OLD MAN...help~ autorun.inf trojan problem..failure to remove

I searched the web for how to remove this autorun.inf trojan
and I found a person facing the same problem as me.
The steps you taught were: download “superantispyware”,
then if the problem still … download HJTsetup.exe

I have already been using superantispy… but it seems like the virus is still there, because I can’t view my hidden files yet… every time I enable “show hidden files and folders” it doesn’t work at all!

Following up on what you taught… I downloaded hjtsetup… then
clicked on the “Do a system scan and save a logfile” button and selected all the detail in Notepad… and stopped here.

After selecting all the detail in Notepad… what should I do next?

Hi welcome to the forum. Please post the log here in your next reply.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:56 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc.support.global.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [LaunchApp] launchapp
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [Toshiba Hotkey Utility] “C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang en
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘Default user’)
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ??? - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\haofang\GameClient.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {FDD6CEF8-3C6E-42E0-BC7B-D730085CFABC} (Jaxtr Outlook Importer) - http://www.jaxtr.com/user/activex/JaxtrOutlookImporter.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


End of file - 7147 bytes

oldman~ will it take a long time to solve?
Because I’m rushing for the assignment :cry:
and this virus is really annoying me…!

post here the content of autorun.inf file… it should be plain ASCII…

The autorun.inf file is hidden…
and my problem is that I can’t “show the hidden files and folders”
:'(
It really pisses me off… because some of the things I use for my assignment are hidden.
Please help :'(
And thanks a lot for wasting time on this.

Do you know the location of your mal autorun.inf? You can “unhide” it through cmdline, if it really is hidden by its attribute…

Windows Explorer, Tools, Folder Options, View, scroll down to Hidden Files and Folders and check ‘Show hidden files and folders,’ uncheck ‘Don’t show hidden files and system files’; there are some other options, see image.

You don’t appear to have an active firewall, what is your firewall?

FIX in HJT
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Suspect - Did you install a U3 device ?
O4 - HKLM..\Run: [LaunchApp] launchapp - This is likely to be what would normally be installed for a U3 pen drive to launch applications when you plug it in.

Unknown - what do you know about these, did you install them?
O9 - Extra button: HuhHuh - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\haofang\GameClient.exe

O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab

O16 - DPF: {FDD6CEF8-3C6E-42E0-BC7B-D730085CFABC} (Jaxtr Outlook Importer) - http://www.jaxtr.com/user/activex/JaxtrOutlookImporter.CAB

Your JAVA version is well out of date and could pose a security threat.
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.

Then get the latest update from here http://www.java.com/en/download/index.jsp
Or JRE version 6 update 3 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html
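The checks applied to the log in the reply above (orphaned entries marked `(no file)` or `(file missing)`, Run entries with no full path such as `launchapp`, and ActiveX download hosts nobody has vouched for), as an added Python example that is not part of the original thread or of HijackThis. The reason labels and the `known_hosts` parameter are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [LaunchApp] launchapp
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: ??? - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\haofang\GameClient.exe (file missing)
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # label chosen for this example, not a HijackThis term
    line: str      # the log line that triggered the finding


# "<section> - <rest of entry>", e.g. "O4 - HKLM..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Registry Run entries only; "Global Startup" shortcuts do not match.
RUN_RE = re.compile(r"^\S+\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Command starts with a drive-letter path, optionally quoted.
ABS_PATH_RE = re.compile(r'^[“"]?[A-Za-z]:\\')
# Download URL at the end of an O16 (Downloaded Program Files) entry.
DPF_URL_RE = re.compile(r" - (?P<url>https?://(?P<host>[^/\s]+)\S*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def triage(log_text, known_hosts=frozenset()):
    """Return entries a reviewer should ask about; a finding means
    "verify this", not "this is malware"."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header, running-process list or blank line
        section, body = entry["section"], entry["body"]

        # Registry entry whose target file is gone: a leftover to fix.
        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned", line))
            continue

        if section == "O4":
            run = RUN_RE.match(body)
            # No drive-letter path: Windows resolves the name through the
            # search path, so the log alone does not say which file runs.
            if run and not ABS_PATH_RE.match(run["cmd"]):
                findings.append(Finding(section, "no-full-path", line))
        elif section == "O16":
            dpf = DPF_URL_RE.search(body)
            if dpf and dpf["host"].lower() not in known_hosts:
                findings.append(
                    Finding(section, "unreviewed-download-host", line))
    return findings


if __name__ == "__main__":
    # known_hosts is whatever the reviewer has already vouched for.
    for f in triage(SAMPLE_LOG, known_hosts={"messenger.zone.msn.com"}):
        print(f"{f.reason:26} {f.line}")
```
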

1) I tried to set it to “show hidden files and folders”… but even when I click OK or Apply
it seems to do nothing, because when I open Folder Options again… it has already automatically set itself back to “don’t show hidden files and folders”

My Folder Options doesn’t have this: ‘Don’t show hidden files and system files’

2) I am only using the Windows firewall which is provided by Windows XP

3) U3 device? I don’t really get the meaning… I do plug in my pen drive and external hard disk; both of them are also infected with the virus :cry:

4) About the applications you mentioned, I just uninstalled them… just now

5) Is it necessary to update my J2SE runtime environment?

Thanks for your patience

I can’t say for sure how long it would take. But let’s try to see what is going on.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU T1350 @ 1.86GHz
Percentage of Memory in Use: 69%
Physical Memory (total/avail): 502.05 MiB / 155.26 MiB
Pagefile Memory (total/avail): 870.02 MiB / 445.85 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.95 MiB

C: is Fixed (NTFS) - 80.01 GiB total, 69.25 GiB free.
D: is Fixed (NTFS) - 13.15 GiB total, 0.9 GiB free.
E: is CDROM (No Media)
F: is Removable (FAT32)
H: is CDROM (CDFS)
I: is Fixed (NTFS) - 22.6 GiB total, 2.05 GiB free.
J: is Fixed (NTFS) - 14.65 GiB total, 2.52 GiB free.

\.\PHYSICALDRIVE0 - TOSHIBA MK1032GSX - 93.16 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 80.01 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 13.15 GiB - D:

\.\PHYSICALDRIVE2 - TOSHIBA USB MEM USB Device - 1953.22 MiB - 1 partition
\PARTITION0 - Unknown - 1960.98 MiB - F:

\.\PHYSICALDRIVE1 - IC25N040 ATCS04-0 USB Device - 37.26 GiB - 2 partitions
\PARTITION0 - Installable File System - 22.6 GiB - I:
\PARTITION1 - Extended w/Extended Int 13 - 14.65 GiB - J:

– Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1043 [VPS 071118-1] v4.7.1043 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Documents and Settings\All Users\Start Menu\Programs\Games\W3\Warcraft III.exe"="C:\Documents and Settings\All Users\Start Menu\Programs\Games\W3\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\angela\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\angela
LOGONSERVER=\ANN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Program Files\Microsoft SQL Server\90\Tools\binn
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\angela\LOCALS~1\Temp
TMP=C:\DOCUME~1\angela\LOCALS~1\Temp
USERDOMAIN=ANN
USERNAME=angela
USERPROFILE=C:\Documents and Settings\angela
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

angela
Administrator (new local, admin)

– Add/Remove Programs ---------------------------------------------------------

→ C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
??? 4.6.9(???) → “C:\Program Files\TTPlayer\uninst.exe”
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe” -l0x9
Adobe Reader 7.0.5 → MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CD/DVD Drive Acoustic Silencer → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe” -l0x9
Conexant HD Audio → C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -IBD1HDAa.inf
DVD-RAM Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe” -l0x9 DVD-RAM Driver
eMule VeryCD°æ → C:\Program Files\eMule\uninstall.exe
Eye 310 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{57383270-6F61-4DC8-A9B8-C1745FC29F38}\Setup.exe” -l0x9
FastStone Image Viewer 3.1 → C:\Program Files\FastStone Image Viewer\uninst.exe
Hamachi 1.0.2.3 → C:\Program Files\Hamachi\uninstall.exe
HDAUDIO Soft Data Fax Modem with SmartCP → C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5047&SUBSYS_1179FF31\HXFSETUP.EXE -U -IBD1HDAm.inf
High Definition Audio Driver Package - KB888111 → “C:\WINDOWS$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe”
HijackThis 2.0.2 → “C:\Program Files\Trend Micro\HijackThis\HijackThis.exe” /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) → “C:\WINDOWS$NtUninstallKB929399$\spuninst\spuninst.exe”
Intel(R) Graphics Media Accelerator Driver → RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PROSet/Wireless Software → C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD Creator 2 → “C:\Program Files\InstallShield Installation Information{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe” REMOVEALL
InterVideo WinDVD for TOSHIBA → “C:\Program Files\InstallShield Installation Information{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe” REMOVEALL
K-Lite Mega Codec Pack 1.45 → “C:\Program Files\K-Lite Codec Pack\unins000.exe”
Macromedia Flash MX 2004 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe” -l0x9 UNINSTALL
Maxthon2 Browser (remove only) → C:\Program Files\Maxthon2\MaxthonUINST.exe
mCore → MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi → MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHelp → MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP → “C:\WINDOWS$NtUninstallMSCompPackV1$\spuninst\spuninst.exe”
Microsoft Device Emulator version 1.0 - ENU → MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 → C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 → MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office Professional Edition 2003 → MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 → “c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe” /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) → MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools → MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition → MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Native Client → MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English) → MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer → MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft User-Mode Driver Framework Feature Pack 1.0 → “C:\WINDOWS$NtUninstallWudf01000$\spuninst\spuninst.exe”
Microsoft Visual J# 2.0 Redistributable Package → C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU → C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
mIWA → MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView → MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse → MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr → MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz → MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe → MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 6.0 Parser (KB933579) → MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe → MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML → MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig → MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Overture 4.0 ??? → MsiExec.exe /I{5ECF5FF9-6427-4062-907B-A6E7BC95503A}
REALTEK Gigabit and Fast Ethernet NIC Driver → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe” -l0x9 REMOVE
Security Update for Step By Step Interactive Training (KB898458) →
Security Update for Step By Step Interactive Training (KB923723) → “C:\WINDOWS$NtUninstallKB923723$\spuninst\spuninst.exe”
Synaptics Pointing Device Driver → rundll32.exe “C:\Program Files\Synaptics\SynTP\SynISDLL.dll”,standAloneUninstall
TOSHIBA Assist → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe” -l0x9
TOSHIBA ConfigFree → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe” -l0x9 UNINSTALL
Toshiba Hotkey Utility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B1F9CB1-349A-43F5-A742-6215C2E2DB6F} /l1033
TOSHIBA PC Diagnostic Tool → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\Power Saver\Uninst.isu" -c"C:\WINDOWS\system32\TPSDel.dll"
TOSHIBA Speech System Applications → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe” -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe” -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe” -l0x9
Toshiba Touchpad Utility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA} /l1033
Toshiba Utility → C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{099D12EC-0321-4CAC-A0CC-33D020156FCD} /l1033
TOSHIBA Zooming Utility → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{64212898-097F-4F3F-AECA-6D34A7EF82DF}\setup.exe”
Touch and Launch → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe”
Windows Live Messenger → MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime → “C:\WINDOWS$NtUninstallWMFDist11$\spuninst\spuninst.exe”
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe

– Application Event Log -------------------------------------------------------

Event Record #/Type10591 / Success
Event Submitted/Written: 11/19/2007 01:08:45 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type10587 / Warning
Event Submitted/Written: 11/19/2007 00:56:11 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type10586 / Warning
Event Submitted/Written: 11/19/2007 00:56:11 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product ‘{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}’, feature ‘Complete’ failed during request for component ‘{A6C8A50F-4808-43A4-A147-ACAA2598DE52}’

Event Record #/Type10585 / Warning
Event Submitted/Written: 11/19/2007 00:56:11 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product ‘{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}’, feature ‘Complete’, component ‘{B2B6EDF3-22B8-47B3-8358-4D1976F0949D}’ failed. The resource 'C:\Program Files\SUPERAntiSpyware\Quarantine' does not exist.

Event Record #/Type10576 / Success
Event Submitted/Written: 11/19/2007 00:14:45 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type9734 / Error
Event Submitted/Written: 11/19/2007 03:16:24 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type9731 / Error
Event Submitted/Written: 11/19/2007 03:16:24 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type9728 / Error
Event Submitted/Written: 11/19/2007 03:16:23 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type9725 / Error
Event Submitted/Written: 11/19/2007 03:16:23 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126

Event Record #/Type9722 / Error
Event Submitted/Written: 11/19/2007 03:16:23 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%126
– End of Deckard’s System Scanner: finished at 2007-11-19 03:22:15 ------------

The above reply is the main part***

Oops! Sorry, the above reply is the extra part.

Deckard’s System Scanner v20071014.68
Run by angela on 2007-11-19 03:17:35
Computer is in Normal Mode.

– System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

– Last 1 Restore Point(s) –
1: 2007-11-18 19:17:38 UTC - RP141 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).

– HijackThis (run as angela.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:37 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
J:\software\software\anti-virus\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\angela.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pc.support.global.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc.support.global.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [LaunchApp] launchapp
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [Toshiba Hotkey Utility] “C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang en
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKUS\S-1-5-18..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘Default user’)
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ??? - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\haofang\GameClient.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {FDD6CEF8-3C6E-42E0-BC7B-D730085CFABC} (Jaxtr Outlook Importer) - http://www.jaxtr.com/user/activex/JaxtrOutlookImporter.CAB
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


End of file - 6717 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.9.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.9.0>
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>
R3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>
R3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys

S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 sgdcrtaiuhncd - c:\windows\system32\wincab.sys
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&192AC53F&0&00E0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&192AC53F&0&00E0
Service: w39n51

-- Scheduled Tasks -------------------------------------------------------------

2007-11-14 22:51:11 272 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-11-14 22:51:09 394 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job

-- Files created between 2007-10-19 and 2007-11-19 -----------------------------

2007-11-19 00:56:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-19 00:52:53 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-19 00:52:53 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-19 00:52:53 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-19 00:52:53 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-19 00:52:53 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-19 00:52:53 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-19 00:52:53 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-19 00:52:53 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-19 00:52:53 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-19 00:52:53 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-19 00:52:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-11-19 00:52:53 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-19 00:52:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-11-19 00:52:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-19 00:52:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-19 00:52:52 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-19 00:52:52 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-19 00:52:52 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-19 00:52:51 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-19 00:19:46 0 d-------- C:\Program Files\Trend Micro
2007-11-18 22:03:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-18 21:50:03 21907 --a------ C:\WINDOWS\system32\wincab.sys
2007-11-18 21:44:00 97138 -r-hs---- C:\ntde1ect.com
2007-11-18 21:43:32 31120 -r-hs---- C:\WINDOWS\system32\avpo0.dll
2007-11-14 22:51:13 0 d-------- C:\Documents and Settings\angela\Application Data\Uniblue
2007-11-11 16:07:06 5242880 --a------ C:\Documents and Settings\angela\ntuser.dat
2007-11-03 03:29:02 0 d--h----- C:\WINDOWS\PIF
2007-10-28 19:02:00 0 d--hs---- C:\WINDOWS\ftpcache
2007-10-28 19:01:36 0 d-------- C:\Documents and Settings\angela\Application Data\U3

-- Find3M Report ---------------------------------------------------------------

2007-11-19 03:16:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 03:31:10 0 d-------- C:\Program Files\Warcraft III
2007-11-18 03:20:50 0 d-------- C:\Documents and Settings\angela\Application Data\Hamachi
2007-11-15 01:36:52 0 d-------- C:\Program Files\eMule
2007-11-09 17:23:51 0 d-------- C:\Documents and Settings\angela\Application Data\Adobe
2007-10-28 11:59:36 0 d-------- C:\Program Files\Online Services
2007-10-28 11:58:09 0 d-------- C:\Program Files\Common Files
2007-10-26 11:07:07 0 d-------- C:\Documents and Settings\angela\Application Data\ppstream
2007-10-25 02:53:31 0 d-------- C:\Program Files\MSN Messenger
2007-10-21 23:32:20 0 d-------- C:\Documents and Settings\angela\Application Data\AdobeUM
2007-10-09 18:31:41 0 d-------- C:\Program Files\Maxthon2
2007-10-08 22:50:42 19 --a------ C:\WINDOWS\popcinfo.dat
2007-09-29 01:16:28 0 d-------- C:\Documents and Settings\angela\Application Data\Sun

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="launchapp"
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/28/2005 10:55 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/28/2005 10:52 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/28/2005 10:55 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/17/2005 01:32 AM]
"NDSTray.exe"="NDSTray.exe"
"Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [01/28/2006 06:13 AM]
"TPSMain"="TPSMain.exe" [06/01/2005 01:00 PM C:\WINDOWS\system32\TPSMain.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [12/05/2005 12:37 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [11/28/2005 11:41 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 01:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 01:00 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [09/06/2007 06:06 PM]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [06/10/2004 01:48 PM]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/27/2005 08:13 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 12:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2/7/2006 5:33:52 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)
"Spooler"=2 (0x2)
"O&O Defrag"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"helpsvc"=2 (0x2)
"avast! Mail Scanner"=3 (0x3)
"StarWindService"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0366f18e-2d45-11dc-9c34-0019d286ed86}]
Auto\command- I:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3298cd0a-850a-11dc-9cb5-00163696e195}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3298cd0b-850a-11dc-9cb5-00163696e195}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3338c07d-337a-11dc-9c40-0019d286ed86}]
AutoRun\command- G:\ntde1ect.com
explore\Command- G:\ntde1ect.com
open\Command- G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a079145-4bb8-11dc-9c75-0019d286ed86}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c8171e8-40d1-11dc-9c5d-00116712dd0b}]
Auto\command- F:\auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c8171e9-40d1-11dc-9c5d-00116712dd0b}]
Auto\command- auto.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b97d4e17-23a6-11dc-9c23-0019d286ed86}]
AutoRun\command- H:\oxfordec.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e63a7aec-3a7d-11dc-9c4c-0019d286ed86}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6669414-7b42-11dc-9ca3-00163696e195}]
Auto\command- F:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

-- End of Deckard's System Scanner: finished at 2007-11-19 03:22:15 ------------

thanks for help… :cry:
i will be waiting for ur good news even in dreams…
:-\

It may be that the malware has disabled this ability to stop us getting at the file/s.
That is why I posted the image as the order should be the same even if the language is different.

An active firewall can help by blocking unauthorised outbound Internet connections. This can stop downloaders downloading more malware, which would make getting your system clean harder. Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.

Some USB pen drives are a little more specialised in that they have an application launcher, so when you plug them in they start running some programs (this is different to the autorun.inf). These are called U3 drives, and if you don't know about it, then it is unlikely you have one of this type of pen drive.

If you have an Acer laptop this might well be a legit O4 Run entry, http://www.spywareterminator.com/item/1696/LaunchApp.html.

If you don't use or need them, then no problem, but the suggestion was one to confirm you installed them rather than something else installed them.

It is important to keep the JAVA runtime environment updated; the reason for the updates is often to close exploits. The latest is JRE version 6 update 3 (1.6.0_3).

New plan see below. ;D