Topic: Spysheriff, vista, and a very sad man

HTPConvert
Spysheriff, vista, and a very sad man
« on: April 04, 2008, 05:07:02 AM »
Hi guys,

Sad news, after setting up my new HTPC, it has gotten a virus. Somehow.

It must have come in from a website, but it started with fake warnings (that were made to look like real Vista warnings) that my comp was at risk and I needed to run a virus scan. I cancelled these. Then my Symantec anti-virus went crazy and tried to stop this thing called SpySheriff but couldn't - it couldn't quarantine or delete it.

So I thought I would try to find it and delete it. But I couldn't find it in Explorer (it said it was in a sub folder of temp internet files - but there was no sub folder). So I just deleted the temp internet files hoping that would get it. It didn't.

After this I was locked out of Windows Explorer and Control Panel - apparently a side effect of the virus. Since then I have tried all the ideas people have come up with (programs running in safe mode to find it) that I found by googling SpySheriff...but the prob still exists.

I also tried a system restore to days before it happened. But no luck still.

So I am here asking for assistance or solutions. I am worried that my only course of action is a re-install of Windows - but I don't want to do that if I can help it.

I hope someone can help.

Cheers!

HTPConvert
« Reply #1 on: April 04, 2008, 05:09:10 AM »
p.s.

I looked in registry stuff etc.. nothing. No sign of SpySheriff. The only place it seems to be (according to Symantec) is:

users\Media Centre\AppData\Local\Microsoft\windows\temporary internet files\low\content.IE5\NFI75PO5\webinst[1].cab

guestolo (Administrator)
« Reply #2 on: April 04, 2008, 08:21:30 AM »
Download the HijackThis installer from HERE
For an alternate download location, you can try HERE
SAVE it to your desktop
Double click on HJTInstall.exe to run it
Choose Install

HijackThis v2.0.2 will open

Under Main Menu, select
Do a system scan and save a Log file
A log will open in Notepad
Copy and paste the whole log back here to the forum - it is all important!

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


HTPConvert
« Reply #3 on: April 05, 2008, 04:24:10 AM »
Thanks for the fast reply -

here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:09 PM, on 5/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehshell.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\explorer.exe
C:\Windows\Explorer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\Explorer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A26B9E2-C269-416D-9962-28C332818CEB} - C:\Windows\system32\nnnml.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BM95ef33eb] Rundll32.exe "C:\Windows\system32\payskxgv.dll",s
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKLM\..\RunOnce: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7EEE6F-FA99-4CD3-8EEB-0199DEBFE605}: NameServer = 192.168.0.20
O20 - Winlogon Notify: cupluadx - C:\Windows\SYSTEM32\cupluadx.dll
O20 - Winlogon Notify: ysntnefw - C:\Windows\SYSTEM32\ysntnefw.dll
O20 - Winlogon Notify: __c007C29 - C:\Windows\SYSTEM32\__c007C29.dat
O20 - Winlogon Notify: __c007C920 - C:\Windows\SYSTEM32\__c007C920.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7461 bytes

guestolo (Administrator)
« Reply #4 on: April 05, 2008, 11:05:33 AM »
Can you disable Windows Defender's protections so they won't interfere with this tool, please?
1. Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.
2. Click Tools, and then click Options.
3. Under Administrator options, select or clear the Use Windows Defender check box, and then click Save. Administrator permission required: if you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Please download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Post the log from MBAM

In addition:
Download Deckard's System Scanner (dss.exe) to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

Post back just the whole contents of Main.txt and Extra.txt
« Last Edit: April 05, 2008, 11:39:05 AM by guestolo »



HTPConvert
« Reply #5 on: April 05, 2008, 05:26:00 PM »
Malwarebytes' Anti-Malware 1.10
Database version: 594

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 116576
Time elapsed: 42 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 17
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\cofktlif.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\nnnml.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\ntgnkvrc.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a26b9e2-c269-416d-9962-28c332818ceb} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4a26b9e2-c269-416d-9962-28c332818ceb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007c29 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c007c920 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM95ef33eb (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnml -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nnnml  -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\cofktlif.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\filtkfoc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nnnml.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\lmnnn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\lmnnn.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ntgnkvrc.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\crvkngtn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\muqjbcma.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wvwvw(381).dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wvwvw(391).dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\payskxgv.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\__c007C29.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\__c007C920.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\wvurq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

END

HJT -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:57 AM, on 6/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehShell.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKLM\..\RunOnce: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7EEE6F-FA99-4CD3-8EEB-0199DEBFE605}: NameServer = 192.168.0.20
O20 - Winlogon Notify: cupluadx - C:\Windows\SYSTEM32\cupluadx.dll
O20 - Winlogon Notify: ysntnefw - C:\Windows\SYSTEM32\ysntnefw.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6863 bytes
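As an added triage example (not code from the thread, HijackThis or Malwarebytes): it parses the entry lines from the two HJT logs above, flags the entry patterns that characterise this infection, and lists which flagged entries survived the Malwarebytes run. The thresholds (8-letter random DLL stems, hex-style Run value names, GUID-named BHOs, Winlogon Notify packages in .dat files) are heuristics assumed for this thread, not published signatures.

```python
import re

# Heuristics tuned to the indicators visible in this thread's logs (assumptions,
# not HijackThis or Malwarebytes logic).
RANDOM_STEM = re.compile(r"^[a-z]{8}$")                     # cofktlif, payskxgv, cupluadx
HEX_VALUE_NAME = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8}$")  # BM95ef33eb, 96dc0077
GUID = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")

# Sample lines constructed from the two HJT logs posted above (before and after
# the Malwarebytes run); a header line is included to show that it is skipped.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A26B9E2-C269-416D-9962-28C332818CEB} - C:\Windows\system32\nnnml.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM95ef33eb] Rundll32.exe "C:\Windows\system32\payskxgv.dll",s
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O20 - Winlogon Notify: cupluadx - C:\Windows\SYSTEM32\cupluadx.dll
O20 - Winlogon Notify: ysntnefw - C:\Windows\SYSTEM32\ysntnefw.dll
O20 - Winlogon Notify: __c007C29 - C:\Windows\SYSTEM32\__c007C29.dat
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O20 - Winlogon Notify: cupluadx - C:\Windows\SYSTEM32\cupluadx.dll
O20 - Winlogon Notify: ysntnefw - C:\Windows\SYSTEM32\ysntnefw.dll
"""


def parse_hjt(text):
    """Yield (section, body) for every HJT entry line such as 'O4 - ...'."""
    for line in text.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def file_stem(path):
    """'C:\\Windows\\SYSTEM32\\cupluadx.dll' -> 'cupluadx'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def flag(section, body):
    """Return why an entry looks like Vundo-style persistence, or None."""
    if section == "O2" and body.startswith("BHO: "):
        parts = body[5:].split(" - ", 2)  # name, CLSID, path
        if len(parts) == 3:
            name, _clsid, path = parts
            if name == "(no name)" or GUID.match(name) or path.endswith("(file missing)"):
                return "BHO with no name, a GUID as its name, or a missing file"
            if RANDOM_STEM.match(file_stem(path)):
                return "BHO DLL with a random-looking name"
    elif section == "O4":
        m = re.match(r"^HK[^:]*: \[([^\]]+)\] (.*)$", body)
        if m and "rundll32" in m.group(2).lower():
            value_name, command = m.groups()
            export = command.split(",", 1)[1].strip() if "," in command else ""
            if HEX_VALUE_NAME.match(value_name) or len(export) == 1:
                return "rundll32 autorun with hex-style value name or one-letter export"
    elif section == "O20":
        m = re.match(r"^Winlogon Notify: \S+ - (.*)$", body)
        if m:
            path = m.group(1)
            stem = file_stem(path)
            if stem.startswith("__") or RANDOM_STEM.match(stem) or not path.lower().endswith(".dll"):
                return "Winlogon Notify package with placeholder/random name or non-DLL file"
    return None


def triage(text):
    """Map each suspicious entry line to the reason it was flagged."""
    return {f"{s} - {b}": r for s, b in parse_hjt(text) if (r := flag(s, b))}


def survivors(before_text, after_text):
    """Flagged entries present in both logs, i.e. persistence the cleanup missed."""
    before = triage(before_text)
    return sorted(k for k in triage(after_text) if k in before)
```

Run `survivors(BEFORE_LOG, AFTER_LOG)` to see the entries (the cofktlif.dll autorun, the sggdmjhs.dll BHO and the two Winlogon Notify DLLs) that a helper would look at next.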

HTPConvert
« Reply #6 on: April 05, 2008, 05:31:34 PM »
Deckard's System Scanner v20071014.68
Run by Media Centre on 2008-04-06 08:45:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 3 Restore Point(s) --
3: 2008-04-05 05:26:20 UTC - RP78 - Scheduled Checkpoint
2: 2008-04-04 08:26:40 UTC - RP77 - Scheduled Checkpoint
1: 2008-04-03 08:01:06 UTC - RP76 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Media Centre.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:05 AM, on 6/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Users\Media Centre\Desktop\dss.exe
C:\Windows\system32\DllHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Media Centre.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKLM\..\RunOnce: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7EEE6F-FA99-4CD3-8EEB-0199DEBFE605}: NameServer = 192.168.0.20
O20 - Winlogon Notify: cupluadx - C:\Windows\SYSTEM32\cupluadx.dll
O20 - Winlogon Notify: ysntnefw - C:\Windows\SYSTEM32\ysntnefw.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6765 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EZSERVICE - c:\program files\asus\ezvcr\ezservice.exe

S3 Mea0xxoe -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 08:16:26      1158 --a------ C:\Windows\mozver.dat
2008-04-06 07:36:28         0 d-------- C:\Users\All Users\Malwarebytes
2008-04-06 07:36:27         0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:55:25     83520 -----n--- C:\Windows\system32\cofktlif.dll
2008-04-05 16:49:25     87104 -----n--- C:\Windows\system32\payskxgv.dll
2008-04-05 14:14:04         0 --a------ C:\Windows\nsreg.dat
2008-04-05 08:19:33     90176 --a------ C:\Windows\system32\sggdmjhs.dll
2008-04-04 19:40:00     32320 --a------ C:\Windows\system32\cupluadx.dll
2008-04-04 19:39:57     85056 -----n--- C:\Windows\system32\ntgnkvrc.dll
2008-04-04 19:37:36     88640 --a------ C:\Windows\system32\hjsdmxfn.dll
2008-04-03 18:05:35     32320 --a------ C:\Windows\system32\ysntnefw.dll
2008-04-03 18:01:43     88128 --a------ C:\Windows\system32\iavnpvdy.dll
2008-04-03 17:59:28    265728 -----n--- C:\Windows\system32\nnnml.dll
2008-04-03 16:57:05         0 d-------- C:\Program Files\Trend Micro
2008-04-03 16:48:20         0 d-------- C:\VundoFix Backups
2008-04-03 16:23:30         0 d-------- C:\Users\All Users\Lavasoft
2008-04-03 16:23:30         0 d-------- C:\Program Files\Lavasoft
2008-04-03 15:51:21         0 d-------- C:\Windows\pss
2008-04-02 20:04:45         0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-01 21:19:26       320 --ahs---- C:\Windows\system32\wvwvw.ini2
2008-04-01 14:53:02    180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-04-01 14:53:02    765952 --a------ C:\Windows\system32\xvidcore.dll
2008-04-01 14:53:02         0 d-------- C:\Program Files\Xvid
2008-04-01 14:41:55         0 d-------- C:\Program Files\real
2008-04-01 14:36:21         0 d-------- C:\Program Files\avi.NET
2008-04-01 14:08:53         0 d-------- C:\Program Files\PC User RockPod 08 (Windows)
2008-04-01 13:47:13         0 d-------- C:\Program Files\PC User DVD Plus 2008
2008-03-31 19:12:15         0 d-------- C:\Windows\system32\appmgmt
2008-03-31 19:02:55         0 d-------- C:\ATI
2008-03-31 17:27:09         0 d-------- C:\Users\All Users\Macrovision
2008-03-31 17:27:07         0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-03-30 20:08:44         0 d-------- C:\Program Files\megui
2008-03-30 19:46:26         0 d-------- C:\Users\Media Centre\.mcproencoder
2008-03-30 19:46:03    233472 --a------ C:\Windows\system32\mcmp4dmux.dll <Not Verified; MainConcept AG; MainConcept® MP4 Demuxer>
2008-03-30 16:20:07    408576 --a------ C:\Windows\system32\Smab.dll
2008-03-30 16:20:06     70656 --a------ C:\Windows\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-03-30 16:20:06     70656 --a------ C:\Windows\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-03-30 16:20:06     27648 --a------ C:\Windows\system32\AVSredirect.dll
2008-03-30 16:20:06     66560 --a------ C:\Windows\MOTA113.exe
2008-03-30 16:20:06    217073 --a------ C:\Windows\meta4.exe
2008-03-30 15:36:02         0 d-------- C:\Program Files\MediaCoder
2008-03-30 12:43:07         0 d-------- C:\Program Files\StaxRip
2008-03-30 12:12:31         0 d-------- C:\Program Files\AllToAVI
2008-03-30 10:05:19         0 d-------- C:\Program Files\Haali
2008-03-30 09:12:39         0 d-------- C:\OEMSettings
2008-03-30 09:12:20         0 d-------- C:\Program Files\NETGEAR
2008-03-30 09:11:25         0 d-------- C:\Windows\Downloaded Installations
2008-03-29 13:08:04         0 d-------- C:\Program Files\VideoLAN
2008-03-29 11:17:19         0 d-------- C:\Program Files\Winnydows
2008-03-28 17:53:46         0 d-------- C:\Program Files\Handbrake
2008-03-28 17:17:04         0 d-------- C:\Users\Media Centre\avidemux
2008-03-28 17:16:51         0 d-------- C:\Program Files\Avidemux 2.4
2008-03-27 15:06:49    116736 --a------ C:\Windows\system32\libsndfile-1.dll
2008-03-26 18:13:22         0 d-------- C:\My Documents
2008-03-26 17:52:09         0 d-------- C:\Program Files\Witcobber
2008-03-26 16:17:21         0 d-------- C:\Program Files\Common Files\ArcSoft
2008-03-26 16:17:20         0 d-------- C:\Program Files\SanDisk
2008-03-24 12:43:11         0 d-------- C:\Users\All Users\Apple Computer
2008-03-24 12:43:11         0 d-------- C:\Program Files\QuickTime
2008-03-24 12:42:53         0 d-------- C:\Users\All Users\Apple
2008-03-24 12:42:53         0 d-------- C:\Program Files\Apple Software Update
2008-03-24 11:49:28         0 d-------- C:\Program Files\DVDFab HD Decrypter 4
2008-03-23 18:02:32         0 d-------- C:\Program Files\SpeedFan
2008-03-22 13:22:30         0 d-------- C:\Windows\Panther
2008-03-22 13:22:15         0 d--hs---- C:\Boot
2008-03-22 11:58:08         0 d-------- C:\Program Files\uTorrent
2008-03-22 10:52:33         0 d-------- C:\Program Files\Gabest
2008-03-22 10:52:23         0 d-------- C:\Program Files\AviSynth 2.5
2008-03-22 10:27:23         0 d-a------ C:\Users\All Users\TEMP
2008-03-22 10:26:40         0 d-------- C:\Program Files\VideoReDoPlus
2008-03-22 09:43:36         0 d-------- C:\Users\All Users\DVD Shrink
2008-03-22 09:43:34         0 d-------- C:\Program Files\DVD Shrink
2008-03-22 09:36:44         0 d-------- C:\Program Files\Pegasys Inc
2008-03-22 08:36:11         0 d-------- C:\Program Files\AC3Filter
2008-03-22 07:35:13       280 --a------ C:\Windows\system32\PDBootState
2008-03-21 22:14:23         0 d-------- C:\Program Files\ASUS
2008-03-21 21:42:29         0 d-------- C:\Program Files\Symantec
2008-03-21 21:42:26         0 d-------- C:\Users\All Users\Symantec
2008-03-21 21:42:26         0 d-------- C:\Program Files\Symantec AntiVirus
2008-03-21 21:42:26         0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-21 21:36:45         0 d-------- C:\TEMP
2008-03-21 21:17:49         0 d-------- C:\Users\All Users\SlySoft
2008-03-21 21:15:30         0 d-------- C:\Program Files\SlySoft
2008-03-21 21:11:24         0 d-------- C:\Program Files\PowerArchiver
2008-03-21 20:54:14    118784 --a------ C:\Windows\system32\fxhl2zil.dll <Not Verified; Fuji Xerox Co., Ltd.; FX SimpleMonitor-AP>
2008-03-21 20:35:33         0 d-------- C:\Users\All Users\Raxco
2008-03-21 20:35:13         0 d-------- C:\Program Files\Raxco
2008-03-21 20:32:33         0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-21 20:30:25         0 d-------- C:\Windows\system32\Macromed
2008-03-21 20:29:20         0 d-------- C:\Users\All Users\Adobe
2008-03-21 20:29:18         0 d-------- C:\Program Files\Common Files\Adobe
2008-03-21 20:26:50         0 d-------- C:\Program Files\Java
2008-03-21 20:26:49         0 d-------- C:\Program Files\Common Files\Java
2008-03-21 20:15:16         0 d-------- C:\Program Files\DivX
2008-03-21 20:14:10         0 d-------- C:\Users\All Users\ashampoo
2008-03-21 20:14:07         0 d-------- C:\Program Files\Ashampoo
2008-03-21 19:57:15         0 d-------- C:\Program Files\CyberLink
2008-03-21 19:57:13         0 d-------- C:\Program Files\ASUSTek
2008-03-21 19:27:53         0 d-------- C:\PerfLogs
2008-03-21 19:16:21    152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-21 19:04:03         0 d-------- C:\Users\All Users\ATI
2008-03-21 19:03:41         0 --a------ C:\Windows\ativpsrm.bin
2008-03-21 19:02:01         0 d-------- C:\Program Files\Common Files\ATI Technologies
2008-03-21 19:01:15         0 d--hs---- C:\Windows\Installer
2008-03-21 19:01:15         0 d-------- C:\Program Files\ATI
2008-03-21 19:00:23         0 d-------- C:\Program Files\ATI Technologies
2008-03-21 18:56:45    171136 -rahs---- C:\grldr
2008-03-21 18:48:30         0 d-------- C:\Windows\Cache
2008-03-21 18:42:37   1970176 --a------ C:\Windows\system32\xRaidSetup.exe <Not Verified; JMicron Technology Corp.; JMicron JMB36X RAID Configurer>
2008-03-21 18:42:37    151552 --a------ C:\Windows\system32\xRaidAPI.dll <Not Verified; JMicron Technology Corp.; JMB36X RAID API Dynamic Link Library>
2008-03-21 18:42:37         0 d-------- C:\RaidTool
2008-03-21 18:42:26         0 d-------- C:\Windows\RaidTool
2008-03-21 18:39:06         0 d-------- C:\Windows\system32\RTCOM
2008-03-21 18:38:46         0 d-------- C:\Program Files\Realtek
2008-03-21 18:38:36    520192 -ra------ C:\Windows\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-03-21 18:38:36    315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-03-21 18:34:43     53248 --a------ C:\Windows\system32\CSVer.dll <Not Verified; Windows XP Bundled build C-Centric Single User; Windows XP Bundled build C-Centric Single User CSVer>
2008-03-21 18:34:43         0 d-------- C:\Program Files\Intel
2008-03-21 18:34:39         0 d-------- C:\Intel
2008-03-21 18:34:26         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-21 18:34:26         0 d-------- C:\Program Files\GIGABYTE
2008-03-21 18:34:19         0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-21 18:31:54         0 dr------- C:\Users\Media Centre\Searches
2008-03-21 18:31:45         0 dr------- C:\Users\Media Centre\Contacts
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Videos
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\Templates
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\Start Menu
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\SendTo
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Saved Games
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\Recent
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\PrintHood
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Pictures
2008-03-21 18:31:42   1835008 --ahs---- C:\Users\Media Centre\ntuser.dat
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\NetHood
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\My Documents
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Music
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\Local Settings
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Links
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Favorites
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Downloads
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Documents
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\Desktop
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\Cookies
2008-03-21 18:31:42         0 d--hs---- C:\Users\Media Centre\Application Data
2008-03-21 18:31:42         0 dr------- C:\Users\Media Centre\AppData
2008-03-21 18:25:43         0 d-------- C:\Windows\SoftwareDistribution
2008-03-21 18:24:39         0 d-------- C:\Windows\Debug
2008-03-21 18:24:38         0 d-------- C:\Windows\CSC
2008-03-21 18:23:39         0 d-------- C:\Windows\Prefetch
2008-03-21 18:23:30         0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-04-06 07:36:34         0 d-------- C:\Users\Media Centre\AppData\Roaming\Malwarebytes
2008-04-05 14:14:02         0 d-------- C:\Users\Media Centre\AppData\Roaming\Mozilla
2008-04-05 09:44:13         0 d-------- C:\Users\Media Centre\AppData\Roaming\VideoReDoPlus
2008-04-03 17:52:51         0 d-------- C:\Users\Media Centre\AppData\Roaming\uTorrent
2008-04-03 17:52:51         0 d-------- C:\Users\Media Centre\AppData\Roaming\ArcSoft
2008-04-03 16:23:01         0 d-------- C:\Program Files\Common Files
2008-03-31 17:48:37         0 d-------- C:\Users\Media Centre\AppData\Roaming\Adobe
2008-03-30 14:48:34         0 d-------- C:\Users\Media Centre\AppData\Roaming\Dr. DivX 2.0 OSS
2008-03-29 13:09:09         0 d-------- C:\Users\Media Centre\AppData\Roaming\vlc
2008-03-27 08:31:06         0 d-------- C:\Users\Media Centre\AppData\Roaming\Pegasys Inc
2008-03-24 15:18:09         0 d-------- C:\Users\Media Centre\AppData\Roaming\Ashampoo
2008-03-22 09:39:23         0 d-------- C:\Users\Media Centre\AppData\Roaming\LEAPS
2008-03-21 20:41:01         0 d-------- C:\Users\Media Centre\AppData\Roaming\DivX
2008-03-21 20:30:30         0 d-------- C:\Users\Media Centre\AppData\Roaming\Macromedia
2008-03-21 19:33:03       174 --ahs---- C:\Program Files\desktop.ini
2008-03-21 19:28:27         0 d-------- C:\Program Files\Windows Sidebar
2008-03-21 19:28:27         0 d-------- C:\Program Files\Windows Calendar
2008-03-21 19:28:27         0 d-------- C:\Program Files\Movie Maker
2008-03-21 19:28:26         0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-21 19:28:26         0 d-------- C:\Program Files\Windows Mail
2008-03-21 19:28:26         0 d-------- C:\Program Files\Windows Journal
2008-03-21 19:28:26         0 d-------- C:\Program Files\Windows Collaboration
2008-03-21 19:28:25         0 d-------- C:\Program Files\Windows Defender
2008-03-21 19:04:03         0 d-------- C:\Users\Media Centre\AppData\Roaming\ATI
2008-03-21 18:42:09         0 d-------- C:\Users\Media Centre\AppData\Roaming\InstallShield
2008-03-21 18:31:47         0 d-------- C:\Users\Media Centre\AppData\Roaming\Identities
2008-02-21 12:05:44   3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-02-21 12:04:16    196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 12:04:16     81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 12:04:04    802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-21 12:04:04    823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 12:04:04    823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 12:04:04    682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 12:03:24     12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-02-14 13:28:56        29 --a------ C:\Program Files\version.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98159628-D979-45A1-A568-C148B40ECAF8}]
            C:\Windows\system32\wvwvw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d9271805-381e-4694-ab60-98aa38b8d0a6}]
05/04/2008 08:19 AM    90176    --a------    C:\Windows\system32\sggdmjhs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [18/01/2008 10:38 PM]
"RtHDVCpl"="RtHDVCpl.exe" [19/09/2007 04:50 PM C:\Windows\RtHDVCpl.exe]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [20/03/2007 01:36 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 10:35 AM]
"RemoteControl"="C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" [12/01/2005 02:01 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/12/2006 10:25 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/08/2007 07:29 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [19/10/2007 07:16 PM]
"96dc0077"="C:\Windows\system32\cofktlif.dll" [06/04/2008 08:32 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [18/01/2008 10:33 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [18/01/2008 10:33 PM]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [23/02/2007 09:37 AM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [21/03/2008 09:17 PM]
"Windows Media Center"="C:\Windows\ehome\ehuihlp.dll,BootMediaCenter" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/01/2008 10:33 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"GEST"="C:\Program Files\GIGABYTE\GEST\run.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [8/31/2005 9:46:50 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cupluadx]
cupluadx.dll 04/04/2008 07:40 PM 32320 C:\Windows\System32\cupluadx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysntnefw]
ysntnefw.dll 03/04/2008 06:05 PM 32320 C:\Windows\System32\ysntnefw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService    nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e61a0ef-f72b-11dc-8675-001b2f2ce128}]
AutoRun\command- setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47fee477-fcae-11dc-a19d-001d7daf31dc}]
AutoRun\command- G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64f9c3cd-022e-11dd-afd1-001d7daf31dc}]
Auto\command- G:\auto.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\auto.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-06 08:47:58 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate  (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core(tm)2 Quad CPU    Q6600  @ 2.40GHz
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 2045.77 MiB / 1334.97 MiB
Pagefile Memory (total/avail): 4330.56 MiB / 3376.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1885.55 MiB

C: is Fixed (NTFS) - 39.06 GiB total, 21.72 GiB free.
D: is Fixed (NTFS) - 259.03 GiB total, 121 GiB free.
E: is Fixed (NTFS) - 298.09 GiB total, 282.05 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD3200AAJS-00RYA0 ATA Device - 298.09 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 298.09 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD3200AAKS-00VYA0 ATA Device - 298.09 GiB - 2 partitions
  \PARTITION0 (bootable) - Installable File System - 39.06 GiB - C:
  \PARTITION1 - Installable File System - 259.03 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus v10.2.0.322 (Symantec Corporation)
AS: Symantec AntiVirus v10.2.0.322 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Media Centre\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MEDIACENTRE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Media Centre
LOCALAPPDATA=C:\Users\Media Centre\AppData\Local
LOGONSERVER=\\MEDIACENTRE-PC
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\MEDIAC~1\AppData\Local\Temp
TMP=C:\Users\MEDIAC~1\AppData\Local\Temp
USERDOMAIN=MediaCentre-PC
USERNAME=Media Centre
USERPROFILE=C:\Users\Media Centre
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Media Centre (admin)


-- Add/Remove Programs ---------------------------------------------------------

@BIOS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}\setup.exe" -l0x9  -removeonly
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Premiere Pro 1.5 --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{A14F7508-B784-40B8-B11A-E0E2EEB7229F}\setup.exe" -l0x0009
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ashampoo Burning Studio 2008 --> "C:\Program Files\Ashampoo\Ashampoo Burning Studio 2008\unins000.exe"
ASUS EZVCR --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{01051276-3213-4A6A-8FEF-CFFF0BE26633}
ASUS My Cinema-U3000 Mini --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D2A1A00-F630-49ED-8E6C-C199544DD3AB}\Setup.exe" -l0x9
ASUS TSSI --> MsiExec.exe /I{76A2DC7C-D385-498E-9C6B-CF9626F8BE1E}
ASUSDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe"  -uninstall
ATI AVIVO Codecs --> MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
avi.NET 2.5.8.0 --> C:\Program Files\avi.NET\Uninstall.exe
Avidemux 2.4 --> C:\Program Files\Avidemux 2.4\uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab HD Decrypter 4.1.2.0 --> "C:\Program Files\DVDFab HD Decrypter 4\unins000.exe"
Dynamic Energy Saver B7.1214.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5869CE1E-BC0B-4648-B1AE-6EF4A985590C}\setup.exe" -l0x9  -removeonly
Haali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
Handbrake 0.9.2 --> C:\Program Files\Handbrake\uninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(tm) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JMB36X Raid Configurer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x9  -removeonly
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MeGUI modern media encoder (remove only) --> "C:\Program Files\megui\megui-uninstall.exe"
Microsoft .NET Framework 3.5 --> C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5 --> MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NETGEAR WG311v3 PCI Adapter --> C:\Program Files\InstallShield Installation Information\{70014586-7BBA-4A92-A610-CDC896C48F8F}\setup.exe -runfromtemp -l0x0409
PerfectDisk 2008 Professional --> MsiExec.exe /I{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}
PowerArchiver 2007 --> MsiExec.exe /I{4D1CF286-EBD1-4B08-9B71-A439712D1150}
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\SETUP.EXE -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Sansa Media Converter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2A0F8F4-CE50-4857-A21C-3061682B2E87}\Setup.exe" -l0x9
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Symantec AntiVirus --> MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
TMPGEnc 4.0 XPress --> MsiExec.exe /I{34E89C10-3E14-4396-A58C-72047CD458AD}
TMPGEnc MPEG Editor 2.0 --> MsiExec.exe /I{06607A48-98DC-48F9-922F-40FD2D7FF6D1}
VideoReDo/Plus Version 2.5.4.507 --> "C:\Program Files\VideoReDoPlus\unins000.exe"
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5514 / Success
Event Submitted/Written: 04/06/2008 08:42:51 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type5511 / Success
Event Submitted/Written: 04/06/2008 08:42:50 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type5507 / Success
Event Submitted/Written: 04/06/2008 08:42:47 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type5497 / Success
Event Submitted/Written: 04/06/2008 08:41:38 AM
Event ID/Source: 903 / Software Licensing Service
Event Description:
The Software Licensing service has stopped.

Event Record #/Type5493 / Warning
Event Submitted/Written: 04/06/2008 08:41:36 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-220370344-2337913255-810275737-1000:
Process 2732 (\Device\HarddiskVolume1\Program Files\Symantec AntiVirus\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-220370344-2337913255-810275737-1000\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\Custom Tasks\eddc1a46-a3a1-4403-927a-02202c2cc3dd



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12509 / Error
Event Submitted/Written: 04/06/2008 08:42:46 AM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type12492 / Warning
Event Submitted/Written: 04/06/2008 08:41:38 AM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:


Event Record #/Type12383 / Error
Event Submitted/Written: 04/06/2008 08:36:39 AM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type12366 / Warning
Event Submitted/Written: 04/06/2008 08:35:27 AM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:


Event Record #/Type12301 / Error
Event Submitted/Written: 04/05/2008 08:22:34 AM
Event ID/Source: 10010 / DCOM
Event Description:
{0002DF01-0000-0000-C000-000000000046}



-- End of Deckard's System Scanner: finished at 2008-04-06 08:47:58 ------------

guestolo
Spysheriff, vista, and a very sad man
« Reply #7 on: April 06, 2008, 12:25:15 AM »
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Right-Click on OTMoveit2.exe on desktop and select Run As Administrator
  • Copy the file paths below to the clipboard in BLUE by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    ==============================================================================
    [color=\"#0000FF\"]C:\Windows\system32\cofktlif.dll
    C:\Windows\system32\payskxgv.dll
    C:\Windows\system32\sggdmjhs.dll
    C:\Windows\system32\cupluadx.dll
    C:\Windows\system32\ntgnkvrc.dll
    C:\Windows\system32\hjsdmxfn.dll
    C:\Windows\system32\ysntnefw.dll
    C:\Windows\system32\iavnpvdy.dll
    C:\Windows\system32\nnnml.dll
    C:\Windows\system32\wvwvw.dll
    C:\Windows\system32\wvwvw.ini2
    C:\VundoFix Backups
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cupluadx
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysntnefw
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\96dc0077
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98159628-D979-45A1-A568-C148B40ECAF8}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9271805-381e-4694-ab60-98aa38b8d0a6}[/color]

    ==============================================================================
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Folders to Move" window (under the [color=\"yellow\"]yellow[/color] bar) and choose Paste.

  • Click the red [color=\"red\"]Moveit![/color] button.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

OTMoveIt would of created a log at this location
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Post that log please along with a fresh hijackthis log
« Last Edit: April 06, 2008, 05:56:16 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline HTPConvert

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
Spysheriff, vista, and a very sad man
« Reply #8 on: April 07, 2008, 04:31:22 AM »
LoadLibrary failed for C:\Windows\system32\cofktlif.dll
C:\Windows\system32\cofktlif.dll NOT unregistered.
C:\Windows\system32\cofktlif.dll moved successfully.
LoadLibrary failed for C:\Windows\system32\payskxgv.dll
C:\Windows\system32\payskxgv.dll NOT unregistered.
C:\Windows\system32\payskxgv.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\sggdmjhs.dll
C:\Windows\system32\sggdmjhs.dll NOT unregistered.
C:\Windows\system32\sggdmjhs.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\cupluadx.dll
C:\Windows\system32\cupluadx.dll NOT unregistered.
C:\Windows\system32\cupluadx.dll moved successfully.
LoadLibrary failed for C:\Windows\system32\ntgnkvrc.dll
C:\Windows\system32\ntgnkvrc.dll NOT unregistered.
C:\Windows\system32\ntgnkvrc.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\hjsdmxfn.dll
C:\Windows\system32\hjsdmxfn.dll NOT unregistered.
C:\Windows\system32\hjsdmxfn.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\ysntnefw.dll
C:\Windows\system32\ysntnefw.dll NOT unregistered.
C:\Windows\system32\ysntnefw.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\system32\iavnpvdy.dll
C:\Windows\system32\iavnpvdy.dll NOT unregistered.
C:\Windows\system32\iavnpvdy.dll moved successfully.
LoadLibrary failed for C:\Windows\system32\nnnml.dll
C:\Windows\system32\nnnml.dll NOT unregistered.
C:\Windows\system32\nnnml.dll moved successfully.
File/Folder C:\Windows\system32\wvwvw.dll not found.
C:\Windows\system32\wvwvw.ini2 moved successfully.
C:\VundoFix Backups moved successfully.
File/Folder HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cupluadx not found.
File/Folder HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysntnefw not found.
File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\96dc0077 not found.
File/Folder HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98159628-D979-45A1-A568-C148B40ECAF8} not found.
File/Folder HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9271805-381e-4694-ab60-98aa38b8d0a6} not found.
 
OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04072008_194741


I forgot to run as administrator, so I did it again with this done:

File/Folder C:\Windows\system32\payskxgv.dll not found.
File/Folder C:\Windows\system32\sggdmjhs.dll not found.
File/Folder C:\Windows\system32\cupluadx.dll not found.
File/Folder C:\Windows\system32\ntgnkvrc.dll not found.
File/Folder C:\Windows\system32\hjsdmxfn.dll not found.
File/Folder C:\Windows\system32\ysntnefw.dll not found.
File/Folder C:\Windows\system32\iavnpvdy.dll not found.
File/Folder C:\Windows\system32\nnnml.dll not found.
File/Folder C:\Windows\system32\wvwvw.dll not found.
File/Folder C:\Windows\system32\wvwvw.ini2 not found.
File/Folder C:\VundoFix Backups not found.
File/Folder HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cupluadx not found.
File/Folder HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysntnefw not found.
File/Folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\96dc0077 not found.
File/Folder HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98159628-D979-45A1-A568-C148B40ECAF8} not found.
File/Folder HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9271805-381e-4694-ab60-98aa38b8d0a6} not found.
 
OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04072008_194837


And the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:58 PM, on 7/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\ehome\EHShell.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKLM\..\RunOnce: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E7EEE6F-FA99-4CD3-8EEB-0199DEBFE605}: NameServer = 192.168.0.20
O20 - Winlogon Notify: cupluadx - cupluadx.dll (file missing)
O20 - Winlogon Notify: ysntnefw - ysntnefw.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6853 bytes

Thanks for doing this my friend!!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spysheriff, vista, and a very sad man
« Reply #9 on: April 08, 2008, 12:11:30 AM »
Do a "System scan only" with HijackThis and put a check next to these entries:

O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O20 - Winlogon Notify: cupluadx - cupluadx.dll (file missing)
O20 - Winlogon Notify: ysntnefw - ysntnefw.dll (file missing)


After you have ticked the above entries, close all other open windows,
including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Reboot the computer

Come back here and post a fresh HijackThis log.
Keep me informed how things are running.


Offline HTPConvert

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
Spysheriff, vista, and a very sad man
« Reply #10 on: April 08, 2008, 04:55:29 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:38 PM, on 8/04/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\GIGABYTE\GEST\gest.exe
C:\Program Files\ASUS\EZVCR\Agent.exe
C:\Program Files\ASUS\EZVCR\ASUS_IRAppl.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Windows\ehome\ehShell.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunOnce: [GEST] "C:\Program Files\GIGABYTE\GEST\run.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O13 - Gopher Prefix:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EZSERVICE - Unknown owner - C:\Program Files\ASUS\EZVCR\EZSERVICE.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6178 bytes


So is that it? Is the virus off my system now? Thank you so much! You are a genius! I will be sure to send you a little something by way of PayPal!!

Cheers
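
The two HijackThis logs above (Reply #8 before the fix, Reply #10 after it) were compared by eye. The following Python script is an added example, not part of the original thread and not HijackThis code: it applies the same heuristics a malware-removal helper uses on an HJT log (Run values named with hex digits, rundll32 loaders pointing into system32, randomly named system32 DLLs, Winlogon Notify packages, and "(file missing)" references left behind by a partial clean-up) and then diffs a before/after pair. BEFORE_LOG and AFTER_LOG are constructed excerpts modelled on the posted logs, reduced to the lines that matter; the KNOWN_SYSTEM32 allow-list is an assumption of the example, not a complete list.

```python
"""Triage HijackThis (HJT) log entries and diff a before/after pair.

Added example; not part of the original thread and not HijackThis code.
The two logs below are constructed excerpts modelled on Reply #8 (before)
and Reply #10 (after), cut down to the relevant lines.
"""
import re
from dataclasses import dataclass

BEFORE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {98159628-D979-45A1-A568-C148B40ECAF8} - C:\Windows\system32\wvwvw.dll (file missing)
O2 - BHO: {6a0d8b83-aa89-06ba-4964-e1835081729d} - {d9271805-381e-4694-ab60-98aa38b8d0a6} - C:\Windows\system32\sggdmjhs.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [96dc0077] rundll32.exe "C:\Windows\system32\cofktlif.dll",b
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O20 - Winlogon Notify: cupluadx - cupluadx.dll (file missing)
O20 - Winlogon Notify: ysntnefw - ysntnefw.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY = re.compile(r"^[A-Z]\d+ - ")                       # any HJT entry line
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<pkg>\S+) - (?P<dll>.*)$")
SYSTEM32_DLL = re.compile(r"\\system32\\(?P<stem>[a-z]{5,8})\.dll", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
# Assumed partial allow-list of legitimate short all-letter names in system32.
# An unknown name is a prompt to verify the file, not proof of malware.
KNOWN_SYSTEM32 = {"msvcrt", "ntdll", "winmm", "shlwapi", "wininet", "urlmon", "gdiplus", "sechost"}


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple[str, ...]


def assess(line: str) -> tuple[str, ...]:
    """Reasons this HJT entry deserves a look; an empty tuple means nothing stood out."""
    reasons: list[str] = []
    if "(file missing)" in line:
        reasons.append("references a file that no longer exists (orphaned registry entry)")
    dll = SYSTEM32_DLL.search(line)
    if dll and dll.group("stem").lower() not in KNOWN_SYSTEM32:
        reasons.append(f"random-looking DLL name {dll.group('stem')}.dll in system32")
    run = O4_RUN.match(line)
    if run:
        if HEX_NAME.match(run.group("name").lower()):
            reasons.append("Run value named with 8 hex digits")
        cmd = run.group("cmd").strip().lstrip('"').lower()
        if cmd.startswith("rundll32") and "\\system32\\" in cmd:
            reasons.append("rundll32 used to load a DLL from system32 at logon")
    if O20_NOTIFY.match(line):
        reasons.append("Winlogon Notify package: loads into winlogon.exe at every logon, review")
    return tuple(reasons)


def triage(log: str) -> list[Finding]:
    """All entries of an HJT log that trip at least one heuristic, in log order."""
    findings = []
    for line in log.splitlines():
        if ENTRY.match(line):
            reasons = assess(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


def removed_between(before: str, after: str) -> list[str]:
    """Entries present in the earlier log but gone from the later one."""
    after_entries = {l for l in after.splitlines() if ENTRY.match(l)}
    return [l for l in before.splitlines() if ENTRY.match(l) and l not in after_entries]


if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
    print("\nremoved by the fix:", len(removed_between(BEFORE_LOG, AFTER_LOG)))
    print("still flagged afterwards:", len(triage(AFTER_LOG)))
```

Run against the constructed pair, it flags exactly the five entries guestolo asked to have fixed (the two BHOs, the hex-named Run value loading cofktlif.dll through rundll32, and both Winlogon Notify packages), leaves the Symantec, Adobe and Media Center entries alone, and reports nothing left over in the after log. "(file missing)" is the signal to notice: it means the DLL was already deleted (by OTMoveIt2 or the antivirus) but the registry entry that loaded it survived, which is why the HijackThis "Fix checked" pass was still needed after the file moves.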

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spysheriff, vista, and a very sad man
« Reply #11 on: April 08, 2008, 06:07:33 PM »
I just want to double check one thing.
I see this entry in your DSS logs:
G:\Autorun.exe

It may be related to a flash drive infection.
Can you do me a favor?
If you have a USB flash drive or similar, whatever it is that represents your G: drive,
can you insert it into your computer, but HOLD DOWN the SHIFT key on your keyboard when inserting so it won't autostart.
Afterwards, go to this link:

http://www.virustotal.com/flash/index_en.html
Copy and paste the following line into the space next to 'Upload a File':

G:\Autorun.exe
Then use the SEND FILE button.
Let it finish scanning.
Could you post the results of this scan back here please.


Offline HTPConvert

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
Spysheriff, vista, and a very sad man
« Reply #12 on: April 08, 2008, 06:42:19 PM »
I have just installed a new hard drive (yesterday, just before I posted the most recent HJT log), so now my USB flash drive is drive H.

Nevertheless, I tried holding the Shift key, but the USB key always autoruns. Pasting G:\Autorun.exe (replacing G with H) into that site gave this response:

0 bytes size received / An empty file was received


So I'm not sure what to do now. :-(
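
Before uploading anything, it helps to look at how the drive launches G:\Autorun.exe and what the file actually is. The Python below is an added example, not part of the thread and not a VirusTotal tool; it assumes (the thread does not say) that Autorun.exe is started by an autorun.inf in the drive root, the usual mechanism for USB-borne malware of this period, and SAMPLE_AUTORUN_INF is a constructed file, not one recovered from the poster's drive. It parses the launch keys of the [autorun] section, resolves each target against the drive root, and reports the file's size, whether it carries a PE (MZ) header, and its SHA-256 so it can be searched on VirusTotal by hash. The zero-byte case is handled explicitly, since "0 bytes size received" is exactly what an empty or unreadable file produces.

```python
"""Inspect a removable drive's autorun.inf and the file(s) it launches.

Added example; not part of the original thread and not VirusTotal or
HijackThis code. Assumes the launch path is autorun.inf -> [autorun]
open/shellexecute/shell\...\command, which the thread does not confirm.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample, not recovered from the poster's drive.
SAMPLE_AUTORUN_INF = """\
; constructed sample autorun.inf
[AutoRun]
open=Autorun.exe
shellexecute=Autorun.exe
shell\\open\\command=Autorun.exe
icon=Autorun.exe,0
label=Removable Disk
action=Open folder to view files
"""

# Keys whose value Windows executes (AutoPlay action or a shell verb).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def launch_targets(inf_text: str) -> dict[str, str]:
    """Map each launching key of the [autorun] section to the executable it names.

    Keys are lower-cased. 'icon', 'label' and 'action' only dress up the
    AutoPlay prompt and are not launch keys, so they are skipped.
    """
    targets: dict[str, str] = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            targets[key] = _executable_of(value)
    return targets


def _executable_of(command: str) -> str:
    """First token of a command line, honouring quotes and dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify_file(data: bytes) -> str:
    """'empty' is what VirusTotal rejects as 0 bytes; 'pe' means an MZ header."""
    if not data:
        return "empty"
    return "pe" if data[:2] == b"MZ" else "not-pe"


def sha256_hex(data: bytes) -> str:
    """Hash to search VirusTotal by, instead of uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def scan_removable_root(root: Path) -> list[dict]:
    """Read <root>/autorun.inf and report on every file it would launch."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    report = []
    for key, target in launch_targets(inf.read_text(errors="replace")).items():
        path = root / target
        data = path.read_bytes() if path.is_file() else b""
        report.append({"key": key, "target": str(path), "exists": path.is_file(),
                       "size": len(data), "kind": classify_file(data),
                       "sha256": sha256_hex(data)})
    return report


if __name__ == "__main__":
    for key, exe in launch_targets(SAMPLE_AUTORUN_INF).items():
        print(f"{key:20} -> {exe}")
    # Point this at the mounted drive root, e.g. Path("H:/"), to inspect a real stick.
```

Two practical notes. Holding Shift only suppresses AutoPlay if Windows sees the key down while the volume arrives; on Vista the dependable fix is the NoDriveTypeAutoRun policy value (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, REG_DWORD 0xFF disables AutoRun on all drive types). And if the report shows "empty" or "exists: False" for the target, the zero-byte VirusTotal response is explained by the file, not the upload; in that case the autorun.inf itself is the artifact worth keeping.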

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spysheriff, vista, and a very sad man
« Reply #13 on: April 08, 2008, 08:25:27 PM »
Don't worry about that entry.
But can you do the following:
Ensure that Norton is updated with the latest virus definitions.

Then run a complete scan of your system, including external drives or thumb drives.

Come back and let me know if the scan is clean.


Offline HTPConvert

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
Spysheriff, vista, and a very sad man
« Reply #14 on: April 09, 2008, 12:04:51 AM »
I just ran the scan and it is clean - nothing found at all! Hooray!!

Is there anything else I should run just to be sure?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spysheriff, vista, and a very sad man
« Reply #15 on: April 10, 2008, 06:03:33 PM »
Sorry for the delay, it sounds as if everything is clear.

I suggest that you add SpywareBlaster to your protection software.
SpywareBlaster by JavaCool:
    * Will block bad ActiveX controls
    * Blocks malevolent cookies in Internet Explorer and Firefox
    * Restricts actions of potentially dangerous sites in Internet Explorer
After installation, check for updates.
After updating, select "Protection Status" on the left,
then select "Enable all Protection".
Check for updates every couple of weeks;
after every update just simply click "enable protection on all unprotected items".

Hope that helps :)
« Last Edit: April 10, 2008, 06:04:03 PM by guestolo »


Offline HTPConvert

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
Spysheriff, vista, and a very sad man
« Reply #16 on: April 12, 2008, 08:19:46 PM »
Thank you very much for your help!! Everything seems very happy now.

I will put that programme on as well :-)

I will let you know how it is going

Cheers

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spysheriff, vista, and a very sad man
« Reply #17 on: April 12, 2008, 11:00:45 PM »
Quote from HTPConvert (Apr 12 2008, 06:19 PM):
> Thank you very much for your help!! Everything seems very happy now.
>
> I will put that programme on as well :-)
>
> I will let you know how it is going
>
> Cheers

I hope everything is ok; I'll lock this topic in a couple of days if I don't hear back from you.


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Spysheriff, vista, and a very sad man
« Reply #18 on: April 16, 2008, 10:34:50 PM »
Thanks for the donation.
As your problems are resolved, this topic is now locked.
Thanks again, and take care HTPConvert :D