Plz help me with trojan zlob.pornadvertiser.ba

M

mand1

New Member
Hello friends, plz help me., my computer has a serious problem and am not able to do anything. i get an error saying that my computer has zlob.pornadvertiser.ba virus and nothing seems to be working. the alert keeps popping. browser is closing everytime I click on anything. i got this site by logging through a different login. plz help :mad:

I saw a few responses on the site and i have got the log from hijack this. and remaining whatever was there in the post i was not able to understand.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:13 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - HKCU\..\Run: [BlazeServoTool] "D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 6014 bytes
 
grk77536

grk77536

New Member
do you have a spyware/adware blocker? I had a similar problem where a software title kept installing by itself and caused a huge memory dump.
I had to format my hdd and start over viruses suck!
 
M

mand1

New Member
i tried installing but currently no online tool is working here. i tried nod32 it did not work and i tried uniblue, even that did not show it up
 
Punk

Punk

Moderator
Staff member
Hello,


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
M

mand1

New Member
Thanks a ton for your quick solution to my problem. You were my savior today. I followed all the steps. Currently I am sending this from my login and its working, I dont know if the virus is deleted completely. But I dont have those icons on the desktop anymore. I dont even get pop ups. Does this mean that there is no more virus in my computer.

This is the report for sdfix


SDFix: Version 1.201
Run by mand on Thu 07/03/2008 at 10:40 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
SysLibrary

Path :
\??\C:\WINDOWS\system32\DefLib.sys

SysLibrary - Deleted



Restoring Default Security Values
Restoring Default Hosts File
-------

This is the log file of combifix

ComboFix 08-07-02.5 - mand 2008-07-03 22:49:14.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT 5.5:30]
Running from: C:\Documents and Settings\mand\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\mand\Desktop\BDSM galleries.URL
C:\Documents and Settings\mand\Desktop\CP illegal content.URL
C:\Documents and Settings\mand\Desktop\Uncensored porn.URL
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\igfxhk.dll
C:\WINDOWS\system32\kdvnf.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\ntload.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex3.ico
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\zlib.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SysLibrary


((((((((((((((((((((((((( Files Created from 2008-06-03 to 2008-07-03 )))))))))))))))))))))))))))))))
.

2008-07-03 22:36 . 2008-07-03 22:36 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-03 22:31 . 2008-07-04 14:46 <DIR> d-------- C:\SDFix
2008-07-03 22:26 . 2008-07-03 22:26 <DIR> d-------- C:\Documents and Settings\neel\Phone Browser
2008-07-03 22:26 . 2008-07-03 22:26 <DIR> d-------- C:\Documents and Settings\neel\Application Data\Datalayer
2008-07-03 20:46 . 2008-07-03 20:46 <DIR> d-------- C:\Documents and Settings\neel\Application Data\Apple Computer
2008-07-03 19:55 . 2008-07-03 19:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-03 16:06 . 2008-07-03 16:06 <DIR> d-------- C:\Program Files\SpyNoMore
2008-07-03 16:06 . 2008-07-03 16:06 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-03 16:05 . 2008-07-03 16:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-03 15:45 . 2008-07-03 15:45 262,144 --a------ C:\WINDOWS\system32\wscmp.dll.tmp
2008-07-03 15:41 . 2008-07-03 15:41 0 --a------ C:\WINDOWS\system32\sex3.ico.tmp
2008-07-03 15:40 . 2008-07-03 15:40 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-07-03 15:40 . 2008-07-03 15:40 0 --a------ C:\WINDOWS\system32\sex1.ico.tmp
2008-06-19 10:46 . 2008-06-19 10:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2008-06-19 10:46 . 2002-09-27 07:53 9,856 --------- C:\WINDOWS\system32\drivers\pfc.sys
2008-06-19 10:45 . 2001-12-10 17:42 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-06-19 10:45 . 2001-12-10 17:42 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-06-19 10:45 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-06-19 10:45 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-06-19 10:45 . 2001-12-10 17:42 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-06-19 10:45 . 2001-12-10 17:42 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
1998-12-08 13:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-08 13:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-08 13:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-08 13:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-08 13:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-08 13:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2007-04-27 20:16 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-27 20:16 88 --sh--r C:\WINDOWS\system32\0C448332F0.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC8A4AB-C055-461E-B4B5-1B0EA8647897}]
2007-06-03 18:20 208384 --a------ C:\WINDOWS\system32\confl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-02-08 23:06 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-02-08 23:02 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
"PCSuiteTrayApplication"="D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 08:49 217088]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-11 15:10 949376]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-13 11:51 14156800 C:\WINDOWS\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\mand\Start Menu\Programs\Startup\
REALHOUND IP Tune and Lube.LNK - C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe [2006-10-09 11:11:04 303104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Symantec Fax Starter Edition Port.lnk - D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 14:21:54 45568]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^REALHOUND IP Tune and Lube.LNK]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\REALHOUND IP Tune and Lube.LNK
backup=C:\WINDOWS\pss\REALHOUND IP Tune and Lube.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 11:25 257088 D:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 08:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 10:54:18 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-QuickPhrase - D:\Program Files\TypingMaster\quickphrase\quickphrase.exe
HKCU-Run-DLD.EXE - D:\Program Files\Download Direct\DLD.exe
HKLM-Run-C:\WINDOWS\system32\kdvnf.exe - C:\WINDOWS\system32\kdvnf.exe
MSConfigStartUp-Act! Preloader - D:\Program Files\ACT\Act for Windows\ActSage.exe
MSConfigStartUp-Act.Outlook - D:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 22:53:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 8192 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\PROGRAM FILES\CANON\CAL\CALMAIN.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
.
**************************************************************************
.
Completion time: 2008-07-03 22:54:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-03 17:24:36

