Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

[Closed] computer infected, log looks clean, nod32 warns regarding NZP trojans/win32 variants
dave_t
post Jul 26 2008, 02:52 AM
Post #1

Authentic Member
Group: Authentic Member
Posts: 68
Joined: 8-August 07
Member No.: 71,972
Operating System: Windows XP

Problem started about a week ago, out of the blue. I'm not on my computer all the time and other people use it, so I'm guessing somebody pressed OK on something they shouldn't have. HJT log appears clean, NOD32 finds many, many infections, Ad-Aware and Spybot both just came up with cookies. Here are some logs.

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:46 AM, on 7/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\b2E2c4OA.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27027D-9371-47B2-A07A-1B5CC3A6F3B3}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2674 bytes

NOD32:

Time Module Object Name Threat Action User Information
7/26/2008 11:07:44 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\crdVS3lu.exe. The file was moved to quarantine. You may close this window.
7/26/2008 11:07:43 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\crdVS3lu.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/26/2008 8:34:23 AM AMON file C:\WINDOWS\SYSTEM32\B2E2C4OA.DLL Win32/Agent.NZP trojan deleted SKODA\Administrator Event occurred when attempting to access the file.
7/26/2008 8:30:00 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2KJRbO83.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/26/2008 8:29:59 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mAnjIJrc.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/26/2008 8:29:58 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\T836IK78.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/26/2008 1:23:04 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ow32sqay.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/26/2008 0:20:44 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:20:42 AM AMON file C:\WINDOWS\SYSTEM32\B2E2C4OA.DLL Win32/Agent.NZP trojan SKODA\Administrator Event occurred when attempting to access the file.
7/26/2008 0:19:42 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:19:15 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:18:30 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:18:20 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:18:11 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:17:14 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:16:06 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:14:16 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:14:11 AM AMON file C:\WINDOWS\SYSTEM32\B2E2C4OA.DLL Win32/Agent.NZP trojan SKODA\Administrator Event occurred when attempting to access the file.
7/26/2008 0:13:40 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:12:15 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:11:30 AM AMON file C:\WINDOWS\SYSTEM32\B2E2C4OA.DLL Win32/Agent.NZP trojan SKODA\Administrator Event occurred when attempting to access the file.
7/26/2008 0:10:41 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:08:35 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:08:26 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:08:12 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/26/2008 0:08:03 AM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:26:57 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:25:55 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:25:12 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:25:01 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:24:57 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:24:48 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:24:01 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:22:45 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dhlt7G40.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 23:22:07 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:21:11 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:20:47 PM AMON file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:20:03 PM AMON file C:\WINDOWS\SYSTEM32\B2E2C4OA.DLL Win32/Agent.NZP trojan SKODA\Administrator Event occurred at an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe.
7/25/2008 23:18:52 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OXL5TT4t.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 23:18:49 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gp6FKy4U.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 18:56:50 PM Kernel file C:\WINDOWS\system32\b2E2c4OA.dll Win32/Agent.NZP trojan Alert was generated during the system startup file check.
7/25/2008 18:56:46 PM Kernel file c:\windows\system32\b2e2c4oa.dll Win32/Agent.NZP trojan Alert was generated during the system startup file check.
7/25/2008 18:41:44 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pDSDcxqr.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 18:41:41 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\X2NXH0Vd.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 18:41:40 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\x3r3O8Dc.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 8:31:47 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\J06fPcGL.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 8:31:47 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\62pY5JK0.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 8:31:46 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8x5X2Voa.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/25/2008 8:31:41 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\41Tib363.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
7/25/2008 1:45:18 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\n420Hx5W.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 22:13:27 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\PuifMX81.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 20:12:37 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\P0s0uaCy.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
7/24/2008 19:33:41 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8INN4swm.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 18:16:37 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TrdsGkxm.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 18:16:37 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1I3kneg5.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 18:16:36 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AXD2ufN7.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 11:33:05 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ql60me7H.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 11:33:05 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2i28TX6G.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 11:33:04 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qdv071f3.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 11:33:04 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1t08h08Q.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/24/2008 11:33:00 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WJWVH78P.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Eset\nod32kui.exe. The file was moved to quarantine. You may close this window.
7/24/2008 0:48:59 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2bXlI557.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 23:50:32 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qxReWv0Q.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 23:49:56 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lBQxkPuU.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 18:20:19 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7M6MTDx3.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 18:20:18 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Q7AEcx05.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 13:53:21 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\61U6h3ka.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 13:15:45 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5o1I42sR.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 13:15:44 PM AMON file C:\WINDOWS\system32\7MeM5Doa.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JcaGHswS.exe. The file was moved to quarantine. You may close this window.
7/23/2008 13:15:44 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1HIeinjY.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 13:15:42 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fJkxNNu1.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 13:15:40 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8A5p5Hu3.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/23/2008 1:20:27 AM AMON file C:\WINDOWS\system32\7MeM5Doa.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TiDL3H5t.exe. The file was moved to quarantine. You may close this window.
7/22/2008 23:37:33 PM AMON file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NLW8TWP0\news[1].htm HTML/TrojanClicker.Agent.A trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 23:37:28 PM IMON file http://www.thenewsvault.com/cgi/news.pl?t=128 HTML/TrojanClicker.Agent.A trojan SKODA\Administrator
7/22/2008 23:15:12 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\N1FCIVTW.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 21:14:57 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\42ctppCV.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 19:15:30 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6B75EsEP.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\WINDOWS\system32\mmc.exe. The file was moved to quarantine. You may close this window.
7/22/2008 18:27:05 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\481UPyLc.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 18:27:04 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\k2a50G0n.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 18:27:03 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2m0N2AWm.exe probably a variant of Win32/Genetik trojan quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 11:32:28 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qd5fK17l.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 11:32:27 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2fcY712W.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 11:32:27 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qu4Q0v1v.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 11:32:24 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XLJIe60c.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 11:32:19 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wIgaLj05.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/22/2008 0:57:28 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8BlKt2cL.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 22:56:59 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\i8M3y1G2.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 20:55:36 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hucMFN8f.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 18:55:41 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\v18sQm73.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: D:\Program Files\Azureus\Azureus.exe. The file was moved to quarantine. You may close this window.
7/21/2008 16:24:09 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rw45d08o.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 15:36:30 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b43P1aOH.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Eset\nod32kui.exe. The file was moved to quarantine. You may close this window.
7/21/2008 15:31:03 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7LS674na.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: D:\Program Files\Azureus\Azureus.exe. The file was moved to quarantine. You may close this window.
7/21/2008 10:04:41 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ym60np06.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Eset\nod32kui.exe. The file was moved to quarantine. You may close this window.
7/21/2008 8:22:43 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CTd6XH0v.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 8:22:42 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\23gS2I0u.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 8:22:37 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\d7B6l4lG.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: c:\program files\internet explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/21/2008 1:52:06 AM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JcfE8csf.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window.
7/20/2008 23:51:56 PM AMON file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Spl3cayK.exe probably unknown NewHeur_PE virus quarantined - deleted SKODA\Administrator Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
7/13/2008 22:33:23 PM IMON file http://21centmedia.com/ot/a.php/1216008793....exe?affid=5919 a variant of Win32/TrojanDownloader.Firu trojan SKODA\Administrator

Wondering if maybe a format is in order finally, but would like to avoid that if possible.

Thanks for the help!
ken545
post Jul 30 2008, 11:27 AM
Post #2


SuperHelper

Group: Malware Expert
Posts: 7,789
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP2/ Vista Home Premium





Hello Dave

Welcome to the Whatthetech Malware Removal Forum. Sorry for the delay in responding, but with the amount of people posting with infected computers there are not enough hours in the day.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\b2E2c4OA.dll (file missing)




Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.





Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget to do this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
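As an added example, not from this thread or from HijackThis itself, here is a small Python triage script that parses HijackThis entries like the ones posted above and flags the two signals used to pick the entry to fix: a BHO (O2) still registered to a file that is missing, and an 8-character mixed-case random file name sitting in system32 or a Temp folder. The random-name heuristic, the flag names and the sample lines (copied from this thread's logs and embedded inline) are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One HijackThis line: "O2 - BHO: name - {CLSID} - path (file missing)"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a PE image; spaces inside the path are allowed
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# Assumed heuristic: an 8-character base name mixing upper, lower and digits
# (b2E2c4OA.dll, ofD8pA7E.dll) in a system or temp directory is worth a look
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8}$")
SYSTEM_DIR_HINTS = ("\\system32", "\\temp")


@dataclass
class Entry:
    kind: str                 # "O2", "O4", "O23", ...
    body: str                 # text after "On - "
    clsid: Optional[str]
    path: Optional[str]
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis Rn/On lines into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(
            kind=m.group("kind"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            path=path.group(0) if path else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach flags to each entry and return only those that earned at least one."""
    flagged: List[Entry] = []
    for e in entries:
        e.flags = []
        if e.kind == "O2" and e.file_missing:
            # A BHO whose DLL is gone is still registered and still gets loaded by IE
            e.flags.append("bho-file-missing")
        elif e.file_missing:
            # Leftover of an uninstalled program; harmless but worth cleaning
            e.flags.append("stale-entry")
        if e.path:
            directory, _, name = e.path.rpartition("\\")
            stem = name.rsplit(".", 1)[0]
            in_system_dir = any(h in directory.lower() for h in SYSTEM_DIR_HINTS)
            if RANDOM_STEM_RE.match(stem) and in_system_dir:
                e.flags.append("random-name-in-system-dir")
        if e.flags:
            flagged.append(e)
    return flagged


# Constructed sample: lines taken from the HijackThis logs posted in this thread
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\b2E2c4OA.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{e.kind:<4} {', '.join(e.flags):<40} {e.path}")
```

Run stand-alone it prints only the "solution Class" BHO and the stale PartyPoker button; the Java helper, the NOD32 entries and the Winsock LSP line produce no flags.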
dave_t
post Jul 30 2008, 11:52 AM
Post #3


Authentic Member

Group: Authentic Member
Posts: 68
Joined: 8-August 07
Member No.: 71,972
Operating System: Windows xp



Hi Ken, thanks for the help. Here are the new logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:45 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\Administrator\Desktop\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27027D-9371-47B2-A07A-1B5CC3A6F3B3}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2507 bytes

-----------------------------------------------------

Malwarebytes' Anti-Malware 1.23
Database version: 1008
Windows 5.1.2600 Service Pack 2

8:07:55 PM 7/30/2008
mbam-log-7-30-2008 (20-07-55).txt

Scan type: Quick Scan
Objects scanned: 42757
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mrdt.log (Malware.Trace) -> Quarantined and deleted successfully.

--------------------------------------------------------

Thanks again.
ken545
post Jul 30 2008, 12:01 PM
Post #4


SuperHelper

Group: Malware Expert
Posts: 7,789
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win Xp Home SP2/ Vista Home Premium





Hi Dave,

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
dave_t
post Aug 1 2008, 03:50 AM
Post #5


Authentic Member

Group: Authentic Member
Posts: 68
Joined: 8-August 07
Member No.: 71,972
Operating System: Windows xp



Hi Ken, here are the logs from DSS.exe, thanks again for the help!

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-01 12:06:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-08-01 10:06:30 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:16 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\Desktop\spyware\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\b2E2c4OA.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27027D-9371-47B2-A07A-1B5CC3A6F3B3}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2614 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\Desktop\spyware\backups\) ----

backup-20070915-144113-201 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
backup-20070915-144113-543 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
backup-20070915-144113-688 O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\ofD8pA7E.dll
backup-20070915-144129-531 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071004-081048-786 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
backup-20071004-081048-807 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
backup-20071007-194117-471 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071124-160406-416 O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
backup-20071124-160406-833 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20071124-160406-950 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20071124-160407-369 O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
backup-20071124-160407-379 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
backup-20071124-160407-524 O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
backup-20071124-160407-598 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20080106-170659-154 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20080228-154059-926 O2 - BHO: Gamburg provider - {0CA10898-7F98-4709-A479-B8134AB3D9F3} - bnsock.dll (file missing)
backup-20080309-120232-533 O4 - HKLM\..\Run: [JulaPan] JulaPan.Exe
backup-20080730-195825-586 O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\b2E2c4OA.dll

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "D:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 ipgd (IC Plus IP1000 Family Gigabit Ethernet Adapter Driver) - c:\windows\system32\drivers\ipgdnd51.sys <Not Verified; IC Plus Corp.; IC Plus IP1000 Family Gigabit Ethernet Adapter>
R3 vsbus (Virtual Serial Bus Enumerator) - c:\windows\system32\drivers\vsb.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Bus>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 atinrvxx (ATI WDM Rage Theater Video) - c:\windows\system32\drivers\atinrvxx.sys <Not Verified; ATI Technologies Inc.; ATI WDM RT>
S3 btaudio (Bluetooth Audio Device) - c:\windows\system32\drivers\btaudio.sys (file missing)
S3 BTDriver (Bluetooth Virtual Communications Driver) - c:\windows\system32\drivers\btport.sys (file missing)
S3 btwhid - c:\windows\system32\drivers\btwhid.sys (file missing)
S3 BTWUSB (WIDCOMM USB Bluetooth Driver) - c:\windows\system32\drivers\btwusb.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 Ip6Fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 JULA_01 (Service for Juli@ 1) - c:\windows\system32\drivers\julawdm.sys
S3 JULA_AA (Service for Juli@ Audio Driver (EWDM)) - c:\windows\system32\drivers\jula.sys
S3 MA_CMIDI (%EVOL_USB.SvcDesc%) - c:\windows\system32\drivers\ma_cmidi.sys (file missing)
S3 MPE (BDA MPE Filter) - c:\windows\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 MVDCODEC (ATI WDM Specialized MVD Codec) - c:\windows\system32\drivers\atinmdxx.sys <Not Verified; ATI Technologies Inc.; ATI Specialized MVD VBI Codec>
S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 vserial (ELTIMA Virtual Serial Ports Driver) - c:\windows\system32\drivers\vserial.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Ports>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

S3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 ATMsrvc (ATM Service) - c:\windows\system32\atmsrvc.exe <Not Verified; Adobe Systems Incorporated; Adobe Type Manager>
S4 DCPFLICS - c:\program files\dcpflics\dcpflics.exe (file missing)
S4 LBTServ (Logitech Bluetooth Service) - c:\program files\common files\logitech\bluetooth\lbtserv.exe (file missing)
S4 mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "d:\program files\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-01 12:03:23 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-08-01 12:00:01 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-08-01 11:03:13 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-08-01 11:00:01 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-08-01 10:03:23 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-08-01 10:00:01 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-08-01 09:03:14 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-08-01 09:00:01 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-08-01 08:03:13 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-08-01 08:00:01 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-08-01 07:03:23 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-08-01 07:00:01 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-08-01 06:03:13 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-08-01 06:00:01 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-08-01 05:03:23 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-08-01 05:00:01 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-08-01 04:03:12 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-08-01 04:00:01 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-08-01 03:03:12 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-08-01 03:00:01 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-08-01 02:03:13 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-08-01 02:00:01 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-08-01 01:03:23 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-08-01 01:00:01 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-08-01 00:34:01 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-08-01 00:10:23 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-07-31 23:30:14 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-07-31 23:00:01 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-07-31 22:01:16 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-07-31 22:00:10 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-07-31 22:00:01 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-07-31 21:00:01 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-07-31 20:31:24 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-07-31 20:00:01 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-07-31 19:03:13 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-07-31 19:00:01 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-07-31 18:03:13 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-07-31 18:00:01 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-07-31 17:03:23 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-07-31 17:00:01 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-07-31 16:03:13 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-07-31 16:00:01 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-07-31 15:03:23 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-07-31 15:00:01 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-07-31 14:03:13 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-07-31 14:00:01 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-07-31 13:03:13 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-07-31 13:00:01 350 --a------ C:\WINDOWS\Tasks\At14.job


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-07-30 06:00:28 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia <MACROM~1>
2008-07-28 12:19:13 29184 --a------ C:\WINDOWS\system32\b2E2c4OA.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-07-28 02:00:23 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-28 02:00:13 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-28 01:17:00 35842 --a------ C:\WINDOWS\system32\7MeM5Doa.exe
2008-07-20 23:33:01 29760 --a------ C:\WINDOWS\system32\3tWBhKcG.exe
2008-07-20 11:38:08 0 d-a------ C:\xampplite
2008-07-13 22:34:12 0 --a------ C:\jfidoj.exe
2008-07-12 14:14:17 0 d-------- C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021
2008-07-12 14:14:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-07-12 14:14:06 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2008-07-12 14:14:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch


-- Find3M Report ---------------------------------------------------------------

2008-07-27 23:30:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\bibble
2008-07-23 18:19:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-07-19 15:13:54 0 d-------- C:\Program Files\PartyGaming
2008-07-12 14:14:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-23 21:28:59 0 d-------- C:\Program Files\Canon
2008-06-23 21:04:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX
2008-06-23 21:01:23 0 d-------- C:\Program Files\Common Files\Canon
2008-06-23 21:01:10 0 d-------- C:\Program Files\Common Files
2008-06-23 20:47:00 0 d-------- C:\Program Files\Common Files\Bibble Labs
2008-06-23 20:46:08 52032 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-23 20:41:01 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
07/31/2008 03:13 PM 29184 --a------ C:\WINDOWS\system32\b2E2c4OA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [11/24/2007 04:39 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^HDD temperature.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\HDD temperature.lnk
backup=C:\WINDOWS\pss\HDD temperature.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^m-trip Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\m-trip Launcher.lnk
backup=C:\WINDOWS\pss\m-trip Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msn_0802_upd181826.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msn_0802_upd181826.exe
backup=C:\WINDOWS\pss\msn_0802_upd181826.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase 11.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase 11.0.lnk
backup=C:\WINDOWS\pss\Suitcase 11.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuru]
; d:\Program Files\ABIT\ABIT uGuru\uGuru.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
; "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
; "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
; "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
; "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
; "D:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
; "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GuruClock]
; d:\Program Files\ABIT\ABIT uGuru\GuruClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
; C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDDHealth]
; d:\Program Files\HDD Health\hddhealth.exe -wl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JulaPan]
; JulaPan.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
; KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows System Kernel]
; kernel32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
; C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
; D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
; SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
; "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
; "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PDSched"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-08-01 12:08:48 ------------

-----------------------------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 2046.48 MiB / 712.98 MiB
Pagefile Memory (total/avail): 1892.59 MiB / 763.91 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.48 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.56 GiB total, 8.96 GiB free.
D: is Fixed (NTFS) - 95.93 GiB total, 92.58 GiB free.
E: is Fixed (NTFS) - 149.05 GiB total, 42.68 GiB free.
F: is Fixed (NTFS) - 279.47 GiB total, 0.16 GiB free.
G: is CDROM (CDFS)
H: is Removable (No Media)
I: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6L300R0 - 279.47 GiB - 1 partition
\PARTITION0 - Installable File System - 279.47 GiB - F:

\\.\PHYSICALDRIVE1 - Maxtor 6Y120L0 - 114.49 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 18.56 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 95.93 GiB - D:

\\.\PHYSICALDRIVE2 - - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - E:

\\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Panda Titanium 2006 Personal Firewall v5.01.00 (Panda Software) Disabled
AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\\Program Files\\Next Limit\\Maxwell\\mxcl.exe"="D:\\Program Files\\Next Limit\\Maxwell\\mxcl.exe:*:Enabled:mxcl"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SKODA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\SKODA
MAXWELL_ROOT=D:\Program Files\Next Limit\Maxwell\
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRAM FILES\COMMON FILES\ADOBE\AGL;C:\PROGRAM FILES\COMMON FILES\AUTODESK SHARED;C:\PROGRAM FILES\BACKBURNER 2;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;D:\Program Files\Next Limit\Maxwell\;D:\Program Files\Next Limit\RealFlow3\;D:\Program Files\Next Limit\RealFlow4\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
RF4PATH=D:\Program Files\Next Limit\RealFlow4\
RFPATH=D:\Program Files\Next Limit\RealFlow3\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=SKODA
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> D:\Program Files\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe InDesign CS2 --> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{47813E93-F2A0-484A-838E-47EC1B28D190}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Manager Deluxe 4.1 --> C:\WINDOWS\uninst.exe -f"d:\Program Files\Adobe Type Manager\DeIsL1.isu" -c"d:\Program Files\Adobe Type Manager\UNINST.DLL"
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Attack 1.2.1 --> C:\WINDOWS\iun6002.exe "D:\Program Files\Steinberg\Cubase SX 3\Vstplugins\Waldorf\irunin.ini"
AutoCAD 2006 - English --> MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
Autodesk 3ds Max 8 --> MsiExec.exe /I{DBB313D6-4B13-4961-BD5F-673CDA1793CC}
Autodesk 3ds Max 8 - Pro Booleans Extension --> MsiExec.exe /I{EDF570A9-A152-4F77-8D44-87198C3B590C}
Autodesk 3ds Max 8 Additional Maps and Materials --> MsiExec.exe /I{59D070F5-CCE6-418B-84A3-CCA63D75ED8A}
Autodesk 3ds Max 8 Architectural Materials --> MsiExec.exe /I{28FDF917-8750-4A54-9E05-D7798E699B47}
Autodesk 3ds Max 8 Reference Files --> MsiExec.exe /I{73C935A7-36C6-48B5-A32E-FD5BD96FD25C}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Azureus --> d:\Program Files\Azureus\Uninstall.exe
Bibble Pro --> C:\WINDOWS\unvise32.exe d:\Program Files\Bibble Labs\Prouninstal.log
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.4.0.0\Uninst.exe" "d:\Program Files\Canon\EOS Utility\Uninst.ini"
Cartes du Ciel --> "d:\Program Files\Ciel\Uninstall.exe" "d:\Program Files\Ciel\install.log"
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Color Schemer Studio --> "d:\Program Files\Color Schemer Studio\unins000.exe"
DivX Web Player --> d:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Region+CSS Free 5.9.7.5 --> "d:\Program Files\DVD Region+CSS Free\unins000.exe"
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Extensis Suitcase 11.0.1 --> MsiExec.exe /X{7451C9B5-3E10-4E59-AD37-AB7438D84288}
Filter Forge 1.010 --> "d:\Program Files\Filter Forge\unins000.exe"
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Heavenly-Opportunity --> C:\WINDOWS\st6unst.exe -n "D:\Program Files\HeavenlyOpportunity\ST6UNST.LOG"
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\spyware\HijackThis.exe" /uninstall
Inkscape 0.45 --> "d:\Program Files\Inkscape\uninst.exe"
Ipswitch WS_FTP Professional 2007 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}\setup.exe" -l0x9 -removeonly
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
K-Lite Codec Pack 2.88 Standard --> "d:\Program Files\K-Lite Codec Pack\unins000.exe"
KhalSetup --> MsiExec.exe /I{C89C8D86-4423-4A58-AA40-DD259ACE07C1}
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
MainType 2.1.1 --> "d:\Program Files\High-Logic\MainType\unins000.exe"
Malwarebytes' Anti-Malware --> "d:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maxwell Render --> MsiExec.exe /I{EEB97B65-667A-4D76-ABD4-441FB30D5CE6}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC --> "D:\Program Files\mIRC\mirc.exe" -unin