Help... Oldman, I'm creating a new thread as advised by you.

Hi Oldman, I'll try to scan again but chances are slim, as I've attempted a few scans previously with DSS but without success.

Will pass my log again once I'm finished with the scan.

Thanks Oldman for all your time and effort spent in helping me to solve this virus issue.

May you be in good health always.

Long live Oldman.

Best regards,
michaelong

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1600MHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 511.48 MiB / 252.54 MiB
Pagefile Memory (total/avail): 1249.44 MiB / 953.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.85 MiB

C: is Fixed (FAT32) - 54.98 GiB total, 3.68 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 0.87 GiB total, 0.87 GiB free.

\\.\PHYSICALDRIVE0 - HTS541060G9AT00 - 55.89 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 55.01 GiB - C:
\PARTITION1 - Installable File System - 894.24 MiB - E:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1043 [VPS 071125-0] v4.7.1043 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Xider\EsR\Game.exe"="C:\Program Files\Xider\EsR\Game.exe:*:Enabled:Game"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"C:\Program Files\BearFlix\bearflix.exe"="C:\Program Files\BearFlix\bearflix.exe:*:Enabled:BearFlix"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\myself\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ACER-D137MZMHOW
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\myself
LOGONSERVER=\\ACER-D137MZMHOW
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\myself\LOCALS~1\Temp
TMP=C:\DOCUME~1\myself\LOCALS~1\Temp
USERDOMAIN=ACER-D137MZMHOW
USERNAME=myself
USERPROFILE=C:\Documents and Settings\myself
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

