acoustics Lounge Lizard EP VSTi DXi v3.0 --> M:\PROGRA~1\LOUNGE~1.0\UNWISE.EXE M:\PROGRA~1\LOUNGE~1.0\INSTALL.LOG
    Arturia Arp2600 V v1.0 --> M:\PROGRA~1\Arturia\ARP260~1\UNWISE.EXE M:\PROGRA~1\Arturia\ARP260~1\INSTALL.LOG
    ASUSUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
    Attansic Giga Ethernet Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F698102-5739-441E-96F0-74F4EA540F06}\setup.exe" -l0x9
    Attansic L1 Gigabit Ethernet Driver --> rundll32.exe C:\WINDOWS\System32\Attansic\L1\atcInst.dll,AtcUninst C:\WINDOWS\System32\Attansic\L1 x86 1969 1048 L1
    Audiorealism Bassline Pro v1.0.1 --> M:\PROGRA~1\VSTPLU~1\AUDIOR~1\BASSLI~1\UNINST~1\UNWISE.EXE M:\PROGRA~1\VSTPLU~1\AUDIOR~1\BASSLI~1\UNINST~1\INSTALL.LOG
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    BuzComp --> MsiExec.exe /I{8066D0CB-C217-4673-BAFA-ED420F483CE9}
    BuzComp_KeyMaker --> MsiExec.exe /I{1C53D51A-7F4F-435A-B292-A2395DFAF090}
    DiscoDSP Discovery VSTi v2.5 --> M:\PROGRA~1\VSTPLU~1\DiscoDSP\DISCOV~1\UNWISE.EXE M:\PROGRA~1\VSTPLU~1\DiscoDSP\DISCOV~1\INSTALL.LOG
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe "
    DVD2one 1.5.2 --> C:\Program Files\DVD2one\uninst.exe
    EDIROL FA-101 Driver --> C:\Program Files\EDIROL\FA-101\uninst.exe Software\EDIROL\FA-101\Setup
    Enemy Territory - QUAKE Wars(TM) Demo --> C:\Program Files\InstallShield Installation Information\{AEF04476-51FA-41F2-80F0-0AD9B026F46A}\setup.exe -runfromtemp -l0x0409
    FabFilter Timeless v1.00 VST --> M:\PROGRA~1\FABFIL~1\Timeless\UNWISE.EXE M:\PROGRA~1\FABFIL~1\Timeless\INSTALL.LOG
    GForce.Software.Minimonsta.RTAS.VSTi.v1.03-DAC --> M:\PROGRA~1\GForce\MINIMO~1\UNWISE.EXE M:\PROGRA~1\GForce\MINIMO~1\INSTALL.LOG
    GMedia Music impOSCar VSTi v1.0.0.1 --> M:\PROGRA~1\VSTPLU~1\GMEDIA~1\UNINST~1\UNWISE.EXE M:\PROGRA~1\VSTPLU~1\GMEDIA~1\UNINST~1\INSTALL.LOG
    GMediaMusic - Oddity VST2 --> C:\WINDOWS\unvise32.exe M:\Program Files\VstPlugins\GMediaMusic\Oddity VST2\uninstal.log
    Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
    Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
    Half-Life 2: Episode Two --> "C:\Program Files\Steam\steam.exe" steam://uninstall/420
    Half-Life 2: Lost Coast --> "C:\Program Files\Steam\steam.exe" steam://uninstall/340
    High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe "
    Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    JMB36X Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9 -removeonly
    LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
    Logitech QuickCam Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C43048A9-742C-4DAD-90D2-E3B53C9DB825}\setup.exe" -l0x9
    Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
    M-Audio Series II MIDI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{379BD39E-F13E-458F-96D8-56BD7F2CC516}\setup.exe" -l0x9 -removeonly
    M-Tron --> "M:\Program Files\VstPlugins\uninstall_MTron.exe "
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe "
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe "
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Mozilla Firefox (2.0.0.8) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
    Music Rescue 3.1.6 --> "C:\Program Files\Music Rescue\unins000.exe "
    MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
    Native Instruments B4 v2.0.0.7 --> M:\PROGRA~1\NATIVE~1\B4II~1\UNWISE.EXE M:\PROGRA~1\NATIVE~1\B4II~1\INSTALL.LOG
    Native Instruments Battery v2.1 --> M:\PROGRA~1\NATIVE~1\BATTER~1\UNWISE.EXE M:\PROGRA~1\NATIVE~1\BATTER~1\INSTALL.LOG
    Native Instruments Battery VSTi DXi RTAS v2.1.5 Incl Keygen Update Only --> C:\PROGRA~1\NATIVE~1\BATTER~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\BATTER~1\INSTALL.LOG
    Native Instruments Guitar Rig 2 --> M:\PROGRA~1\NATIVE~1\GUITAR~2\UNWISE.EXE M:\PROGRA~1\NATIVE~1\GUITAR~2\INSTALL.LOG
    Native.Instruments.Kontakt.v2.0.2.007 --> M:\PROGRA~1\NATIVE~1\KONTAK~1\UNWISE.EXE M:\PROGRA~1\NATIVE~1\KONTAK~1\INSTALL.LOG
    Nero PhotoShow Express --> "C:\Program Files\Nero\data\Xtras\Uninstall.exe "
    Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=" "
    NeroMIX --> C:\WINDOWS\UNNMIX.exe /UNINSTALL
    NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    NVIDIA nTune --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
    Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
    PC Probe II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
    Peggle Extreme --> "C:\Program Files\Steam\steam.exe" steam://uninstall/3483
    Portal --> "C:\Program Files\Steam\steam.exe" steam://uninstall/400
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    PSP MixPack 1.8 --> M:\PROGRA~1\PSPMIX~1.8\UNWISE.EXE M:\PROGRA~1\PSPMIX~1.8\INSTALL.LOG
    PSP VintageWarmer v1.6.5 --> M:\PROGRA~1\PSPVIN~1\UNWISE.EXE M:\PROGRA~1\PSPVIN~1\INSTALL.LOG
    QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Sonic Charge µTonic VSTi v2.0 --> M:\PROGRA~1\VSTPLU~1\SONICC~1\MICROT~1\UNWISE.EXE M:\PROGRA~1\VSTPLU~1\SONICC~1\MICROT~1\INSTALL.LOG
    Sony Noise Reduction Plug-In 2.0e --> MsiExec.exe /X{D533C9D4-ED96-4191-B9C3-279C0DD6BABA}
    Sony Sound Forge 9.0 --> MsiExec.exe /X{6842DCCB-2840-4E46-8AF3-BEA9CFF3455B}
    SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe "
    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe "
    Steinberg Cubase SX v3.1.1.944 --> C:\PROGRA~1\STEINB~1\CUBASE~1\UNWISE.EXE C:\PROGRA~1\STEINB~1\CUBASE~1\INSTALL.LOG
    Symantec AntiVirus --> MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
    Syncrosoft's License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
    SyncroSoft Emu (Remove only) --> C:\Program Files\SyncroSoft\Pos\H2O\Uninst.exe
    Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
    Tom Clancy's Rainbow Six Vegas --> C:\Program Files\InstallShield Installation Information\{5731C0A8-B266-451A-8D3F-8066AA21836F}\setup.exe -runfromtemp -l0x0009 -removeonly
    URS Everything EQ Bundle v4.0 --> M:\PROGRA~1\VSTPLU~1\URSINS~1\UNWISE.EXE M:\PROGRA~1\VSTPLU~1\URSINS~1\INSTALL.LOG
    VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
    VSO CopyToDVD 3 --> "C:\Program Files\VSO\unins000.exe "
    Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe "
    Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
    Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe "
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe "
    YAMAHA VST Plugin Vocal Rack Trial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CA280F4-B354-4167-A262-ABE8347109D2}\Setup.exe" -l0x9


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type3193 / Warning
    Event Submitted/Written: 10/25/2007 08:56:16 AM
    Event ID/Source: 6 / Symantec AntiVirus
    Event Description:
    Could not scan 2 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc6.zip due to extraction errors encountered by the Decomposer Engines.

    Event Record #/Type3192 / Warning
    Event Submitted/Written: 10/25/2007 08:56:16 AM
    Event ID/Source: 6 / Symantec AntiVirus
    Event Description:
    Could not scan 2 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc5.zip due to extraction errors encountered by the Decomposer Engines.

    Event Record #/Type3191 / Warning
    Event Submitted/Written: 10/25/2007 08:56:16 AM
    Event ID/Source: 6 / Symantec AntiVirus
    Event Description:
    Could not scan 2 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc4.zip due to extraction errors encountered by the Decomposer Engines.

    Event Record #/Type3190 / Warning
    Event Submitted/Written: 10/25/2007 08:56:16 AM
    Event ID/Source: 6 / Symantec AntiVirus
    Event Description:
    Could not scan 2 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc3.zip due to extraction errors encountered by the Decomposer Engines.

    Event Record #/Type3189 / Warning
    Event Submitted/Written: 10/25/2007 08:56:16 AM
    Event ID/Source: 6 / Symantec AntiVirus
    Event Description:
    Could not scan 2 files inside C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc2.zip due to extraction errors encountered by the Decomposer Engines.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type4330 / Error
    Event Submitted/Written: 10/25/2007 05:23:10 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%%1084" attempting to start the service EventSystem with arguments " "
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Event Record #/Type4329 / Error
    Event Submitted/Written: 10/25/2007 08:54:36 AM
    Event ID/Source: 7026 / Service Control Manager
    Event Description:
    The following boot-start or system-start driver(s) failed to load:
    AFD
    AsIO
    AVG Anti-Spyware Driver
    eeCtrl
    ElbyCDIO
    Fips
    intelppm
    IPSec
    MRxSmb
    NetBIOS
    NetBT
    RasAcd
    Rdbss
    SAVRT
    SAVRTPEL
    SPBBCDrv
    SYMTDI
    Tcpip

    Event Record #/Type4328 / Error
    Event Submitted/Written: 10/25/2007 08:54:36 AM
    Event ID/Source: 7001 / Service Control Manager
    Event Description:
    The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
    %%31

    Event Record #/Type4327 / Error
    Event Submitted/Written: 10/25/2007 08:54:36 AM
    Event ID/Source: 7001 / Service Control Manager
    Event Description:
    The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:
    %%31

    Event Record #/Type4326 / Error
    Event Submitted/Written: 10/25/2007 08:54:36 AM
    Event ID/Source: 7001 / Service Control Manager
    Event Description:
    The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
    %%31



    -- End of Deckard's System Scanner: finished at 2007-10-25 17:35:56 ------------
     


  4. 2007/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The only thing I see is a couple of leftover rogue services. Let's get those removed. Click Start>Run and paste the following command, then hit Enter.

    sc delete 1492406C

    Then do this one.

    sc delete 287200EE

    Make sure the following two files are gone.

    c:\windows\system32\c38b9b22.exe
    c:\windows\system32\bf1919b6.exe


    Run an online scan to see if there's something hidden from us.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log.
     
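    The two `sc delete` commands above clean up a pair of services whose name and ImagePath are both eight random-looking hex digits, which is the pattern this dropper leaves behind. The script below is an added worked example, not part of noahdfear's post or of any tool used in the thread: it reads a saved `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` dump (the sample dump is constructed here from the two service names and two file names given in the post, plus legitimate `Browser` and `Tcpip` entries and a made-up `Updater` entry to show the weaker "suspect" tier), flags services whose ImagePath is an 8-hex-digit .exe sitting directly in system32, and prints the `sc stop`/`sc delete` commands plus the files to confirm are gone. It changes nothing on the machine itself.

```python
"""Find leftover rogue services of the kind removed in this thread.

Input: text saved from `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`.
Indicators (taken from the post): service name of 8 hex digits, ImagePath of an
8-hex-digit .exe directly in system32. Output is a removal plan; nothing is deleted.
"""
import re
from dataclasses import dataclass, field

# Top-level service key, e.g. ...\Services\1492406C (subkeys such as Tcpip\Parameters do not match)
KEY_LINE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\s]+)\s*$", re.I)
# "    Name    REG_TYPE    data" as printed by reg query
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
HEX8_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
# Accepts C:\WINDOWS\system32\x.exe, %SystemRoot%\system32\x.exe, \??\C:\WINDOWS\system32\x.exe,
# optionally quoted and followed by arguments; x must be exactly 8 hex digits.
HEX8_IMAGE = re.compile(
    r'^"?(?:\\\?\?\\)?(?:%systemroot%\\|[a-z]:\\windows\\)?system32\\([0-9a-f]{8}\.exe)"?(?:\s.*)?$', re.I)

# Constructed sample: the two rogue services from the post, two legitimate entries,
# a subkey line, and a hypothetical "Updater" service that only matches on ImagePath.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1492406C
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\c38b9b22.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\287200EE
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\bf1919b6.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    system32\DRIVERS\tcpip.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Domain    REG_SZ    example.local

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Updater
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\deadbeef.exe
"""


@dataclass
class Service:
    name: str
    values: dict = field(default_factory=dict)

    @property
    def image_path(self) -> str:
        return self.values.get("ImagePath", "")


def parse_reg_dump(text: str) -> list:
    """Parse `reg query /s` output into Service records (top-level service keys only)."""
    services, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_LINE.match(line)
            current = Service(m.group(1)) if m else None  # None while inside a subkey
            if current:
                services.append(current)
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            current.values[m.group(1)] = m.group(3)
    return services


def find_rogue_services(reg_dump: str) -> list:
    """Return (service, dropped_file, confidence) for every service matching the indicators."""
    findings = []
    for svc in parse_reg_dump(reg_dump):
        img = HEX8_IMAGE.match(svc.image_path)
        if not img:
            continue  # svchost, drivers, normal program paths
        confidence = "rogue" if HEX8_NAME.match(svc.name) else "suspect"
        findings.append((svc.name, img.group(1).lower(), confidence))
    return findings


def removal_plan(findings: list, include_suspect: bool = False) -> dict:
    """Commands to run and files to confirm gone. sc delete of a running service
    only completes at the next reboot, hence the sc stop first."""
    commands, files = [], []
    for name, dropped, confidence in findings:
        if confidence != "rogue" and not include_suspect:
            continue
        commands += [f"sc stop {name}", f"sc delete {name}"]
        files.append(r"c:\windows\system32" + "\\" + dropped)
    return {"commands": commands, "files_to_verify": files}


if __name__ == "__main__":
    hits = find_rogue_services(SAMPLE_REG_DUMP)
    for hit in hits:
        print("%-8s  %-14s  %s" % hit)
    plan = removal_plan(hits)
    print("\n".join(plan["commands"]))
    print("confirm removed:", *plan["files_to_verify"], sep="\n  ")
```

    On the affected machine, save the dump with `reg query HKLM\SYSTEM\CurrentControlSet\Services /s > services.txt`, run the script against that file, and then check each listed file with `dir` before and after the reboot; the "suspect" tier is only a prompt to look at the file, not a reason to delete a service.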
  5. 2007/10/26
    JasonDax

    JasonDax Inactive Thread Starter

    Joined:
    2007/10/25
    Messages:
    6
    Likes Received:
    0
    Thanks noahdfear, I'll be applying your instructions as soon as I get home from work today. I'll post the Kaspersky log at that time.

    thanks again
     
  6. 2007/10/26
    JasonDax

    JasonDax Inactive Thread Starter

    Joined:
    2007/10/25
    Messages:
    6
    Likes Received:
    0
    Friday, October 26, 2007 7:22:54 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/10/2007
    Kaspersky Anti-Virus database records: 446739
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    F:\
    G:\
    I:\
    M:\
    Scan Statistics
    Total number of scanned objects 168308
    Number of viruses found 6
    Number of infected objects 74
    Number of suspicious objects 3
    Duration of the scan process 01:33:04

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00000\4FB036D1.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00001\4FB036F3.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00002\4FB036F9.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00003\4FB036FE.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00004\4FB03703.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00005\4FB03709.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00006\4FB0370F.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00007\4FB03714.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00008\4FB03719.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00009\4FB03720.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0000A\4FB03725.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0000B\4FB0372A.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0000C\4FB0372E.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0000D\4FB03733.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0000E\4FB03738.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0000F\4FB0373D.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00010\4FB03741.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00011\4FB03746.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00012\4FB0374B.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00013\4FB0374F.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00014\4FB03754.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00015\4FB03759.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00016\4FB0375D.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00017\4FB03762.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00018\4FB03767.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00019\4FB0376B.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0001A\4FB03770.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0001B\4FB03775.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0001C\4FB0377A.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0001D\4FB0377E.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0001E\4FB03783.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0001F\4FB03788.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00020\4FB0378C.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00021\4FB03791.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00022\4FB03796.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00023\4FB0379B.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00024\4FB0379F.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00025\4FB037A4.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00026\4FB037A9.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00027\4FB037AE.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00028\4FB037B2.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00029\4FB037B7.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0002A\4FB037BC.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0002B\4FB037C0.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0002C\4FB037C5.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0002D\4FB037CA.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0002E\4FB037CE.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0002F\4FB037D3.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00030\4FB037D8.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00031\4FB037DE.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00032\4FB037E2.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00033\4FB037E7.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00034\4FB037EC.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00035\4FB037F1.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00036\4FB037F5.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00037\4FB037FA.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00038\4FB037FF.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00039\4FB03804.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0003A\4FB03808.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0003B\4FB0380D.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0003C\4FB03812.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0003D\4FB03816.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0003E\4FB0381B.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB0003F\4FB03820.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00040\4FB03824.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB00041\4FB03829.VBN Infected: Trojan-PSW.Win32.OnLineGames.fju skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\r o n i n\Local Settings\Temporary Internet Files\AntiPhishing\6D68D760-5380-40B8-A88E-13A27707960C.dat Object is locked skipped
    C:\Documents and Settings\r o n i n\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\history.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\key3.db Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Ronin\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Ronin\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxx msn.com][Date Sat, 07 Jun 2003 10:09:46 +0230]/UNNAMED/movie.pif Infected: Email-Worm.Win32.Sobig.c skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxx msn.com][Date Sat, 07 Jun 2003 10:09:46 +0230]/UNNAMED Infected: Email-Worm.Win32.Sobig.c skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxxxx hotmail.com][Date Tue, 08 Jul 2003 09:09:11 +0400]/UNNAMED/your_details.zip/details.pif Infected: Email-Worm.Win32.Sobig.e skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxxxx hotmail.com][Date Tue, 08 Jul 2003 09:09:11 +0400]/UNNAMED/your_details.zip Infected: Email-Worm.Win32.Sobig.e skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxxxx hotmail.com][Date Tue, 08 Jul 2003 09:09:11 +0400]/UNNAMED Infected: Email-Worm.Win32.Sobig.e skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxxxx hotmail.com][Date Sat, 27 Mar 2004 03:39:30 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxxxx hotmail.com][Date Sat, 27 Mar 2004 03:39:30 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx/[From xxxxxxx hotmail.com][Date Sat, 27 Mar 2004 03:39:30 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 5, suspicious - 3 skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Messenger\awolwabbit@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Messenger\awolwabbit@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Messenger\awolwabbit@hotmail.com\SharingMetadata\Working\database_9CC8_D369_C8D3_3FE6\dfsr.db Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Messenger\awolwabbit@hotmail.com\SharingMetadata\Working\database_9CC8_D369_C8D3_3FE6\fsr.log Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Messenger\awolwabbit@hotmail.com\SharingMetadata\Working\database_9CC8_D369_C8D3_3FE6\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Messenger\awolwabbit@hotmail.com\SharingMetadata\Working\database_9CC8_D369_C8D3_3FE6\tmp.edb Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Windows Live Contacts\awolwabbit@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Microsoft\Windows Live Contacts\awolwabbit@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Application Data\Mozilla\Firefox\Profiles\t9qkfs2r.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Temp\~DF388D.tmp Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Temp\~DF3899.tmp Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Temp\~DF5466.tmp Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Temp\~DF5C90.tmp Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Temp\~DFBB3B.tmp Object is locked skipped
    C:\Documents and Settings\Ronin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ronin\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Ronin\ntuser.dat.LOG Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\$shtdwn$.req Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\common\eula.txt Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\common\spcustom.dll Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\common\spmsg.dll Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\common\spuninst.exe Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\common\update.exe Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\sp1\locator.exe Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\sp1\symbols\exe\locator.pdb Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\sp1\update\q810833.cat Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\sp1\update\update.inf Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\sp1\update\update.ver Object is locked skipped
    C:\ff9f6d265718e3ee6c33967c55b793e8\xpsp1hfm.exe Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0361NAV~.TMP Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0942NAV~.TMP Object is locked skipped
    C:\System Volume Information\_restore{9840FB9C-930B-447A-9D19-EB84010C4CE6}\RP1\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{0A8A1116-1957-4C7B-9609-E8CC2C822445}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 skipped
    D:\mIRC\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    Scan process completed.
     
  7. 2007/10/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Empty the Norton quarantined files and your Outlook Express deleted items folder on all 3 accounts.

    Have you had any more infection notices?


    BTW, I edited out the email addresses to help protect the accounts from spammers. ;)
     
  8. 2007/10/27
    JasonDax

    JasonDax Inactive Thread Starter

    Joined:
    2007/10/25
    Messages:
    6
    Likes Received:
    0
    Deleted the Norton quarantined files. The Outlook accounts have not been used in a long time.

    A couple of days ago Symantec found several infostealer.lemir apps trying to run. So far not in the last day.
     
  9. 2007/10/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    After looking at the Kaspersky results again, I see the infected deleted items are on 1 account ..... emails received from 3 different addresses. You can delete the deleted items.dbx file to remove the infected emails.

    C:\Documents and Settings\Ronin\Local Settings\Application Data\Identities\{E44B7A26-7401-4FAC-B878-E3BF44EB529D}\Microsoft\Outlook Express\Deleted Items.dbx

    Empty the recycle bin when done.

    Your computer appears to be clean otherwise. Let's see how it goes for a couple of days and if no more warnings from Symantec by then, we'll mark this topic resolved.
     
  10. 2007/10/27
    JasonDax

    JasonDax Inactive Thread Starter

    Joined:
    2007/10/25
    Messages:
    6
    Likes Received:
    0
    OK, sounds good. I appreciate the help, thank you. I'll be keeping watch for the next couple of days and post if anything pops up again.
     
  11. 2007/10/27
    JasonDax

    JasonDax Inactive Thread Starter

    Joined:
    2007/10/25
    Messages:
    6
    Likes Received:
    0
    I keep getting notified by Comodo that svchosts are doing something suspicious.

    Here's a log of the 3 in particular that it has marked as HIGH threat:

    Date/Time :2007-10-27 18:05:30
    Severity :High
    Reporter :Application Behavior Analysis
    Description: Suspicious Behaviour (svchost.exe)
    Application: C:\WINDOWS\system32\svchost.exe
    Parent: C:\WINDOWS\system32\services.exe
    Protocol: UDP In
    Destination: 192.168.1.100::dhcp(68)
    Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.


    Date/Time :2007-10-27 18:05:29
    Severity :High
    Reporter :Application Behavior Analysis
    Description: Suspicious Behaviour (svchost.exe)
    Application: C:\WINDOWS\system32\svchost.exe
    Parent: C:\WINDOWS\system32\services.exe
    Protocol: UDP Out
    Destination: 239.255.255.250::upnp-mcast(1900)
    Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.


    Date/Time :2007-10-27 18:05:29
    Severity :High
    Reporter :Application Behavior Analysis
    Description: Suspicious Behaviour (svchost.exe)
    Application: C:\WINDOWS\system32\svchost.exe
    Parent: C:\WINDOWS\system32\services.exe
    Protocol: UDP In
    Destination: 192.168.1.100::1033
    Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
     
  12. 2007/10/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Likely UPnP (Universal Plug and Play) searching for network printers and drives. Shouldn't be a problem whether you deny or allow.
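As an added example (not code from the thread, from Comodo, or from either poster), here is a small Python triage for alert entries in the format JasonDax pasted: it encodes noahdfear's UPnP explanation (SSDP discovery multicast to 239.255.255.250:1900), treats DHCP client traffic on UDP port 68 as expected, and additionally checks that svchost.exe is the System32 copy started by services.exe. The sample text is constructed from the posted entries plus one invented bad entry, trimmed to the fields the triage reads; the parser itself accepts the full format.

```python
import re
from ipaddress import ip_address

# Constructed sample: the UPnP entry from the post plus one invented bad entry.
SAMPLE = r"""Date/Time :2007-10-27 18:05:29
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

Date/Time :2007-10-27 18:06:00
Application: C:\WINDOWS\Temp\svchost.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 192.168.1.1::8080
"""

FIELD_RE = re.compile(r"^\s*([\w/]+)\s*:\s*(.*?)\s*$")   # "Name :value" / "Name: value"
DEST_RE = re.compile(r"^(.+?)::(?:[\w-]+\()?(\d+)\)?$")  # "ip::name(port)" or "ip::port"
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"       # where svchost.exe belongs on XP
LEGIT_PARENT = r"c:\windows\system32\services.exe"       # the process that should start it

def parse_entries(text):  # one dict per blank-line-separated Comodo entry
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif current:                       # blank line closes the entry
            entries.append(current)
            current = {}
    return entries + ([current] if current else [])

def triage(entry):  # returns (verdict, reasons); 'expected' only for the known-benign pattern
    reasons = []
    if (entry.get("Application", "").lower(), entry.get("Parent", "").lower()) != (LEGIT_SVCHOST, LEGIT_PARENT):
        reasons.append("svchost.exe is not the System32 copy started by services.exe")
    m = DEST_RE.match(entry.get("Destination", ""))
    if not m:
        reasons.append("destination could not be parsed")
    else:
        ip, port = ip_address(m.group(1)), int(m.group(2))
        if ip == ip_address("239.255.255.250") and port == 1900:
            pass                            # SSDP/UPnP discovery multicast, as in the reply
        elif port == 68 and entry.get("Protocol") == "UDP In":
            pass                            # DHCP lease traffic to this host's own address
        elif not (ip.is_private or ip.is_multicast):
            reasons.append(f"traffic to non-private address {ip}:{port}")
    return ("investigate" if reasons else "expected", reasons)
```

Running `triage` over `parse_entries(SAMPLE)` marks the posted UPnP entry as expected and the invented Temp-folder svchost as one to investigate.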
     