Pre-Run: 4,179,795,968 bytes free
Post-Run: 4,228,128,768 bytes free

157
---------

If this is fixed can I delete the files that I had downloaded. I have 2 files in my C drive with these names- SDfix and Qoobox(dont know what this is). Please let me know if I need to delete anything else.

And once thanks a lotttttttt :)
 
Punk

Punk

Moderator
Staff member
mand1 said:
If this is fixed can I delete the files that I had downloaded. I have 2 files in my C drive with these names- SDfix and Qoobox(dont know what this is). Please let me know if I need to delete anything else.

And once thanks a lotttttttt :)
Click to expand...

We'll get rid of them when we're sure we're done.

I'm currently reading the log to make sure nothing is still on your computer.
 
M

mand1

New Member
This is the new hijack log. I also wanted to let you know that I ran Uniblue spyeraser and I found 3 spyware SearchExe Hijacker(severe) , Adware.BHO.t(high), Trojan-spy.BZub.hv(elevated). Dont know if it is related to the same problem.

Here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:18 PM, on 7/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5549 bytes
 
Punk

Punk

Moderator
Staff member
Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decide

If you wish to continue, do the following:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\sex3.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\perfc000.dat
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
 
Last edited:
M

mand1

New Member
Thanks Punk for offering to help me. I understand what you mean.

I do not do any financial transactions on my computer. The passwords would be of my e-mail addresses and of others who use this computer. I would like to format my computer. But I am not aware of how to do it and cannot take that chance with this as I am not sure if my windows xp cd is working too. The suggestion that you gave for me to contact a computer professional would be wise. But until I do that, I was just thinking if I can temporarily try your suggestions.

I am not an expert in technical field. The suggestions which you had given me till now were quite easy to follow. So plz suggest me if you think that it would be okay for us to try cleaning the machine. I would definitely try to do it for now and see if it can get fixed> if you feel its not going to be a very tough one plz let me know how to proceed.
 
adarsh

adarsh

New Member
Hi :),
Please follow Punk's earlier post to save time and attempt clearing the infection.
He has clearly mentioned that you may proceed the removal steps in case you wanted to continue with the fix.
 
M

mand1

New Member
Hi Punk, how are you

Today I followed the steps of running avenger and DSS. Here are the results

Avenger-

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\sex3.ico.tmp" deleted successfully.
File "C:\WINDOWS\system32\sex2.ico.tmp" deleted successfully.
File "C:\WINDOWS\system32\sex1.ico.tmp" deleted successfully.

Error: file "C:\WINDOWS\system32\perfc000.dat" not found!
Deletion of file "C:\WINDOWS\system32\perfc000.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

--------

Main-

Deckard's System Scanner v20071014.68
Run by mand on 2008-07-05 16:38:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2008-07-05 11:08:09 UTC - RP321 - Deckard's System Scanner Restore Point
17: 2008-07-03 09:33:16 UTC - RP320 - System Checkpoint
16: 2008-07-02 08:44:34 UTC - RP319 - System Checkpoint
15: 2008-06-30 17:12:50 UTC - RP318 - System Checkpoint
14: 2008-06-29 15:30:05 UTC - RP317 - System Checkpoint


-- First Restore Point --
1: 2008-04-17 15:18:01 UTC - RP304 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 479 MiB (512 MiB recommended).