myself
Administrator

– Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
→ C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
→ RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
死亡之屋3 安装程序 → C:\HOD3\UNWISE.EXE C:\HOD3\INSTALL.LOG
死亡打字员 安装程序 → C:\TODC\UNWISE.EXE C:\TODC\INSTALL.LOG
死亡鬼屋 安装程序 → C:\EAIÖ1IIY\UNWISE.EXE C:\EAIÖ1IIY\INSTALL.LOG
5 Spots II → C:\Program Files\reflexive games\5 Spots II\UNWISE.EXE C:\Program Files\reflexive games\5 Spots II\INSTALL.LOG
Ad-Aware 2007 → MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX → C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin → C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Agere Systems AC'97 Modem → agrsmdel
Air Strike II Gulf Thunder → C:\Program Files\reflexive games\Air Strike II Gulf Thunder\UNWISE.EXE C:\Program Files\reflexive games\Air Strike II Gulf Thunder\INSTALL.LOG
Alien Shooter → C:\Program Files\reflexive games\Alien Shooter\UNWISE.EXE C:\Program Files\reflexive games\Alien Shooter\INSTALL.LOG
Apple Software Update → MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Aspire Arcade 3.0 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
Aspire Series → C:\Program Files\Aspire Series\uninstall.exe
ATI Control Panel → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver → rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
BearFlix → C:\PROGRA~1\BEARFLIX\UNWISE.EXE C:\PROGRA~1\BEARFLIX\INSTALL.LOG
Bengal - Game of Gods (remove only) → C:\Program Files\GameHouse\Bengal - Game of Gods\Uninstall.exe
Big Kahuna Reef → C:\Program Files\GameHouse\Big Kahuna Reef\UNWISE.EXE C:\Program Files\GameHouse\Big Kahuna Reef\INSTALL.LOG
Big Kahuna Reef 2 - Chain Reaction → "C:\Program Files\reflexive games\Big Kahuna Reef 2\ReflexiveArcade\unins000.exe"
Casino Island To Go → "C:\Program Files\reflexive games\Casino Island To Go\ReflexiveArcade\unins000.exe"
Chicken Attack (remove only) → C:\Program Files\GameHouse\Chicken Attack\Uninstall.exe
Chuzzle Deluxe → "C:\Program Files\reflexive games\Chuzzle Deluxe\unins000.exe"
CRW Series Driver v1.17r019 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39AE0413-CEFC-4559-AC5F-855A1C006D2F}\SETUP.EXE" -l0x9
Cubis Gold 2 → C:\PROGRA~1\GAMEHO~1\CUBISG~1\UNWISE.EXE C:\PROGRA~1\GAMEHO~1\CUBISG~1\INSTALL.LOG
Cute Knight → "C:\Program Files\reflexive games\Cute Knight\ReflexiveArcade\unins000.exe"
Deep Sea Tycoon 2 → "C:\Program Files\reflexive games\Deep Sea Tycoon 2\unins000.exe"
Dynomite → C:\Program Files\PopCap Games\Dynomite\UNWISE.EXE C:\Program Files\PopCap Games\Dynomite\INSTALL.LOG
ERUNT 1.1j → "C:\Program Files\ERUNT\unins000.exe"
EsR 1.0 → C:\PROGRA~1\Xider\EsR\Setup.exe /remove
FeedingFrenzy → C:\Program Files\GameHouse\FeedingFrenzy\UNWISE.EXE C:\Program Files\GameHouse\FeedingFrenzy\INSTALL.LOG
Fishing Trip → "C:\Program Files\reflexive games\Fishing Trip\unins000.exe"
FlashGet 1.9.6.1073 → C:\Program Files\FlashGet\uninst.exe
Golf Adventure Galaxy → C:\Program Files\reflexive games\Golf Adventure Galaxy\UNWISE.EXE C:\Program Files\reflexive games\Golf Adventure Galaxy\INSTALL.LOG
Google Toolbar for Internet Explorer → MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer → regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Gutterball 2 → C:\Program Files\GameHouse\Gutterball 2\UNWISE.EXE C:\Program Files\GameHouse\Gutterball 2\INSTALL.LOG
Hammer Heads 1.0 → C:\Program Files\PopCap Games\Hammer Heads Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Hammer Heads Deluxe\Install.log"
Heavy Weapon Deluxe → C:\Program Files\PopCap Games\Heavy Weapon\UNWISE.EXE C:\Program Files\PopCap Games\Heavy Weapon\INSTALL.LOG
Hidden Expedition Titanic (remove only) → C:\Program Files\GameHouse\Hidden Expedition Titanic\Uninstall.exe
HijackThis 2.0.2 → "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) → "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ICQ6 → C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe -runfromtemp -l0x0009 -removeonly
Indeo® Software → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu"
Java™ 6 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
JETFIGHTER 2015 → "C:\Program Files\Global Star Software\JETFIGHTER 2015\Uninstall.exe" "C:\Program Files\Global Star Software\JETFIGHTER 2015\install.log"
Launch Manager → C:\WINDOWS\UnInst32.exe CPLFL32.UNI
Magic Ball 2 → C:\Program Files\GameHouse\Magic Ball 2\UNWISE.EXE C:\Program Files\GameHouse\Magic Ball 2\INSTALL.LOG
Magic Vines → C:\Program Files\GameHouse\Magic Vines\UNWISE.EXE C:\Program Files\GameHouse\Magic Vines\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP → "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 → "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIRC → "C:\Program Files\mIRC\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.8) → C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mummy Maze Deluxe → C:\Program Files\PopCap Games\Mummy Maze Deluxe\UNWISE.EXE C:\Program Files\PopCap Games\Mummy Maze Deluxe\INSTALL.LOG
NTI CD & DVD-Maker Gold → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778} /l1033 AnyText
Off Road Arena → "C:\Program Files\reflexive games\Off Road Arena\unins000.exe"
Platypus → C:\Program Files\GameHouse\Platypus\UNWISE.EXE C:\Program Files\GameHouse\Platypus\INSTALL.LOG
Poker Superstars → C:\PROGRA~1\GAMEHO~1\POKERS~1\UNWISE.EXE C:\PROGRA~1\GAMEHO~1\POKERS~1\INSTALL.LOG
PowerProducer → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\SETUP.EXE" -uninstall
QuickTime → MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer → C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rocket Bowl → C:\Program Files\reflexive games\Rocket Bowl\UNWISE.EXE C:\Program Files\reflexive games\Rocket Bowl\INSTALL.LOG
Skype™ 3.5 → MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SMSC IrCC Driver V5.1.2462.0 (WinXP) → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC86822D-3A20-11D5-801B-00E029348F40}\setup.exe"
Snail Mail → C:\Program Files\reflexive games\Snail Mail\UNWISE.EXE C:\Program Files\reflexive games\Snail Mail\INSTALL.LOG
Snowy Puzzle Islands → C:\Program Files\reflexive games\Snowy Puzzle Islands\UNWISE.EXE C:\Program Files\reflexive games\Snowy Puzzle Islands\INSTALL.LOG
Spin & Win → C:\Program Files\reflexive games\Spin & Win\UNWISE.EXE C:\Program Files\reflexive games\Spin & Win\INSTALL.LOG
SpongeBob Collapse → C:\Program Files\GameHouse\SpongeBob Collapse\UNWISE.EXE C:\Program Files\GameHouse\SpongeBob Collapse\INSTALL.LOG
Super Jigsaw → C:\Program Files\GameHouse\Super Jigsaw\UNWISE.EXE C:\Program Files\GameHouse\Super Jigsaw\INSTALL.LOG
Synaptics Pointing Device Driver → rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TeamUp → C:\Program Files\reflexive games\TeamUp\UNWISE.EXE C:\Program Files\reflexive games\TeamUp\INSTALL.LOG
Tradewinds 2 → "C:\Program Files\reflexive games\Tradewinds 2\unins000.exe"
Traffic Jam Extreme → C:\Program Files\reflexive games\Traffic Jam Extreme\UNWISE.EXE C:\Program Files\reflexive games\Traffic Jam Extreme\INSTALL.LOG
Tropix → C:\PROGRA~1\GAMEHO~1\TROPIX\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\TROPIX\INSTALL.LOG
Virtual Villagers (remove only) → C:\Program Files\GameHouse\Virtual Villagers\Uninstall.exe
WIDCOMM Bluetooth Software → MsiExec.exe /X{FE90E9E7-A158-4687-8853-DF677A939A61}
Wik And The Fable Of Souls → C:\Program Files\reflexive games\Wik And The Fable Of Souls\UNWISE.EXE C:\Program Files\reflexive games\Wik And The Fable Of Souls\INSTALL.LOG
Windows Live Messenger → MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime → "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WM Converter 2.0 → C:\Program Files\WM Converter\Uninstal.exe
Yahoo! Messenger → C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

