autorun.inf virus...cant remove it..help...pls...

OK, last night I copied some files from my friend's USB to my PC, and after that my Avast antivirus detected a virus "autorun.inf" in both C: and D: drives, so I deleted it, but after 5~7 seconds it pops out again asking the same thing, and I can't get rid of that; it only stops popping out when I stop Avast. Can anyone help me with this problem? Please, I'll appreciate it. Thx

PS: OK, I went to Run, then I typed "cmd"; a dark background window popped out and I typed "D:" to search for the virus "autorun.inf", and it says in the Notepad:
[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdeIect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdeIect.com

I can't find the "autorun.inf" in my C: drive because every time I type "C:" in the dark background window it shows: "C:/Documents and Settings/user>"; I can't access just the "C:".

OK, so I used the Bitdefender online scanner to scan and it seems everything is alright for now. I scanned again with Avast for my C and D drives and it appears to not show the virus "autorun.inf" anymore. Hope so. Anyway, thx.

I don't think autorun.inf is a virus; it just got infected with a virus. If you deleted that file, then when you insert a CD or a pen drive it wouldn't autorun anymore.

True, it is not a virus; however, it will initiate the virus/malware every time that drive is accessed.

we discussed it many times… autorun.inf itself isn’t a virus, but is used as a virus dropper sometimes and our users want to detect also these droppers…

But can you help us fix it? I've got the same problem here. When I insert a CD or a USB pendrive it does not autorun anymore. It used to, until ComboFix deleted some files which I don't remember. After that, autorun does not work no matter what I insert.

you can restore your autoruns on specified drives through PowerTweak XP / TweakUI… you can find it on MS site… :wink:

Hi jase,

Here is the fix for the USB stick: http://www.softpedia.com/get/System/System-Miscellaneous/APO-USB-Autorun.shtml well only if autorun can be found, else to create a new one use Autorun CD Assistant freeware, the download is from here:
http://www.snapfiles.com/php/download.php?id=108261&a=7122851&tag=1222458&loc=2

polonus

Could you please tell me where i should save the downloaded file to?

Hi jase,

A five-step wizard to securely create the Autorun CD files in the chosen directory where the rest of the CD-to-burn files are.

The aim of this application's existence is to help PC users with no or little experience to safely create the files with the appropriate commands when they decide to create an Autorun CD with their data.
The application is a five-step wizard that checks and guides the user at every step to see whether they made the correct selections, and if they didn't, it suggests or stops the procedure.
Certainly the Autorun.inf file, which is responsible for starting a CD as it is being inserted in the CD-ROM, can be made with fewer elements, but the intention is to ensure that an amateur will create a professional result. It also gives the opportunity to bypass the 8.3 file name restriction for Hypertext files, by using the GreenSpring engine.
So collect all the files you want to be included in your CD in a directory and start the wizard from the Step 1 button. Don't worry if the Startup Application (or file) and the desired Icon are somewhere else on your HD; Autorun CD Assistant will fix it for you.
Autorun CD Assistant now supports ALL KINDS of files to Autorun a CD.

pol

I thought Windows XP SP2 had a default autorun.inf. Even after I tried to repair Windows with my Windows CD it failed to autorun. Also I noticed something in the autorun.inf…

[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdelect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdelect.com

Line 2: says open=ntdelect.com.

Now my computer does not have this ntdelect.com. I tried a search for it in C: but nothing came up. I think ntdelect.com is a virus or something. Previously in my other thread I had mentioned kavo.exe and Avast didn't detect it. I suppose you have followed that thread also.

this is one of the sites that talks about kavo.

http://www.filination.com/tech/2007/11/29/kill-kavo-the-ntdelect-worm-trojan-removal-tool-patch/

double post

Yes that is an “infected” autorun file, so it’s not any good to you.

It is set to run ntdelect.com, which may or may not have infected files in, or it will run an infected file.

open = ntdelect.com

This will happen when a usb device is inserted, or the right click open, or explore is used.

shell\open\Command=ntdelect.com

shell\explore\Command=ntdelect.com

I think you asked about this before and I suggested you check each MountPoints2 entry in the registry. The commands for what actions are done when a device is inserted are stored there. If it has the infected command in it, that's what it will do.

If the MountPoints2 entry is empty, Windows should ask you what you want to do and remember your choices.

Back to what is happening now. ComboFix probably removed ntdelect.com. This file probably contained commands to open your drive and inject another version of kavo. Without this file, there is a break in the file process.

i.e. device is inserted, commands from mountpoint issued, commands from ntdelect.com run

With the file gone it goes kinda like this:

device is inserted, commands from mountpoint issued…and there it sits

have a look at this post

http://forum.avast.com/index.php?topic=31671.msg264414#msg264414

and

http://forum.avast.com/index.php?topic=31671.msg264493#msg264493

They're both from the same thread and you will see what I'm trying to explain.
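As an added example (not code from the thread or from any tool named in it), here is a small Python checker that reads an autorun.inf the way oldman describes it: lines starting with ';' are comments and do nothing, open= names the file run when the drive is inserted, and shell\open\Command= / shell\explore\Command= redirect Explorer's double-click and right-click Explore actions. It also flags a capital I between lower-case letters, the spelling seen in the first quoted file (ntdeIect.com), which hides a different file name behind a look-alike. Both sample files and all function names are constructed for this example; the first sample mirrors the file quoted in the thread.

```python
import re
from typing import Dict, List, Set

# Constructed sample: mirrors the autorun.inf quoted in this thread.
INFECTED_AUTORUN = r"""[AutoRun]
open=ntdelect.com
;shell\open=Open(&O)
shell\open\Command=ntdeIect.com
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=ntdeIect.com
"""

# Constructed sample: what a vendor's install CD typically ships.
BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
"""

# Explorer verbs whose redirection oldman describes: double-click (open)
# and the right-click "Explore" action.
EXPLORER_VERBS = {"open", "explore"}

# Matches a lower-cased shell\<verb>\command key.
VERB_COMMAND = re.compile(r"shell\\([^\\]+)\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: value} for the [autorun] section.

    Comment lines (';') are skipped, so the two commented shell lines in the
    quoted file change nothing. Keys are lower-cased because INI keys are
    case-insensitive; values are kept exactly as written.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> Dict[str, str]:
    """Keys that make Windows start a program: open, shellexecute, shell\\<verb>\\command."""
    return {
        k: v
        for k, v in entries.items()
        if k in ("open", "shellexecute") or VERB_COMMAND.fullmatch(k)
    }


def overridden_verbs(entries: Dict[str, str]) -> Set[str]:
    """Explorer verbs (open/explore) that the file redirects to its own command."""
    verbs: Set[str] = set()
    for key in entries:
        m = VERB_COMMAND.fullmatch(key)
        if m and m.group(1) in EXPLORER_VERBS:
            verbs.add(m.group(1))
    return verbs


def has_capital_i_lookalike(name: str) -> bool:
    """True for a capital 'I' between lower-case letters, e.g. 'ntdeIect.com'."""
    return re.search(r"[a-z]I[a-z]", name) is not None


def assess(text: str) -> Dict[str, object]:
    """Summarise what the file would run and why a defender should care."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons: List[str] = []
    for verb in sorted(overridden_verbs(entries)):
        cmd = entries[f"shell\\{verb}\\command"]
        reasons.append(f"Explorer '{verb}' action redirected to {cmd}")
    for key, cmd in sorted(targets.items()):
        if has_capital_i_lookalike(cmd):
            reasons.append(f"{key} names a look-alike file {cmd}")
    return {
        "targets": targets,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "ok",
    }


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_AUTORUN), ("benign", BENIGN_AUTORUN)):
        result = assess(sample)
        print(f"{label}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The benign CD file also runs an executable on insertion, so the verdict rests on the redirected Explorer verbs and the look-alike name rather than on open= alone.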

Hi oldman, You see, actually I am really bad at reading registries. I honestly don’t know what you are talking about. If you could please explain to me more clearly and specifically then I might be able to check it and post it here.

But I did create a back up of my registry and if you want I could send it to you and if there is someway for you to check it.

Thanks
jase

Actually, if you download and run this program we can see the MountPoints2 entries and determine if they are the cause.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
1. Close all other windows before proceeding.
2. Double-click on dss.exe and follow the prompts.
3. When it has finished, DSS will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt.

An extra.txt will also be produced, but don’t worry about posting it.

Hi oldman, below is the DSS scan report…

Deckard's System Scanner v20071014.68
Run by jase on 2007-12-21 02:59:35
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

-- Last 5 Restore Point(s) --
6: 2007-12-20 21:29:42 UTC - RP6 - Deckard’s System Scanner Restore Point
5: 2007-12-19 22:19:51 UTC - RP5 - Installed SUPERAntiSpyware Free Edition
4: 2007-12-19 13:58:57 UTC - RP4 - Installed AVG 7.5
3: 2007-12-19 13:54:42 UTC - RP3 - Installed AVG 7.5
2: 2007-12-19 13:54:06 UTC - RP2 - Removed AVG 7.5

-- First Restore Point --
1: 2007-12-19 13:34:03 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as jase.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:38 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\jase\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jase.exe

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://jumboplay.bluehyppo.com/class/DragonbackCtl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS3\Services\Tcpip\..\{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 6165 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups) -----------

backup-20071216-023757-974 O2 - BHO: (no name) - -{9828DDAB-2B7A-4626-885A-5579EA690FEB} - (no file)
backup-20071216-024238-833 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll
backup-20071216-024515-830 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll
backup-20071216-032333-787 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll
backup-20071216-033203-223 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll
backup-20071216-033328-126 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll
backup-20071217-045013-479 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071217-045102-340 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071217-045102-560 O2 - BHO: (no name) - -{9828DDAB-2B7A-4626-885A-5579EA690FEB} - (no file)
backup-20071217-045318-816 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071217-050009-590 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071217-134355-863 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071217-134355-878 O2 - BHO: (no name) - -{9828DDAB-2B7A-4626-885A-5579EA690FEB} - (no file)
backup-20071217-134436-461 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071217-134552-875 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071218-033610-469 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)
backup-20071218-050122-309 O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 mzcxlbyk - c:\windows\system32\drivers\ewjppfle.dat
R1 uzi4odg5 (AVZ-RK Kernel Driver) - c:\windows\system32\drivers\uzi4odg5.sys <Not Verified; ; AVZ Monitoring Driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\jase\locals~1\temp\catchme.sys (file missing)
S3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\rtl8139.sys (file missing)
S3 ss_bus (Samsung Mobile USB Device 1.0 driver (WDM)) - c:\windows\system32\drivers\ss_bus.sys <Not Verified; MCCI; Samsung Mobile USB Device 1.0>
S3 ss_mdfl (SAMSUNG Mobile USB Modem 1.0 Filter) - c:\windows\system32\drivers\ss_mdfl.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0 Filter>
S3 ss_mdm (SAMSUNG Mobile USB Modem 1.0 Drivers) - c:\windows\system32\drivers\ss_mdm.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PC Camera
Device ID: USB\VID_0AC8&PID_303B\5&34EA2A24&0&2
Manufacturer:
Name: PC Camera
PNP Device ID: USB\VID_0AC8&PID_303B\5&34EA2A24&0&2
Service:

-- Files created between 2007-11-21 and 2007-12-21 -----------------------------

2007-12-21 02:18:51 0 d-------- C:\WINDOWS\system32\appmgmt
2007-12-20 03:50:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-20 03:49:52 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-20 03:49:52 0 d-------- C:\Documents and Settings\jase\Application Data\SUPERAntiSpyware.com
2007-12-20 03:49:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-20 03:01:42 1757216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 02:58:33 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-20 02:58:24 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-20 02:58:17 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT™ Operating System>
2007-12-20 02:57:43 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-20 02:54:11 0 d-------- C:\WINDOWS\Internet Logs
2007-12-20 01:23:05 0 dr-h----- C:\Documents and Settings\jase\Recent
2007-12-20 00:01:37 0 d-------- C:\WINDOWS\msapps
2007-12-19 19:14:28 0 d-------- C:\bin
2007-12-19 19:02:02 0 d-------- C:\WINDOWS\Prefetch
2007-12-19 01:30:26 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-19 01:30:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-18 04:02:17 0 d-------- C:\WINDOWS\system32\bfubackups
2007-12-17 19:23:57 0 d-------- C:\Program Files\Common Files\L&H
2007-12-17 19:23:28 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-17 19:22:36 0 d-------- C:\Program Files\Microsoft Works
2007-12-17 19:21:59 0 d--h----- C:\WINDOWS\ShellNew
2007-12-17 19:21:47 0 d-------- C:\Program Files\Microsoft.NET
2007-12-17 19:13:30 0 dr-h----- C:\MSOCache
2007-12-17 04:19:24 11264 --a------ C:\WINDOWS\system32\drivers\uzi4odg5.sys <Not Verified; ; AVZ Monitoring Driver>
2007-12-16 02:33:03 0 d-------- C:\Program Files\Trend Micro
2007-12-15 01:43:49 0 d-------- C:\Documents and Settings\jase\.housecall6.6
2007-12-15 01:42:27 0 d-------- C:\WINDOWS\Sun
2007-12-15 01:42:27 0 d-------- C:\Documents and Settings\jase\Application Data\Sun
2007-12-14 04:19:58 0 dr-h----- C:\$VAULT$.AVG
2007-12-14 04:16:23 0 d-------- C:\Documents and Settings\jase\Application Data\AVG7
2007-12-14 04:16:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-14 04:15:56 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-14 03:01:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-13 02:44:59 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-13 01:46:14 19456 --a------ C:\WINDOWS\system32\drivers\ewjppfle.dat
2007-12-12 02:23:51 56320 --a------ C:\WINDOWS\system32\iyvu9_32.dll
2007-12-12 02:23:51 136704 --a------ C:\WINDOWS\system32\iacenc.dll <Not Verified; Ligos Corporation; Indeo® Audio Software>

2007-12-12 02:23:49 0 d-------- C:\Program Files\Ligos
2007-12-12 02:22:22 255 --a------ C:\WINDOWS\PowerReg.dat
2007-12-10 03:34:19 0 d-------- C:\Program Files\CCleaner
2007-12-10 02:56:48 70 --a------ C:\WINDOWS\GPlrLanc.dat
2007-12-10 02:56:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Exetender
2007-12-04 01:32:02 84512 -ra------ C:\WINDOWS\system32\drivers\ss_mdm.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0>
2007-12-04 01:32:02 6064 -ra------ C:\WINDOWS\system32\drivers\ss_mdfl.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0 Filter>
2007-12-04 01:32:02 6080 -ra------ C:\WINDOWS\system32\drivers\ss_cmnt.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0>
2007-12-04 01:32:02 6080 -ra------ C:\WINDOWS\system32\drivers\ss_cm.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0>
2007-12-04 01:31:42 5744 -ra------ C:\WINDOWS\system32\drivers\ss_whnt.sys <Not Verified; MCCI; Samsung Mobile USB Device 1.0>
2007-12-04 01:31:42 5744 -ra------ C:\WINDOWS\system32\drivers\ss_wh.sys <Not Verified; MCCI; Samsung Mobile USB Device 1.0>
2007-12-04 01:31:42 52384 -ra------ C:\WINDOWS\system32\drivers\ss_bus.sys <Not Verified; MCCI; Samsung Mobile USB Device 1.0>
2007-12-04 01:28:54 0 d-------- C:\Program Files\Samsung
2007-12-03 19:20:12 0 d-------- C:\Documents and Settings\jase\Shared
2007-12-03 19:20:00 0 d-------- C:\Documents and Settings\jase\Incomplete
2007-12-03 18:23:24 0 d-------- C:\Program Files\Java
2007-12-03 18:09:54 0 d-------- C:\Program Files\Common Files\Java
2007-12-03 18:09:03 0 d-------- C:\Program Files\LimeWire
2007-12-03 18:03:08 0 d-------- C:\Documents and Settings\jase\.limewire
2007-11-30 18:36:10 0 d-------- C:\Documents and Settings\jase\Application Data\Ahead
2007-11-30 14:22:27 2916352 --a------ C:\WINDOWS\UNNMP.exe <Not Verified; Nero AG; Nero Web Engine>
2007-11-30 14:21:10 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-11-30 14:20:50 0 d-------- C:\Program Files\Common Files\Nero
2007-11-30 14:20:07 2977792 --a------ C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Web Engine>
2007-11-30 14:19:29 364544 --a------ C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2007-11-30 14:19:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-11-30 14:19:28 471040 --a------ C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-11-30 14:19:28 262144 --a------ C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-11-30 14:19:28 1568768 --a------ C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-11-30 14:19:27 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-11-30 14:19:27 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2007-11-30 14:19:20 0 d-------- C:\Program Files\Common Files\Ahead
2007-11-30 14:19:19 0 d-------- C:\Program Files\Ahead
2007-11-30 14:10:48 0 d-------- C:\Documents and Settings\jase\Application Data\Skype
2007-11-30 14:10:18 0 d-------- C:\Program Files\Skype
2007-11-30 14:10:18 0 d-------- C:\Program Files\Common Files\Skype
2007-11-30 14:10:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-11-30 02:22:04 0 d-------- C:\WINDOWS\Profiles
2007-11-30 02:21:57 0 d-------- C:\Documents and Settings\jase\WINDOWS
2007-11-27 01:01:30 0 d--hs---- C:\WINDOWS\CSC
2007-11-26 16:45:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-26 16:45:29 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-26 16:45:29 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-26 16:45:29 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-26 16:45:29 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-26 16:45:29 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-26 16:45:29 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-26 16:45:29 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-26 16:45:29 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-26 16:45:29 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-26 16:45:29 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-26 16:45:29 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-26 16:45:29 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-26 16:45:28 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-26 16:45:28 1798144 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-24 14:28:55 0 d-------- C:\Documents and Settings\jase\Application Data\Adobe
2007-11-24 14:27:47 0 d-------- C:\Documents and Settings\jase\Application Data\HP
2007-11-24 14:26:30 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-24 14:13:01 0 d-------- C:\WINDOWS\SendTo
2007-11-24 14:12:23 0 d-------- C:\WINDOWS\forms
2007-11-24 14:12:22 0 d-------- C:\Program Files\Windows Messaging
2007-11-22 00:51:57 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-22 00:51:57 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-22 00:51:57 0 d-------- C:\Program Files\Xvid

-- Find3M Report ---------------------------------------------------------------

2007-12-20 12:13:11 0 d-------- C:\Program Files\IObit
2007-12-20 03:49:24 0 d-------- C:\Program Files\Common Files
2007-12-19 18:52:39 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-19 18:52:15 0 d-------- C:\Program Files\Messenger
2007-12-15 03:20:19 0 --a------ C:\AUTOEXEC.BAT
2007-12-14 02:14:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-14 01:50:33 0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-17 11:44:30 109154 --a------ C:\WINDOWS\hpoins08.dat
2007-11-17 11:36:56 0 d-------- C:\Program Files\Common Files\Sonic Shared
2007-11-17 11:36:33 0 d-------- C:\Program Files\Common Files\HP
2007-11-17 11:34:12 0 d-------- C:\Program Files\Hewlett-Packard
2007-11-17 11:34:11 0 d-------- C:\Program Files\HP
2007-11-17 11:32:07 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-11-15 14:37:11 0 d-------- C:\Documents and Settings\jase\Application Data\Sony Corporation
2007-11-15 14:21:54 0 d-------- C:\Program Files\Sony
2007-11-15 14:21:10 0 d-------- C:\Documents and Settings\jase\Application Data\InstallShield
2007-11-14 01:54:11 0 d-------- C:\Documents and Settings\jase\Application Data\Real
2007-11-14 01:52:21 0 d-------- C:\Program Files\Common Files\xing shared
2007-11-14 01:52:19 0 d-------- C:\Program Files\Common Files\Real
2007-11-14 01:52:10 0 d-------- C:\Program Files\Real
2007-11-11 17:39:35 0 d-------- C:\Documents and Settings\jase\Application Data\Uniblue
2007-11-10 00:51:14 0 d-------- C:\Program Files\Acidx Productions
2007-11-09 22:20:29 0 d-------- C:\Program Files\Common Files\ODBC
2007-11-09 22:20:26 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-11-09 22:20:03 62 --ahs---- C:\Documents and Settings\jase\Application Data\desktop.ini
2007-11-09 17:34:01 0 d-------- C:\Program Files\Alwil Software
2007-11-09 17:29:32 0 d-------- C:\Documents and Settings\jase\Application Data\Macromedia
2007-11-09 17:27:55 0 d-------- C:\Program Files\Yahoo!
2007-11-09 17:22:58 0 d-------- C:\Program Files\Realtek
2007-11-09 17:19:11 0 d-------- C:\Program Files\Realtek AC97
2007-11-09 17:14:47 0 d-------- C:\Program Files\Intel
2007-11-09 17:14:03 0 d-------- C:\Program Files\MSXML 4.0
2007-11-09 17:07:56 0 d-------- C:\Documents and Settings\jase\Application Data\Identities
2007-11-09 17:01:01 0 d-------- C:\Program Files\microsoft frontpage
2007-11-09 17:00:41 0 -rahs---- C:\MSDOS.SYS
2007-11-09 17:00:41 0 -rahs---- C:\IO.SYS
2007-11-09 17:00:41 0 --a------ C:\CONFIG.SYS
2007-11-09 16:59:16 0 d--h----- C:\Program Files\WindowsUpdate
2007-11-09 16:59:13 0 d-------- C:\Program Files\Online Services
2007-11-09 16:58:31 0 d-------- C:\Program Files\Common Files\MSSoap
2007-11-09 16:58:22 0 d-------- C:\Program Files\Movie Maker
2007-11-09 16:57:09 0 d-------- C:\Program Files\MSN Gaming Zone
2007-11-09 16:57:01 0 d-------- C:\Program Files\Windows NT

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9828DDAB-2B7A-4626-885A-5579EA690FEB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/15/2005 11:18 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 10:32 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [08/23/2001 05:30 PM]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 01:52 PM C:\WINDOWS\soundman.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/29/2007 12:43 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/21/2007 12:53 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 05:43 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [12/18/2007 04:29 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/24/2007 2:26:39 PM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12/15/2005 1:00:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

Newly Created Service - APPMGMT

-- End of Deckard's System Scanner: finished at 2007-12-21 03:01:37 ------------