-- HijackThis (run as mand.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:00 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mand\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mand.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5218 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 windrvNT - c:\windows\system32\windrvnt.sys
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 prfldsvc (Private Folder Service) - d:\program files\microsoft private folder 1.0\prfldsvc.exe

S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-10 16:24:18 338 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-03 22:48:01 68096 --a------ C:\WINDOWS\zip.exe
2008-07-03 22:48:01 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-03 22:48:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-03 22:48:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-03 22:48:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-03 22:48:00 80412 --a------ C:\WINDOWS\grep.exe
2008-07-03 22:48:00 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-03 22:36:42 0 d-------- C:\WINDOWS\ERUNT
2008-07-03 22:26:15 0 d-------- C:\Documents and Settings\neel\Application Data\Datalayer
2008-07-03 22:26:13 0 d-------- C:\Documents and Settings\neel\Phone Browser
2008-07-03 20:46:14 0 d-------- C:\Documents and Settings\neel\Application Data\Apple Computer
2008-07-03 19:55:39 0 d-------- C:\Program Files\Trend Micro
2008-07-03 16:06:36 1152 --a------ C:\WINDOWS\system32\windrv.sys
2008-07-03 16:05:28 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-19 10:46:17 0 d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2008-06-19 10:46:02 9856 -----n--- C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
2008-06-19 10:45:13 204800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-06-19 10:45:13 188416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-06-19 10:45:13 192512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-06-19 10:45:13 192512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-06-19 10:45:13 200704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-06-19 10:45:13 20480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-06-07 10:35:55 0 dr-h----- C:\Documents and Settings\mand\Recent


-- Find3M Report ---------------------------------------------------------------

2008-07-05 16:35:06 12 --a------ C:\WINDOWS\bthservsdp.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC8A4AB-C055-461E-B4B5-1B0EA8647897}]
06/03/2007 06:20 PM 208384 --a------ C:\WINDOWS\system32\confl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/08/2005 11:06 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/08/2005 11:02 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 05:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [04/13/2005 11:51 AM C:\WINDOWS\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [10/12/2006 03:10 AM]
"PCSuiteTrayApplication"="D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [12/13/2005 08:49 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [06/11/2007 03:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 09:41 AM]
"C:\WINDOWS\system32\kdvnf.exe"="C:\WINDOWS\system32\kdvnf.exe" []

C:\Documents and Settings\mand\Start Menu\Programs\Startup\
REALHOUND IP Tune and Lube.LNK - C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe [10/9/2006 11:11:04 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Symantec Fax Starter Edition Port.lnk - D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [12/23/1998 2:21:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mand^Start Menu^Programs^Startup^REALHOUND IP Tune and Lube.LNK]
path=C:\Documents and Settings\mand\Start Menu\Programs\Startup\REALHOUND IP Tune and Lube.LNK
backup=C:\WINDOWS\pss\REALHOUND IP Tune and Lube.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-07-05 16:39:30 ------------

Extra-

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.06GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.06GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 478.73 MiB / 98.27 MiB
Pagefile Memory (total/avail): 1426.36 MiB / 1109.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.75 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 9.76 GiB total, 3.89 GiB free.
D: is Fixed (FAT32) - 9.76 GiB total, 1.12 GiB free.
E: is Fixed (FAT32) - 9.75 GiB total, 1.59 GiB free.
F: is Fixed (FAT32) - 7.94 GiB total, 1.22 GiB free.
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 4 partitions
\PARTITION0 (bootable) - Unknown - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 27.49 GiB - D: - E: - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