– Application Event Log -------------------------------------------------------

Event Record #/Type328 / Error
Event Submitted/Written: 11/27/2007 01:23:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000122ba.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type327 / Error
Event Submitted/Written: 11/27/2007 01:17:59 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type323 / Error
Event Submitted/Written: 11/27/2007 09:16:31 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000122ba.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type322 / Error
Event Submitted/Written: 11/27/2007 09:14:34 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000106c3.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type241 / Error
Event Submitted/Written: 11/21/2007 08:36:57 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16544, faulting module jccatch.dll, version 1.8.4.1007, fault address 0x00007859.
Processing media-specific event for [iexplore.exe!ws!]

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type507 / Error
Event Submitted/Written: 11/27/2007 04:37:46 AM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.0.21 on the
Network Card with network address 00023F17A308.

Event Record #/Type506 / Warning
Event Submitted/Written: 11/27/2007 04:37:46 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00023F17A308. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type505 / Warning
Event Submitted/Written: 11/27/2007 04:37:32 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00023F17A308. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type504 / Warning
Event Submitted/Written: 11/27/2007 04:36:24 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00023F17A308. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type503 / Warning
Event Submitted/Written: 11/27/2007 04:34:06 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00023F17A308. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

– End of Deckard’s System Scanner: finished at 2007-11-27 13:25:38 ------------

Hi Oldman,

Finally I'm able to complete my DSS scan after a few attempts.

Previously DSS always stopped near the ending part, e.g. examining event logs.

I'll be posting my HJT thread after this.

Thanks Oldman for paying extra attention to my thread.

Your help is truly appreciated and will be remembered.

Sincerely yours,
michaelong

Ok, but there should be two logs from DSS: an extra, which you have already posted, and a main; I'll need that one also. Look for it at c:\Deckards

It’s getting late so I’ll have to continue tomorrow but get the logs posted for sure.

StartupList report, 11/27/2007, 1:20:01 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)

* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\myself\Start Menu\Programs\Startup]
ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

Shell folders AltStartup:
Folder not found

User shell folders Startup:
Folder not found

User shell folders AltStartup:
Folder not found

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
BTTray.lnk = ?
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Shell folders Common AltStartup:
Folder not found

User shell folders Common Startup:
Folder not found

User shell folders Alternate Common Startup:
Folder not found


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Registry key not found

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Registry value not found

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Registry key not found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LaunchApp = Alaunch
SoundMan = SOUNDMAN.EXE
AGRSMMSG = AGRSMMSG.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
ATIModeChange = Ati2mdxx.exe
ShowIcon_Chander_CRW Series Driver v1.17r019 = "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
PCMService = "C:\Program Files\Aspire Arcade\PCMService.exe"
LManager = C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

No values found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

No values found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Registry key not found


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Registry key not found


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
kava = C:\WINDOWS\system32\kavo.exe


Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

No values found


Deckard’s System Scanner v20071014.68
Run by myself on 2007-11-27 13:24:40
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

– Last 2 Restore Point(s) –
2: 2007-11-27 01:15:16 UTC - RP2 - Deckard’s System Scanner Restore Point
1: 2007-11-27 01:10:54 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.68 GiB (less than 15%) free.

