Ghost.pif Worm/Trojan Infection

Hi, my external hard drive, and possibly my computer, seems to be infected by some sort of trojan/worm called Ghost.pif. It attaches itself to files and passes through any external hard drives including thumb drives, iPods and even PSPs. I think I might have deleted it when I connected my external hard drive to the computer, but now I can’t double click my external hard drive (under My Computer), I can only right click and open. If I select auto run, it will give me an option to choose a program.

I’ve already checked around the net for ways to delete it. I’ve checked my registry for certain strings but they don’t appear to be there. Trend Micro’s forum believes it is a WORM_DROM.A. I’ve also checked the autorun.inf but it doesn’t contain anything to do with Ghost.pif either.

Nothing seems to be going noticeably wrong so far, but it’s really annoying how I can’t double click my external hard drives, and the trojan/worm seems to be spreading really quickly from thumb drives to PCs. Any help would be greatly appreciated. Thanks.

Hi Kyosuke,

Is this what you tried?

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DROM.A&VSect=Sn

I’d recommend some online scans:

(Disable avast! while scanning.)

F-Secure
BitDefender
Panda
Trend Micro Housecall

Yeah, that’s the one I tried. Couldn’t find anything in the registry, and all my autorun.inf files were clean of the ghost.pif command. However, I did notice a ghost.pif in my registry search; not sure if it’s safe to remove it though.

No good with the scans. Might have actually already removed the worm but deleted a file in the process, and the worm would’ve played with my registry. Need to find out which files I can remove/alter.

What was the exact entry?
Ghost.pif doesn’t seem to be an active component of the malware, but the file by which it is transferred from computer to computer.

Might be easier if I show you the print screens.
Here’s the print for the regedit where I found ghost.pif

http://img297.imageshack.us/img297/9641/problemtn6.th.jpg

This is what happens if I try to double click on my external hard drive.

http://img337.imageshack.us/img337/2413/problem1ci3.th.jpg

And this is the response I get when I select autoplay option.

http://img228.imageshack.us/img228/5805/problem2so2.th.jpg

Hope that helps, thanks for the quick replies.

Download and run the following programme. This will show me the registry entries that are corrupt and then I could work a registry fix for you.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
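Added example, not part of the thread and not DSS's own code: a Python pass over a DSS-style registry dump that picks out the per-volume MountPoints2 shell commands Explorer has cached, which is where a removable-drive launcher can stay referenced after the file and its autorun.inf entry are gone. The sample dump and its GUIDs are constructed, the line layout is assumed from the DSS "Registry Dump" format, and the risk labels are this example's own heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample laid out like a DSS "Registry Dump" section.
# The GUIDs are placeholders, not values from any real machine.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-aaaa-bbbb-cccc-000000000001}]
Auto\command- H:\Ghost.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{11111111-aaaa-bbbb-cccc-000000000002}]
AutoRun\command- G:\setup.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# The backslash before the GUID is optional because forum software often eats it.
MOUNT_RE = re.compile(r"mountpoints2\\?(?P<guid>\{[0-9a-f-]{36}\})$", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<verb>[^\\]+)\\command-\s*(?P<cmd>.+)$", re.IGNORECASE)
SHELLEXEC_RE = re.compile(
    r"rundll32(?:\.exe)?\s+shell32(?:\.dll)?,ShellExec_RunDLL\s+(?P<target>.+)$",
    re.IGNORECASE,
)
EXT_RE = re.compile(r"(\.[A-Za-z0-9]{2,4})(?=[\s\"]|$)")

# Extensions Windows executes but that are rarely a legitimate autorun target
# (heuristic chosen for this example).
RISKY_EXT = {".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js"}


@dataclass(frozen=True)
class Finding:
    guid: str       # volume GUID of the MountPoints2 subkey
    verb: str       # shell verb, e.g. Auto or AutoRun
    command: str    # full cached command line
    target: str     # file the command ends up launching
    risk: str       # "high" or "review"
    reasons: tuple  # why the entry was graded that way


def classify(command):
    """Return (target, risk, reasons) for one cached shell command."""
    reasons = []
    indirect = SHELLEXEC_RE.search(command)
    target = indirect.group("target").strip() if indirect else command.strip()
    if indirect:
        reasons.append("rundll32 ShellExec_RunDLL indirection")
    ext = EXT_RE.search(target)
    if ext and ext.group(1).lower() in RISKY_EXT:
        reasons.append("target extension " + ext.group(1).lower())
    return target, ("high" if reasons else "review"), tuple(reasons)


def scan_dump(text):
    """Collect every <verb>\\command entry found under a MountPoints2 volume key."""
    findings, guid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            mount = MOUNT_RE.search(section.group("key"))
            guid = mount.group("guid") if mount else None
            continue
        entry = ENTRY_RE.match(line)
        if guid and entry:
            target, risk, reasons = classify(entry.group("cmd"))
            findings.append(
                Finding(guid, entry.group("verb"), entry.group("cmd"), target, risk, reasons)
            )
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f.risk:6} {f.guid} {f.verb}: {f.target} {list(f.reasons)}")
```

Entries graded high identify the MountPoints2 volume keys to look at first; entries graded review are ordinary installer-style autorun targets that still deserve a glance.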

Deckard’s System Scanner v20070905.67
Run by Ray on 2007-09-22 19:23:23
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

– Last 1 Restore Point(s) –
1: 2007-09-22 11:23:27 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

– HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-22 19:25:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Ray\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O4 - HKEY_LOCAL_MACHINE..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE..\Run: [nwiz] nwiz.exe /install
O4 - HKEY_LOCAL_MACHINE..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 -noicon
O4 - HKEY_LOCAL_MACHINE..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKEY_LOCAL_MACHINE..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKEY_LOCAL_MACHINE..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKEY_LOCAL_MACHINE..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKEY_LOCAL_MACHINE..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE..\Run: [Sony Ericsson PC Suite] “C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” /startoptions
O4 - HKEY_LOCAL_MACHINE..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKEY_LOCAL_MACHINE..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKEY_LOCAL_MACHINE..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\PROGRA~1\MICROS~3\wcescomm.exe”
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: (no name) - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra ‘Tools’ menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://localhost.fm (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - “C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe”
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - “C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe”
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

– File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - “C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe” “%1”

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pnpshark - c:\windows\system32\drivers\pnpshark.sys
R0 st3shark - c:\windows\system32\drivers\st3shark.sys
R1 aslm75 - c:\windows\system32\drivers\aslm75.sys
R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 KPSYSDRV - c:\windows\system32\drivers\kpsysdrv.sys <Not Verified; Destiny Technology Corporation; WinStyler NT>
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R4 PREVXTdi (PREVX TDI filter) - c:\windows\system32\drivers\pxtdi.sys (file missing)
R4 PXRDDriver (PREVX Rootkitscan driver) - c:\windows\system32\drivers\pxrd.sys (file missing)

S2 BulkUsb (Genesys Logic USB Controller NT 5.0) - c:\windows\system32\drivers\usbprn.sys
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>
S3 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
S3 RT25USBAP (Nintendo Wi-Fi USB Connector Service) - c:\windows\system32\drivers\rt25usbap.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>
S3 SE27bus (Sony Ericsson Device 039 Driver driver (WDM)) - c:\windows\system32\drivers\se27bus.sys <Not Verified; MCCI; Sony Ericsson Device 039 Driver>
S3 SE27mdfl (Sony Ericsson Device 039 USB WMC Modem Filter) - c:\windows\system32\drivers\se27mdfl.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Modem Filter Driver>
S3 SE27mdm (Sony Ericsson Device 039 USB WMC Modem Driver) - c:\windows\system32\drivers\se27mdm.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Data Modem>
S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 U400bus (LGE U400 driver (WDM)) - c:\windows\system32\drivers\u400bus.sys (file missing)
S3 U400mdfl (LGE U400 USB WMC Modem Filter) - c:\windows\system32\drivers\u400mdfl.sys (file missing)
S3 U400mdm (LGE U400 USB WMC Modem Driver) - c:\windows\system32\drivers\u400mdm.sys (file missing)
S3 U400mgmt (LGE U400 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u400mgmt.sys (file missing)
S3 U400obex (LGE U400 USB WMC OBEX Interface) - c:\windows\system32\drivers\u400obex.sys (file missing)

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

– Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Nintendo Wi-Fi USB Connector
Device ID: USB\VID_0411&PID_008B\000D0B5D1E6A
Manufacturer: Nintendo
Name: Nintendo Wi-Fi USB Connector
PNP Device ID: USB\VID_0411&PID_008B\000D0B5D1E6A
Service: RT25USBAP

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: Applied Networking Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi

– Files created between 2007-08-22 and 2007-09-22 -----------------------------

2007-09-22 19:09:47 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-22 19:08:36 0 d-------- C:\WINDOWS\LastGood
2007-09-22 18:25:29 0 d-------- C:\Documents and Settings\Ray.housecall6.6
2007-09-22 12:43:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Prevx
2007-09-22 12:42:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-09-18 15:06:46 0 d-------- C:\Program Files\Western Digital Technologies

– Find3M Report ---------------------------------------------------------------

2007-09-22 06:26:59 0 d-------- C:\Documents and Settings\Ray\Application Data\Azureus
2007-09-21 13:08:18 0 d-------- C:\Program Files\Java
2007-08-20 04:46:55 0 d-------- C:\Program Files\PSP ISO Compressor
2007-08-17 14:21:34 0 -ra------ C:\logwmemory.bin
2007-08-17 14:17:16 0 d-------- C:\Documents and Settings\Ray\Application Data\Soldat

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [10/08/2004 04:04 AM]
“SoundMan”=“SOUNDMAN.EXE” [15/11/2004 06:20 PM C:\WINDOWS\SOUNDMAN.EXE]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [22/10/2006 12:22 PM]
“nwiz”=“nwiz.exe” [22/10/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [06/09/2007 06:06 PM]
“DAEMON Tools-1033”=“C:\Program Files\D-Tools\daemon.exe” [02/10/2003 02:20 AM]
“DelPnPDirver”=“C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe” [23/05/2001 07:59 PM]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [13/03/2006 10:48 AM]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [12/07/2007 04:00 AM]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [23/02/2006 03:45 PM]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [21/05/2006 06:34 PM]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [12/01/2006 04:40 PM]
“@”=“”
“Sony Ericsson PC Suite”=“C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe” [26/10/2005 05:17 PM]
“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [22/10/2006 12:22 PM]
“KernelFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -k”
“UserFaultCheck”=“C:\WINDOWS\system32\dumprep 0 -u”

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“MsnMsgr”=“C:\Program Files\MSN Messenger\MsnMsgr.exe” [19/01/2007 11:54 AM]
“P2kAutostart”=“”
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [01/06/2006 01:32 PM]
“H/PC Connection Agent”=“C:\PROGRA~1\MICROS~3\wcescomm.exe” [15/11/2005 07:44 PM]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [26/05/2007 08:16 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 9:05:26 PM]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [21/11/2006 3:33:31 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{2bee6ba4-48b8-11dc-a29f-0013d4d155a6}]
Auto\command- H:\Ghost.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{2bee6ba5-48b8-11dc-a29f-0013d4d155a6}]
Auto\command- I:\Ghost.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{7225f0e4-4bc9-11dc-a2a0-0013d4d155a6}]
Auto\command- Ghost.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{c2ece75c-ae60-11da-a238-0013d4d155a6}]
AutoRun\command- G:\setupSNK.exe

– End of Deckard’s System Scanner: finished at 2007-09-22 19:25:42 ------------

Deckard’s System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 27%
Physical Memory (total/avail): 2047.48 MiB / 1492.23 MiB
Pagefile Memory (total/avail): 3939.96 MiB / 3622.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 46.58 GiB total, 10.5 GiB free.
D: is Fixed (NTFS) - 186.3 GiB total, 6.39 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)
I: is Fixed (FAT32) - 74.51 GiB total, 59.91 GiB free.

\.\PHYSICALDRIVE0 - WDC WD2500KS-00MJB0 - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 46.58 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 186.3 GiB - D:

\.\PHYSICALDRIVE1 - WD 800BEVSExternal USB Device - 74.53 GiB - 1 partition
\PARTITION0 - Unknown - 74.53 GiB - I:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1043 [VPS 000775-6] v4.7.1043 (ALWIL Software)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\D Drive\mIRC\mirc.exe"="D:\D Drive\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"D:\World of Warcraft\WoW-1.9.0-enUS-downloader.exe"="D:\World of Warcraft\WoW-1.9.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"="D:\World of Warcraft\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Teamspeak2_RC2\server_windows.exe"="C:\Program Files\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"D:\Ghost Recon Advanced Warfighter\GRAW.exe"="D:\Ghost Recon Advanced Warfighter\GRAW.exe:*:Enabled:GRAW"
"D:\SiN\SinEpisodes\SinEpisodes.exe"="D:\SiN\SinEpisodes\SinEpisodes.exe:*:Enabled:SinEpisodes"
"D:\Starcraft\starcraft.exe"="D:\Starcraft\starcraft.exe:*:Enabled:Starcraft"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\Documents and Settings\Ray\Application Data\U3\0000060327075456\58EA136C-7E57-4416-B59E-394C46DD505B\Exec\trillian.exe"="C:\Documents and Settings\Ray\Application Data\U3\0000060327075456\58EA136C-7E57-4416-B59E-394C46DD505B\Exec\trillian.exe:*:Enabled:Trillian"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"D:\FEARCombat\fpupdate.exe"="D:\FEARCombat\fpupdate.exe:*:Enabled:fpupdate"
"D:\FEARCombat\FEARMP.exe"="D:\FEARCombat\FEARMP.exe:*:Enabled:FEAR Combat"
"D:\GunboundWC\GunboundWC\GunBound.gme"="D:\GunboundWC\GunboundWC\GunBound.gme:*:Enabled:GunBound"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Program Files\WiFiConnector\NintendoWFCReg.exe"="C:\Program Files\WiFiConnector\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"D:\PDA Programs\Broken Sword\BrokenSword_v1.0_WM5\Keygen\Registration Tools\POSE\Emulator.exe"="D:\PDA Programs\Broken Sword\BrokenSword_v1.0_WM5\Keygen\Registration Tools\POSE\Emulator.exe:*:Enabled:Palm OS® Emulator"
"D:\4Winds2\4Winds2.exe"="D:\4Winds2\4Winds2.exe:*:Enabled:Four Winds - Traditional Mah Jong for Windows"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\Soldat\Soldat.exe"="D:\Soldat\Soldat.exe:*:Enabled:Soldat"

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ray\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RAY
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ray
LOGONSERVER=\RAY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ZipGenius 6;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ray\LOCALS~1\Temp
USERDOMAIN=RAY
USERNAME=Ray
USERPROFILE=C:\Documents and Settings\Ray
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

Ray
Administrator

– Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
→ C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
→ C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
→ C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
→ C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
→ C:\WINDOWS\UNNeroVision.exe /UNINSTALL
→ C:\WINDOWS\UNRecode.exe /UNINSTALL
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal → C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX → C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader for Pocket PC 2.0 → C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{291A772C-FFB9-4681-B720-AB2A0A620896}
Adobe Shockwave Player → C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
arniWORX Daemon-Tools ShellExtension (remove only) → “C:\Program Files\arniWORX\awxDTools\uninstall.exe”
ASUS Probe V2.23.06 → C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
Athlon 64 Processor Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe” -l0x9
Australian Phonedisc → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{A8C2ECC8-BB15-11D6-B91C-00C04F689AB6}\Setup.exe” -l0x9
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Azureus → C:\Program Files\Azureus\Uninstall.exe
Big2 → C:\Program Files\Microsoft ActiveSync\Big2\Uninstall.exe Big2
Bowling Master → C:\Program Files\Microsoft ActiveSync\Bowling Master\Uninstall.exe Bowling Master
Broken Sword: Shadow of the Templars Demo for Pocket PC → C:\Program Files\Astraware\Broken Sword Shadow of the Templars Demo for Pocket PC\uninst.exe
BSPlayer → “C:\Program Files\Webteh\BSplayerPro\uninstall.exe”
DAEMON Tools → MsiExec.exe /I{2DF9A978-DEA1-4433-805D-66790FC28C62}
Disc2Phone → MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
FEARCombat → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{75E607CF-7BAE-4B88-84B3-97F3DF44BA28}\setup.exe” -l0x9 /zU -removeonly
ffdshow → “C:\Program Files\ffdshow\uninstall.exe”
Four Winds Mah Jong 1.0 for Pocket PC 2002 → “C:\Program Files\Microsoft ActiveSync\4WindsPPC\4WPPC.exe” -uninstall
Four Winds Mah Jong 2.01 → MsiExec.exe /I{FE4A88C8-A551-4657-8756-E113E3FAEE1D}
G6 U-DISK Manager Uninstall → C:\Program Files\G6 U-DISK Manager\Uninstall.exe
Google Toolbar for Internet Explorer → regsvr32 /u /s “c:\program files\google\googletoolbar4.dll”
Google Video Player → “C:\Program Files\Google\Google Video Player\Uninstall.exe”
Guild Wars → “D:\Guild Wars\Gw.exe” -uninstall
GunboundWC → “D:\GunboundWC\unins000.exe”
Hamachi 0.9.9.9 → C:\Program Files\Hamachi\uninstall.exe
iTunes → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{59C4F14F-7590-45FC-BE9F-A67AB3590709} /l1033
J2SE Runtime Environment 5.0 Update 10 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lexisgoo version 2.7 → C:\Program Files\Microsoft ActiveSync\Lexisgoo version 2.7\Uninstall.exe Lexisgoo version 2.7
Macromedia Dreamweaver MX 2004 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe” -l0x9 mmUninstall
Macromedia Extension Manager → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe” -l0x9 mmUninstall
Macromedia Fireworks MX 2004 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe” -l0x9 UNINSTALL
Magic Button → C:\Program Files\Microsoft ActiveSync\Magic Button\Uninstall.exe Magic Button
Matrix Code Emulator 1.50 → “C:\WINDOWS\unins000.exe”

Microsoft ActiveSync 4.0 → MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Office Professional Edition 2003 → MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Reader for Pocket PC → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{AEFD48FE-2A76-11D3-928B-00C04FB90523}\Setup.exe” UninstReg
mIRC → “D:\D Drive\mIRC\mirc.exe” -uninstall
Mozilla Firefox (2.0.0.2) → C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.7) → C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mpegable X4 live → C:\WINDOWS\AKDeInstall.exe “/C:\Program Files\mpegable"
MSN → C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero 7 Ultra Edition → MsiExec.exe /I{692854CC-97EF-4307-B787-8C6787B91033}
Nintendo Wi-Fi USB Connector Registration Tool → C:\Program Files\WiFiConnector\SoftAPUninst.exe
NVIDIA Drivers → C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OmniGSoft Nine Hole Golf 1.0 for Pocket PC → C:\Program Files\Microsoft ActiveSync\OmniGSoft Nine Hole Golf 1.0 for Pocket PC\Uninstall.exe OmniGSoft Nine Hole Golf 1.0 for Pocket PC
Panasonic KX-P7100 → C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\panasonic\panasonic KX-P7100\Uninst.isu” -c"C:\Program Files\panasonic\panasonic KX-P7100\DeSetDLL.dll"
Pocket Informant Pro 2007 → C:\Program Files\Pocket Informant\uninst.exe
PSP ISO Compressor → MsiExec.exe /X{D47087E7-AA15-4D1D-8C0A-60F7E446D597}
PSP Video 9 2.24 → C:\Program Files\Red Kawa\Video Converter\uninstaller.exe
QuickTime → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer → C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC’97 Audio → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe” REMOVE
SecondLife (remove only) → “D:\SecondLife\uninst.exe” /P=“SecondLife”
Simcity 2000 for Pocket PC → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft ActiveSync\ZIO\Simcity 2000 for Pocket PC\Uninst.isu"
Sony Ericsson Drivers → MsiExec.exe /I{C6E91710-5BF5-43C5-AB81-C3E488133346}
Sony Ericsson PC Suite 1.20.237 → MsiExec.exe /I{D21635EA-7A89-4881-86A9-0C1DCBCD1317}
Sony Sound Forge 7.0 → MsiExec.exe /I{6B629F70-BE1D-456E-AA97-73619020E7A1}
Spb Weather → C:\Program Files\Microsoft ActiveSync\Spb Weather\Uninstall.exe Spb Weather
Spybot - Search & Destroy 1.4 → “C:\Program Files\Spybot - Search & Destroy\unins000.exe”
Starcraft → C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
System Requirements Lab → C:\Program Files\SystemRequirementsLab\Uninstall.exe
TCPMP → C:\Program Files\Microsoft ActiveSync\TCPMP\Uninstall.exe TCPMP
TeamSpeak 2 RC2 → “C:\Program Files\Teamspeak2_RC2\unins000.exe”
TenGO Free → C:\Program Files\Microsoft ActiveSync\TenGO Free\Uninstall.exe TenGO Free
TheDogAteIt → C:\Program Files\Microsoft ActiveSync\TheDogAteIt\Uninstall.exe TheDogAteIt
VideoLAN VLC media player 0.8.5 → C:\Program Files\VideoLAN\VLC\uninstall.exe
WD Diagnostics → MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Live Messenger → MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant → MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
WisBar Advance 2 → “C:\Program Files\Microsoft ActiveSync\WisBar Advance 2\unins000.exe”
World of Warcraft → C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Worms for Pocket PC → C:\WINDOWS\unvise32.exe C:\Program Files\Jamdat\Worms Pocket PC\uninstal.log

– Application Event Log -------------------------------------------------------

Event Record #/Type14295 / Success
Event Submitted/Written: 09/22/2007 05:41:53 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type14286 / Success
Event Submitted/Written: 09/22/2007 00:46:00 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type14278 / Success
Event Submitted/Written: 09/22/2007 00:39:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type14268 / Success
Event Submitted/Written: 09/22/2007 00:36:19 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type14258 / Success
Event Submitted/Written: 09/22/2007 00:32:27 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type10475 / Error
Event Submitted/Written: 09/22/2007 05:41:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Genesys Logic USB Controller NT 5.0 service failed to start due to the following error:
%%1058

Event Record #/Type10473 / Error
Event Submitted/Written: 09/22/2007 05:41:02 PM / 09/22/2007 05:41:26 PM
Event ID/Source: 4 / pnpshark
Event Description:
Driver detected an internal error in its data structures for .

Event Record #/Type10472 / Error
Event Submitted/Written: 09/22/2007 05:41:01 PM / 09/22/2007 05:41:26 PM
Event ID/Source: 4 / pnpshark
Event Description:
Driver detected an internal error in its data structures for .

Event Record #/Type10465 / Error
Event Submitted/Written: 09/22/2007 05:40:30 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “%%1084” attempting to start the service EventSystem with arguments “”
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type10464 / Error
Event Submitted/Written: 09/22/2007 00:50:57 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
AmdK8
aslm75
aswTdi
Fips
IPSec
KPSYSDRV
MRxSmb
NetBIOS
NetBT
PREVXTdi
RasAcd
Rdbss
Tcpip

– End of Deckard’s System Scanner: finished at 2007-09-22 19:25:42 ------------

Sorry for the multiple posts, couldn’t fit them all in one post.

No problem, it is a big report. While you were posting I read the important part and here is the fix…

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

First we must back up the entire registry. To do this

REGISTRY BACKUP

Go START > RUN and type in REGEDIT then press your enter key.
When Regedit is open ensure that ‘my computer’ is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the ‘all’ button at the bottom of the screen to backup the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file) I would suggest the Desktop
Choose the FILE NAME as Oldreg
In the drop down box called SAVE AS TYPE select registration files (*.reg).
Then click SAVE
This will create a file on your desktop called Oldreg.reg
http://img127.imageshack.us/img127/433/regtg8.jpg

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bee6ba4-48b8-11dc-a29f-0013d4d155a6}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bee6ba5-48b8-11dc-a29f-0013d4d155a6}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7225f0e4-4bc9-11dc-a2a0-0013d4d155a6}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Also Uninstall the following versions of Java as they are a security risk

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9

Just checking the rest of the report now but this will be enough to be getting on with
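The fix above removes per-volume MountPoints2 keys by GUID. As an added example (not part of the thread or of any tool used in it), this Python code scans the text of a registry export such as the Oldreg.reg backup for MountPoints2 volumes that carry a Shell\<verb>\command entry and drafts the matching deletion file for manual review. The sample export, its GUIDs and the extension list are constructed assumptions, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample of a REGEDIT4 export; the GUIDs and values are made up
# for illustration and are not taken from the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-1111-1111-1111-111111111111}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-1111-1111-1111-111111111111}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ghost.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{22222222-2222-2222-2222-222222222222}]
"BaseClass"="Drive"
'''

KEY_RE = re.compile(
    r'^\[(HKEY_CURRENT_USER\\.*?\\Explorer\\MountPoints2\\\{[0-9a-f-]{36}\})'
    r'\\shell\\([^\\\]]+)\\command\]$', re.IGNORECASE)

def find_mountpoint_commands(reg_text):
    """Return [(volume_key, verb, command)] for every MountPoints2 volume
    that has a Shell\\<verb>\\command default value."""
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = (m.group(1), m.group(2)) if m else None
        elif current:
            m = re.match(r'@="(.*)"$', line)
            if m:
                # Undo .reg escaping (\\ -> \ and \" -> ") in one pass.
                cmd = re.sub(r'\\(.)', r'\1', m.group(1))
                hits.append((current[0], current[1], cmd))
    return hits

# Assumption: file types treated as suspicious when launched from a drive verb.
SUSPICIOUS = ('.pif', '.scr', '.bat', '.cmd', '.vbs')

def build_fix(hits):
    """Draft a REGEDIT4 deletion file for volumes whose command mentions a
    suspicious file type; read it through before merging anything."""
    keys = sorted({key for key, _, cmd in hits
                   if any(ext in cmd.lower() for ext in SUSPICIOUS)})
    return 'REGEDIT4\n\n' + '\n\n'.join('[-%s]' % k for k in keys) + '\n'
```

Deleting a MountPoints2 volume key only discards Explorer's cached per-user settings for that volume, so an entry that looks legitimate can be left out of the drafted file without harm.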

Okay, done that already. Still finding ghost.pif in my registry when I do a search.

When I click on my external hard drive, it’ll still open with ‘Open with’, with the ‘Always use this selected program to open this type of file’ radio button shaded dark so I can’t check it. Know any way I can get around this and make the drive open like it is supposed to?

Did you reboot after the registry fix? I should have made that clear.

Yup, rebooted after reg fix :slight_smile:

I left this one because it appeared legitimate; however, it may be the cause. It is related to the wireless set up wizard. Which in retrospect is a stupid place to have a set up wizard on a cdrom

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2ece75c-ae60-11da-a238-0013d4d155a6}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

I can do a deeper analysis with another programme if you wish

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
    Reg - ControlSets
    Reg - Disabled MS Config Items
    Reg - File Associations
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.