UpdatesDisableNotify is set.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mand\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mand
LOGONSERVER=\\COMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intuwave\Shared\mRouterRuntime;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mand\LOCALS~1\Temp
TMP=C:\DOCUME~1\mand\LOCALS~1\Temp
USERDOMAIN=COMPUTER
USERNAME=mand
USERPROFILE=C:\Documents and Settings\mand
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mand (admin)
neel (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> d:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> MsiExec.exe /X{09959E11-AD5D-408E-96AF-E3346954D6B8}
--> MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
BlazeDVD 5.0 Professional --> "D:\Program Files\BlazeVideo\BlazeDVD 5 Professional\unins000.exe"
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "D:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
FileZilla (remove only) --> "D:\Program Files\FileZilla\uninstall.exe"
Folder Lock --> D:\Program Files\Folder Lock\Uninstall.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{3592F5CB-B524-43AA-92F2-2377268199CC}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
m-Router 3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A2092B2A-A4FB-4464-A4C0-023D2C9993F8}\Setup.exe" -l0x9
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Access 2003 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0150048383C9}
Microsoft Private Folder 1.0 --> MsiExec.exe /I{644EA08F-87D2-48C0-AE94-B327D1C85A97}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
Nokia Connectivity Cable Driver --> MsiExec.exe /X{B7757137-0A71-4A9F-8A82-1AE4A1B73420}
Nokia Multimedia Factory --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BD72E64C-F0DB-40CB-846B-611C57D8AB0C} /l2057
Nokia PC Suite --> MsiExec.exe /I{FF059F2A-62A7-4E6A-B305-559591D2769E}
Nokia Software Updater --> MsiExec.exe /X{447AC5D6-8520-4151-AECA-323C36507EFB}
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
REALHOUND IP --> D:\realhndip\Uninst_REALHOUND IP.exe /U "D:\realhndip\Uninst_REALHOUND IP.log"
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
RECIPE ORGANIZER DELUXE (S) --> MsiExec.exe /I{B5A9399E-A38F-489D-BAB5-A14EDBE55E1B}
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Skype 3.1 --> "D:\Program Files\Skype\Phone\unins000.exe"
Switch Off --> "D:\Program Files\Switch Off\uninstall.exe"
Uniblue PowerSuite --> "D:\Program Files\Uniblue\unins000.exe"
Unlocker 1.8.5 --> D:\Program Files\Unlocker\uninst.exe
VideoLAN VLC media player 0.8.5 --> D:\Program Files\VideoLAN\VLC\uninstall.exe
WinDVR --> "C:\Program Files\InstallShield Installation Information\{6BF4613C-0A46-43AA-8FA8-0CB9F2C1A548}\setup.exe" REMOVEALL
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger --> D:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U D:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
YoutubeGet 4 --> "D:\Program Files\YoutubeGet\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type14070 / Warning
Event Submitted/Written: 07/05/2008 04:34:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type14031 / Error
Event Submitted/Written: 07/03/2008 07:35:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type14030 / Error
Event Submitted/Written: 07/03/2008 07:34:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type14029 / Error
Event Submitted/Written: 07/03/2008 07:33:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2180, fault address 0x0012bd68.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type14024 / Error
Event Submitted/Written: 07/03/2008 04:12:45 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module kernel32.dll, version 5.1.2600.2180, fault address 0x0001eb33.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30768 / Warning
Event Submitted/Written: 07/03/2008 11:43:34 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type30739 / Error
Event Submitted/Written: 07/03/2008 10:45:31 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000023, parameter2 00000002, parameter3 00000000, parameter4 804fccd6.

Event Record #/Type30724 / Error
Event Submitted/Written: 07/03/2008 10:36:40 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
nod32drv
RasAcd
Rdbss
Tcpip
WS2IFSL

Event Record #/Type30723 / Error
Event Submitted/Written: 07/03/2008 10:36:40 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type30722 / Error
Event Submitted/Written: 07/03/2008 10:36:40 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-05 16:39:30 ------------

I just wanted to add 1 more query. I hope I am not troubling you too much with my questions. As soon as I switch on my computer I get a screen saying EPROM MISS. I have an external tv tuner card connected. After sometime it will start working if I try to check any connections or by itslf. But when that message is displayed I would not be able to do anything till it gets fixed. And when it works ,the whole screen monitor has the picture when I use TV. But when I change to computer mode, a very small part at the end of of the screen is not used. Is there any resolution problem. I have tried my best to explain the problem in words here. If you have any resolution, plz let me know. Thanks
 
Punk

Punk

Moderator
Staff member
Hello,
Sorry for the late reply, had graduation day :p
There is still a file I want to get rid of, then we'll start the registry cleaning and I will try to help you on your resolution problem.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\kdvnf.exe
Click to expand...



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.



Please post a fresh Hijackthis log after you've done that :)
Are you still having symptoms of the Trojan infection?
 