– HijackThis (run as myself.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:58 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\myself\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\myself.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193064255312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


End of file - 7961 bytes

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ENECBPTH (ENE Cardbus Patch Driver) - c:\windows\system32\drivers\enecbpth.sys <Not Verified; EnE Technology Inc.; EnE Cardbus Patch Driver for Windows (R) 2000/XP>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 10>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-11-26 18:54:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-10-27 and 2007-11-27 -----------------------------

2007-11-27 09:12:34 0 d-------- C:\Program Files\Trend Micro
2007-11-27 07:36:59 0 d-------- C:\My Downloads
2007-11-27 07:36:57 0 d-------- C:\Program Files\BearFlix
2007-11-26 10:47:23 92672 -r-hs---- C:\WINDOWS\system32\kavo1.dll
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-26 09:15:36 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-11-26 09:15:36 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-26 09:15:35 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-26 09:15:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-21 00:32:52 116092 -r-hs---- C:\ntdelect.com
2007-11-21 00:32:22 116092 -r-hs---- C:\WINDOWS\system32\kavo.exe
2007-11-19 19:26:12 0 d-------- C:\Program Files\WM Converter
2007-11-16 19:01:40 0 d-------- C:\Program Files\ms 10
2007-11-16 05:13:13 0 d-------- C:\Program Files\m
2007-11-12 01:16:51 0 d-------- C:\Program Files\FlashGet
2007-11-10 09:27:49 0 d-------- C:\Program Files\Common Files\DirectX
2007-11-10 09:24:30 0 d-------- C:\Program Files\Paris-Dakar Rally
2007-11-08 08:14:13 0 d-------- C:\Program Files\Xider
2007-11-03 00:27:39 0 d-------- C:\Program Files\Apple Software Update
2007-11-03 00:27:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-02 03:15:45 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-11-02 03:15:45 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-11-01 02:25:16 0 d-------- C:\Program Files\Global Star Software
2007-10-31 08:50:14 0 d-------- C:\Documents and Settings\myself\Application Data\SEGA
2007-10-31 07:39:08 0 d-------- C:\TODC
2007-10-31 07:32:38 0 d-------- C:\ËÀÍö¹íÎÝ
2007-10-31 07:25:31 0 d-------- C:\HOD3
2007-10-28 17:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-10-28 17:05:53 0 d-------- C:\Documents and Settings\myself\Application Data\EA
2007-10-28 17:05:45 0 d-------- C:\Documents and Settings\All Users\Application Data\EA
2007-10-28 16:57:11 0 d-------- C:\Program Files\BFG
2007-10-28 01:43:18 0 dr------- C:\Program Files\nepal_everest
2007-10-28 01:26:52 0 dr------- C:\Program Files\mike holidays
2007-10-28 01:15:31 0 d-------- C:\notes 20_10
2007-10-28 00:26:03 0 dr------- C:\Program Files\wmv
2007-10-28 00:02:05 0 d-------- C:\Program Files\video hp
2007-10-27 23:46:11 0 d-------- C:\Program Files\video

-- Find3M Report ---------------------------------------------------------------

2007-11-25 10:25:50 46 --a------ C:\WINDOWS\popcinfo.dat
2007-10-25 13:03:44 4096 --a------ C:\WINDOWS\d3dx.dat
2007-10-25 09:06:02 0 dr------- C:\Program Files\ad onli
2007-10-25 08:54:28 0 d-------- C:\Program Files\PopCap Games
2007-10-25 08:44:24 0 d-------- C:\Program Files\reflexive games
2007-10-25 08:36:26 0 d-------- C:\Program Files\GameHouse
2007-10-24 19:32:40 0 d-------- C:\Documents and Settings\myself\Application Data\Apple Computer
2007-10-24 18:24:22 0 dr------- C:\Program Files\scenery
2007-10-24 18:22:30 0 dr------- C:\Program Files\eqtc edu
2007-10-24 18:12:58 0 d-------- C:\Program Files\ReflexiveArcade
2007-10-24 17:53:22 0 dr------- C:\Program Files\songs
2007-10-24 09:50:44 0 d-------- C:\Documents and Settings\myself\Application Data\Talkback
2007-10-24 09:50:34 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-24 09:50:30 0 d-------- C:\Documents and Settings\myself\Application Data\Mozilla
2007-10-24 09:48:10 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-24 09:38:52 0 d-------- C:\Program Files\mIRC
2007-10-24 09:38:12 0 d-------- C:\Program Files\Yahoo!
2007-10-24 09:37:08 0 d-------- C:\Program Files\MSN Messenger
2007-10-24 09:35:16 0 d-------- C:\Documents and Settings\myself\Application Data\ICQ
2007-10-24 09:34:58 0 d-------- C:\Program Files\ICQ6
2007-10-24 09:34:30 0 d-------- C:\Documents and Settings\myself\Application Data\InstallShield
2007-10-24 09:33:30 0 d-------- C:\Program Files\Common Files\Java
2007-10-23 01:38:26 0 d-------- C:\Documents and Settings\myself\Application Data\Macromedia
2007-10-23 01:13:44 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>
2007-10-23 01:13:44 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2007-10-22 09:22:10 0 d-------- C:\Program Files\QuickTime
2007-10-22 09:20:58 0 d-------- C:\Program Files\Common Files\xing shared
2007-10-22 09:20:48 0 d-------- C:\Program Files\Real
2007-10-22 09:20:48 0 d-------- C:\Program Files\Common Files\Real
2007-10-22 09:20:38 0 d-------- C:\Documents and Settings\myself\Application Data\Real
2007-10-22 09:19:12 0 d-------- C:\Documents and Settings\myself\Application Data\Skype
2007-10-22 09:19:08 0 d-------- C:\Program Files\Google
2007-10-22 09:19:04 0 d-------- C:\Program Files\Skype
2007-10-22 09:19:02 0 d-------- C:\Program Files\Common Files\Skype
2007-10-22 09:18:08 0 d-------- C:\Program Files\Lavasoft
2007-10-22 09:17:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 09:16:06 0 d-------- C:\Program Files\Alwil Software
2007-10-22 08:04:02 0 d-------- C:\Program Files\WIDCOMM
2007-10-22 08:03:24 0 d-------- C:\Program Files\ATI Technologies
2007-10-21 18:39:50 0 d-------- C:\Documents and Settings\myself\Application Data\Google

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"SoundMan"="SOUNDMAN.EXE" [02/09/2004 04:54 PM C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [11/19/2003 03:41 PM C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/12/2004 12:15 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/12/2004 12:14 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/02/2003 02:37 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/02/2003 02:19 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ShowIcon_Chander_CRW Series Driver v1.17r019"="C:\Program Files\CRW\shwicon.exe" [01/09/2003 12:05 AM]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [03/25/2004 06:41 PM]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE" [04/05/2004 09:46 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/22/2004 09:10 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:32 PM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [03/31/2003 12:00 PM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/23/2007 07:58 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"kava"="C:\WINDOWS\system32\kavo.exe" [11/27/2007 01:15 PM]

C:\Documents and Settings\myself\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [8/14/2003 1:28:28 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\ntdelect.com
explore\Command- C:\ntdelect.com
open\Command- C:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\ntdelect.com
explore\Command- E:\ntdelect.com
open\Command- E:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44aec12e-803c-11dc-ac38-000b6b581de1}]
AutoRun\command- E:\ntdelect.com
explore\Command- E:\ntdelect.com
open\Command- E:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}]
AutoRun\command- F:\ntdelect.com
explore\Command- F:\ntdelect.com
open\Command- F:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}]
AutoRun\command- F:\ntdelect.com
explore\Command- F:\ntdelect.com
open\Command- F:\ntdelect.com

-- End of Deckard's System Scanner: finished at 2007-11-27 13:25:38 ------------

hi Oldman,

indeed there are 2 log files,

sorry for my inattentiveness in addressing this issue.

thousand apologies if i’m causing u any inconvenience in reading as it was

no longer filed in system metrical order.

thank you for being patient wt my carelessness.

i’m not sure wat is ur time now but since it was quite late at ur place,

i would like to wish u hv a good night n sweet dreams.

thanks
michaelong

Hi

Yes it’s quite late here, should be sleeping by now.

You may want to look at this. The operating system isn't mentioned, but have a look. If you try it and have some success, please post back with a new DSS log and I will have a look to see how well it worked.

http://forum.avast.com/index.php?topic=31671.msg264502#msg264502

If not I will work on a fix as soon as I can.

hi Oldman,

no intention of disturbing u fr getting a good rest,

knowing that u hv been quite exhausting urself over this virus issue.

juz to let u know that the link is dead.

but i’m not giving up yet,

i’ll try to keep in touch wt the provider of the link as well as other user who manage to access the site.

hv a good rest

good night
michaelong

hi Oldman, i’m submitting my DSS n HJT log file for your verification after downloading from the link provided by 63099703

n the virus no longer runs during start up.

my DSS now scans without error n completed in secs. ;D

HJT also runs smoothly.

pls verify if it’s safe for other users wt similar virus to use the kavo 1.bat n 2.bat file to rectify the virus problem.

thanks Oldman for all the trouble that i've given u for the past few days.

regards
michaelong

Deckard's System Scanner v20071014.68
Run by myself on 2007-11-27 22:50:21
Computer is in Normal Mode.

System Drive C: has 3.7 GiB (less than 15%) free.