M

mand1

New Member
Hey Punk, you seem to be so knowledgeable that you would have had a great graduation day :)

I do not have such symptoms as I had that day. But there are a few things I would let you know that has been happening from quite a few months which I did not bother much, but I dont think it would be a trojan. When I open a link from google search , sometimes a spyware called thermicosoft opens in IE. My uniblue spyeraser detects low threat viruses of the threat type Tracking Cookie, named Double click, mediaplex.com, stat counter, tribalfusion.com and few more. These had not caused any problem til now so I had just left it.

Here is the result of avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\kdvnf.exe" not found!
Deletion of file "C:\WINDOWS\system32\kdvnf.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

--------

Here is the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:18 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5221 bytes
 
Punk

Punk

Moderator
Staff member
Ok the file was not deleted, let's try something else. I need another expert to create a combofix-script that will try to delete the file.

In the meantime, please post a Kapersky log:

Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


PS:
Hey Punk, you seem to be so knowledgeable that you would have had a great graduation day
Click to expand...

Thanks :)
 
Punk

Punk

Moderator
Staff member
Buzz1927 said:
It's already been deleted, just fix the Hijackthis entry ;)
Click to expand...

Oh ok :D

Please do the Kapersky log then this:

Open Hijackthis, this time do a system scan only

Place a checkmark next to this line:

[C:\WINDOWS\system32\kdvnf.exe] C:\WINDOWS\system32\kdvnf.exe
Click to expand...

Close all browsers and click on Fix.

Post a fresh Hijackthis log after you've done that along with Kapersky log.

:)
 
M

mand1

New Member
This found so many viruses on my computer!!!!!!! :-(
My PC is behaving the same way as I had mentioned in my last reply, that is the results of spyeraser I had mentioned. I dont see any other issues. If you meant anything particular plz let me know

Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 08, 2008 14:13:44
Records in database: 927382
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 43969
Threat name: 16
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 01:08:20


File name / Threat name / Threats count
C:\WINDOWS\system32\confl.dll//ASPack/C:\WINDOWS\system32\confl.dll//ASPack Infected: not-a-virus:AdWare.Win32.Delf.l 2
C:\WINDOWS\system32\confl.dll Infected: not-a-virus:AdWare.Win32.Delf.l 1
C:\Program Files\ESET\infected\4JAR3YDA.NQF Infected: Trojan-Downloader.Win32.Firu.b 1
C:\Program Files\ESET\infected\LLC0SFCA.NQF Infected: Trojan-Spy.Win32.Goldun.ms 1
C:\Program Files\ESET\infected\DKVJLLDA.NQF Infected: Trojan-Spy.Win32.Goldun.ms 1
C:\Program Files\ESET\infected\3RQHMZBA.NQF Infected: Trojan-Proxy.Win32.Xorpix.cs 1
C:\Program Files\ESET\infected\PQPESFDA.NQF Infected: Packed.Win32.Tibs.gu 1
C:\Program Files\ESET\infected\WS2Z12DA.NQF Infected: Trojan-Downloader.Win32.Injecter.dr 1
C:\Program Files\ESET\infected\SWL3EMAA.NQF Infected: Trojan.Win32.Agent.dkw 1
C:\Program Files\ESET\infected\AZHCV2BA.NQF Infected: Trojan.Win32.Agent.asu 1
C:\Program Files\ESET\infected\ZZPKQICA.NQF Infected: Trojan-Dropper.Win32.Small.azk 1
C:\Program Files\ESET\infected\AIC3VTAA.NQF Infected: Trojan.Win32.Pakes.brk 1
C:\Program Files\ESET\infected\03RLOHAA.NQF Infected: Trojan.Win32.Pakes.cti 1
C:\Program Files\ESET\infected\RR0AMQDA.NQF Infected: Trojan-Downloader.Win32.Cntr.ca 1
C:\Program Files\ESET\infected\GDTWT2AA.NQF Infected: Rootkit.Win32.Clbd.dc 1
C:\Program Files\ESET\infected\GBZ4LFBA.NQF Infected: Rootkit.Win32.Clbd.dc 1
C:\Program Files\REALHOUND IP Client\rhsupport.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe Infected: Trojan-Proxy.Win32.Agent.arf 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Proxy.Win32.Agent.arf 1
D:\realhndip\40.txt Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

The selected area was scanned.
------

Hi jackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:39 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5110 bytes
 
You must log in or register to reply here.
Top