-- HijackThis (run as myself.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:23 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\myself\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\myself.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193064255312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


End of file - 7989 bytes

-- Files created between 2007-10-27 and 2007-11-27 -----------------------------

2007-11-27 21:31:16 0 d-------- C:\EFix
2007-11-27 20:47:31 92672 -----n--- C:\WINDOWS\system32\kavo0.dll
2007-11-27 09:12:34 0 d-------- C:\Program Files\Trend Micro
2007-11-27 07:36:59 0 d-------- C:\My Downloads
2007-11-27 07:36:57 0 d-------- C:\Program Files\BearFlix
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-26 09:15:36 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-26 09:15:36 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-26 09:15:36 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-11-26 09:15:36 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-11-26 09:15:36 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-11-26 09:15:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-26 09:15:35 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-26 09:15:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-19 19:26:12 0 d-------- C:\Program Files\WM Converter
2007-11-16 19:01:40 0 d-------- C:\Program Files\ms 10
2007-11-16 05:13:13 0 d-------- C:\Program Files\m
2007-11-12 01:16:51 0 d-------- C:\Program Files\FlashGet
2007-11-10 09:27:49 0 d-------- C:\Program Files\Common Files\DirectX
2007-11-10 09:24:30 0 d-------- C:\Program Files\Paris-Dakar Rally
2007-11-08 08:14:13 0 d-------- C:\Program Files\Xider
2007-11-03 00:27:39 0 d-------- C:\Program Files\Apple Software Update
2007-11-03 00:27:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-02 03:15:45 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-11-02 03:15:45 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-11-01 02:25:16 0 d-------- C:\Program Files\Global Star Software
2007-10-31 08:50:14 0 d-------- C:\Documents and Settings\myself\Application Data\SEGA
2007-10-31 07:39:08 0 d-------- C:\TODC
2007-10-31 07:32:38 0 d-------- C:\ËÀÍö¹íÎÝ
2007-10-31 07:25:31 0 d-------- C:\HOD3
2007-10-28 17:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-10-28 17:05:53 0 d-------- C:\Documents and Settings\myself\Application Data\EA
2007-10-28 17:05:45 0 d-------- C:\Documents and Settings\All Users\Application Data\EA
2007-10-28 16:57:11 0 d-------- C:\Program Files\BFG
2007-10-28 01:43:18 0 dr------- C:\Program Files\nepal_everest
2007-10-28 01:26:52 0 dr------- C:\Program Files\mike holidays
2007-10-28 01:15:31 0 d-------- C:\notes 20_10
2007-10-28 00:26:03 0 dr------- C:\Program Files\wmv
2007-10-28 00:02:05 0 d-------- C:\Program Files\video hp
2007-10-27 23:46:11 0 d-------- C:\Program Files\video

-- Find3M Report ---------------------------------------------------------------

2007-11-25 10:25:50 46 --a------ C:\WINDOWS\popcinfo.dat
2007-10-25 13:03:44 4096 --a------ C:\WINDOWS\d3dx.dat
2007-10-25 09:06:02 0 dr------- C:\Program Files\ad onli
2007-10-25 08:54:28 0 d-------- C:\Program Files\PopCap Games
2007-10-25 08:44:24 0 d-------- C:\Program Files\reflexive games
2007-10-25 08:36:26 0 d-------- C:\Program Files\GameHouse
2007-10-24 19:32:40 0 d-------- C:\Documents and Settings\myself\Application Data\Apple Computer
2007-10-24 18:24:22 0 dr------- C:\Program Files\scenery
2007-10-24 18:22:30 0 dr------- C:\Program Files\eqtc edu
2007-10-24 18:12:58 0 d-------- C:\Program Files\ReflexiveArcade
2007-10-24 17:53:22 0 dr------- C:\Program Files\songs
2007-10-24 09:50:44 0 d-------- C:\Documents and Settings\myself\Application Data\Talkback
2007-10-24 09:50:34 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-24 09:50:30 0 d-------- C:\Documents and Settings\myself\Application Data\Mozilla
2007-10-24 09:48:10 0 d-------- C:\Program Files\Windows Media Connect 2
2007-10-24 09:38:52 0 d-------- C:\Program Files\mIRC
2007-10-24 09:38:12 0 d-------- C:\Program Files\Yahoo!
2007-10-24 09:37:08 0 d-------- C:\Program Files\MSN Messenger
2007-10-24 09:35:16 0 d-------- C:\Documents and Settings\myself\Application Data\ICQ
2007-10-24 09:34:58 0 d-------- C:\Program Files\ICQ6
2007-10-24 09:34:30 0 d-------- C:\Documents and Settings\myself\Application Data\InstallShield
2007-10-24 09:33:30 0 d-------- C:\Program Files\Common Files\Java
2007-10-23 01:38:26 0 d-------- C:\Documents and Settings\myself\Application Data\Macromedia
2007-10-23 01:13:44 278528 --a------ C:\WINDOWS\system32\livesnth.dll <Not Verified; LiveUpdate; LiveSynth>
2007-10-23 01:13:44 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2007-10-22 09:22:10 0 d-------- C:\Program Files\QuickTime
2007-10-22 09:20:58 0 d-------- C:\Program Files\Common Files\xing shared
2007-10-22 09:20:48 0 d-------- C:\Program Files\Real
2007-10-22 09:20:48 0 d-------- C:\Program Files\Common Files\Real
2007-10-22 09:20:38 0 d-------- C:\Documents and Settings\myself\Application Data\Real
2007-10-22 09:19:12 0 d-------- C:\Documents and Settings\myself\Application Data\Skype
2007-10-22 09:19:08 0 d-------- C:\Program Files\Google
2007-10-22 09:19:04 0 d-------- C:\Program Files\Skype
2007-10-22 09:19:02 0 d-------- C:\Program Files\Common Files\Skype
2007-10-22 09:18:08 0 d-------- C:\Program Files\Lavasoft
2007-10-22 09:17:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 09:16:06 0 d-------- C:\Program Files\Alwil Software
2007-10-22 08:04:02 0 d-------- C:\Program Files\WIDCOMM
2007-10-22 08:03:24 0 d-------- C:\Program Files\ATI Technologies
2007-10-21 18:39:50 0 d-------- C:\Documents and Settings\myself\Application Data\Google

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch"
"SoundMan"="SOUNDMAN.EXE" [02/09/2004 04:54 PM C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [11/19/2003 03:41 PM C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/12/2004 12:15 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/12/2004 12:14 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [10/02/2003 02:37 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [10/02/2003 02:19 PM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ShowIcon_Chander_CRW Series Driver v1.17r019"="C:\Program Files\CRW\shwicon.exe" [01/09/2003 12:05 AM]
"PCMService"="C:\Program Files\Aspire Arcade\PCMService.exe" [03/25/2004 06:41 PM]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE" [04/05/2004 09:46 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/22/2004 09:10 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:32 PM]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [03/31/2003 12:00 PM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [03/31/2003 12:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [10/23/2007 07:58 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\myself\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [8/14/2003 1:28:28 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\ntdelect.com
explore\Command- E:\ntdelect.com
open\Command- E:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44aec12e-803c-11dc-ac38-000b6b581de1}]
AutoRun\command- E:\ntdelect.com
explore\Command- E:\ntdelect.com
open\Command- E:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d8963b4-9976-11dc-aee9-000b6b581de1}]
AutoRun\command- F:\ntdelect.com
explore\Command- F:\ntdelect.com
open\Command- F:\ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7fbc6c60-9713-11dc-aedf-806d6172696f}]
AutoRun\command- ntdelect.com
explore\Command- ntdelect.com
open\Command- ntdelect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b925cbac-8af4-11dc-ac5e-000b6b581de1}]
AutoRun\command- F:\ntdelect.com
explore\Command- F:\ntdelect.com
open\Command- F:\ntdelect.com

-- End of Deckard's System Scanner: finished at 2007-11-27 22:50:49 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:16 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CRW\shwicon.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [LaunchApp] Alaunch
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLFL32.EXE
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193064255312
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


End of file - 7920 bytes

* Trend Micro HijackThis v2.0.2 *

See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking ‘Info on selected item’.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO’s
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of ‘Internet Options’ Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra ‘Tools’ menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE ‘Advanced’ settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Enumeration of ActiveX Desktop Components

Command-line parameters:

  • /autolog - automatically scan the system, save a logfile and open it

  • /ihatewhitelists - ignore all internal whitelists

  • /uninstall - remove all HijackThis Registry entries, backups and quit

  • /silentautolog - the same as /autolog, except with no required user intervention

* Version history *

[v2.00.0]

  • AnalyzeThis added for log file statistics
  • Recognizes Windows Vista and IE7
  • Fixed a few bugs in the O23 method
  • Fixed a bug in the O22 method (SharedTaskScheduler)
  • Did a few tweaks on the log format
  • Fixed and improved ADS Spy
  • Improved Itty Bitty Procman (processes are frozen before they are killed)
  • Added listing of O4 autoruns from other users
  • Added listing of the Policies Run items in O4 method, used by SmitFraud trojan
  • Added /silentautolog parameter for system admins
  • Added /deleteonreboot [file] parameter for system admins
  • Added O24 - ActiveX Desktop Components enumeration
  • Added Enhanced Security Configuration (ESC) Zones to O15 Trusted Sites check

[v1.99.1]

  • Added Winlogon Notify keys to O20 listing
  • Fixed crashing bug on certain Win2000 and WinXP systems at O23 listing
  • Fixed lots and lots of ‘unexpected error’ bugs
  • Fixed lots of improper functioning bugs (i.e. stuff that didn’t work)
  • Added ‘Delete NT Service’ function in Misc Tools section
  • Added ProtocolDefaults to O15 listing
  • Fixed MD5 hashing not working
  • Fixed ‘ISTSVC’ autorun entries with garbage data not being fixed
  • Fixed HijackThis uninstall entry not being updated/created on new versions
  • Added Uninstall Manager in Misc Tools to manage ‘Add/Remove Software’ list
  • Added option to scan the system at startup, then show results or quit if nothing found

[v1.99]

  • Added O23 (NT Services) in light of newer trojans
  • Integrated ADS Spy into Misc Tools section
  • Added ‘Action taken’ to info in ‘More info on this item’

[v1.98]

  • Definitive support for Japanese/Chinese/Korean systems
  • Added O20 (AppInit_DLLs) in light of newer trojans
  • Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
  • Added O22 (SharedTaskScheduler) in light of newer trojans
  • Backups of fixed items are now saved in separate folder
  • HijackThis now checks if it was started from a temp folder
  • Added a small process manager (Misc Tools section)

[v1.96]

  • Lots of bugfixes and small enhancements! Among others:
  • Fix for Japanese IE toolbars
  • Fix for searchwww.com fake CLSID trick in IE toolbars and BHO’s
  • Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
  • Added several files to the LSP whitelist
  • Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
  • All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list

[v1.95]

  • Added a new regval to check for from Whazit hijack (Start Page_bak).
  • Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
  • New in logfile: Running processes at time of scan.
  • Checkmarks for running StartupList with /full and /complete in HijackThis UI.
  • New O19 method to check for Datanotary hijack of user stylesheet.
  • Google.com IP added to whitelist for Hosts file check.

[v1.94]

  • Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
  • Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
  • Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
  • Fixed a bug where DPF could not be deleted.
  • Fixed a stupid bug in enumeration of autostarting shortcuts.
  • Fixed info on Netscape 6/7 and Mozilla saying ‘%shitbrowser%’ (oops).
  • Fixed bug where logfile would not auto-open on systems that don’t have .log filetype registered.
  • Added support for backing up F0 and F1 items (d’oh!).

[v1.93]

  • Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
  • Fixed a bug in LSP routine for Win95.
  • Made taborder nicer.
  • Fixed a bug in backup/restore of IE plugins.
  • Added UltimateSearch hijack in O17 method (I think).
  • Fixed a bug with detecting/removing BHO’s disabled by BHODemon.
  • Also fixed a bug in StartupList (now version 1.52.1).

[v1.92]

  • Fixed two stupid bugs in backup restore function.
  • Added DiamondCS file to LSP files safelist.
  • Added a few more items to the protocol safelist.
  • Log is now opened immediately after saving.
  • Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
  • Updated integrated StartupList to v1.52.
  • In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
  • Rudimentary proxy support for the Check for Updates function.

[v1.91]

  • Added rd.yahoo.com to the Nonstandard But Safe Domains list.
  • Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
  • Added listing of programs/links in Startup folders (O4).
  • Fixed ‘Check for Update’ not detecting new versions.

[v1.9]

  • Added check for Lop.com ‘Domain’ hijack (O17).
  • Bugfix in URLSearchHook (R3) fix.
  • Improved O1 (Hosts file) check.
  • Rewrote code to delete BHO’s, fixing a really nasty bug with orphaned BHO keys.
  • Added AutoConfigURL and proxyserver checks (R1).
  • IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
  • Added check for extra protocols (O18).

[v1.81]

  • Added ‘ignore non-standard but safe domains’ option.
  • Improved Winsock LSP hijackers detection.
  • Integrated StartupList updated to v1.4.

[v1.8]

  • Fixed a few bugs.
  • Adds detecting of free.aol.com in Trusted Zone.
  • Adds checking of URLSearchHooks key, which should have only one value.
  • Adds listing/deleting of Download Program Files.
  • Integrated StartupList into the new ‘Misc Tools’ section of the Config screen!

[v1.71]

  • Improves detecting of O6.
  • Some internal changes/improvements.

[v1.7]

  • Adds backup function! Yay!
  • Added check for default URL prefix
  • Added check for changing of IERESET.INF
  • Added check for changing of Netscape/Mozilla homepage and default search engine.

[v1.61]

  • Fixes Runtime Error when Hosts file is empty.

[v1.6]

  • Added enumerating of MSIE plugins
  • Added check for extra options in ‘Advanced’ tab of ‘Internet Options’.

[v1.5]

  • Adds ‘Uninstall & Exit’ and ‘Check for update online’ functions.
  • Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)

[v1.4]

  • Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
  • A few bugfixes/enhancements

[v1.3]

  • Adds detecting of extra MSIE context menu items
  • Added detecting of extra ‘Tools’ menu items and extra buttons
  • Added ‘Confirm deleting/ignoring items’ checkbox

[v1.2]

  • Adds ‘Ignorelist’ and ‘Info’ functions

[v1.1]

  • Supports BHO’s, some default URL changes

[v1.0]

  • Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.