Msserver?[INACTIVE]

[Acidic]

Alright, there was an additional entry added to my startup via registry;

MSServer
rundll32.exe C:\Users\Dylan\AppData\Local\Temp\byxwu.dll,#1

Also, I cannot remove this file from temp..

MSServer 
c:\users\dylan\appdata\local\temp\byxwu.dll

Whenever I attempt to remove or disable the registry key it returns, and it will not let me delete the file in my temp folder.

Any suggestions

Acidic

[sarahw]

Hi,

Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

[sarahw]

Hi,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
  
• Double-click on dss.exe and follow the prompts.
  
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
  

[nick_uk_911]

Hi, i have had the same issue, i logged into my pc and realised it was running slower than normal, ad aware found an MSServer entry with a TA rating of 10!!! I deleted it but its no use, i tried to manually delete the entry in regedit but it re appears as soon as it is deleted, hmmm

[nick_uk_911]

Ok here are my notepad results, thanks guys.

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)

Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz

Percentage of Memory in Use: 67%

Physical Memory (total/avail): 893.88 MiB / 286.46 MiB

Pagefile Memory (total/avail): 2045.85 MiB / 1047.34 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1913.84 MiB

C: is Fixed (NTFS) - 113.2 GiB total, 75.81 GiB free.

D: is Fixed (NTFS) - 112.85 GiB total, 82.49 GiB free.

E: is CDROM (No Media)

F: is Removable (No Media)

G: is Removable (No Media)

H: is Removable (No Media)

I: is Removable (No Media)

J: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3250824AS ATA Device - 232.88 GiB - 3 partitions

\PARTITION0 - Unknown - 6.83 GiB

\PARTITION1 (bootable) - MS-DOS V4 Huge - 113.2 GiB - C:

\PARTITION2 - Installable File System - 112.85 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.1.078.000 (Check Point, LTD.)

AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData

APPDATA=C:\Users\Lizzard\AppData\Roaming

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=LIZZARD-PC

ComSpec=C:\Windows\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Users\Lizzard

LOCALAPPDATA=C:\Users\Lizzard\AppData\Local

LOGONSERVER=\\LIZZARD-PC

NUMBER_OF_PROCESSORS=2

OS=Windows_NT

Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0604

ProgramData=C:\ProgramData

ProgramFiles=C:\Program Files

PROMPT=$P$G

PUBLIC=C:\Users\Public

SystemDrive=C:

SystemRoot=C:\Windows

TEMP=C:\Users\Lizzard\AppData\Local\Temp

TMP=C:\Users\Lizzard\AppData\Local\Temp

tvdumpflags=8

USERDOMAIN=Lizzard-PC

USERNAME=Lizzard

USERPROFILE=C:\Users\Lizzard

windir=C:\Windows

-- User Profiles ---------------------------------------------------------------

Lizzard

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

Acer eDataSecurity Management --> C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL

Acer Empowering Technology --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly

Acer ePerformance Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D462BF9E-0C35-4705-BF9B-3DF9F3816643}\setup.exe" -l0x9 -removeonly

Acer Picture Slide DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41581EF5-45A7-11DA-9D78-000129760D75}\Setup.exe" -uninstall

Acer Plug and Record --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F6EFFB76-4A07-11DA-9D78-000129760D75}\Setup.exe" -uninstall

Acer ScreenSaver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly

Acer Zone MagicDirector --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\Setup.exe" -uninstall

Acer Zone Main Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\Setup.exe" -uninstall

Acer Zone MakeDisk --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\Setup.exe" -uninstall

Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}

Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}

ATI Catalyst Control Center Ex --> MsiExec.exe /I{94F5A370-E9E0-E543-E33D-BB80C25967B9}

Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe

bet365 Poker --> C:\MICROG~1\Poker\BET365~1\bet365\UNWISE.EXE C:\MICROG~1\Poker\BET365~1\bet365\INSTALL.LOG

bet365poker --> "C:\Poker\bet365poker\_SetupPoker.exe" /uninstall

City Club Casino --> "C:\Casino\City Club Casino\_SetupCasino.exe" /uninstall

CyberTweak Version 1.3 Final --> "C:\Program Files\CyberTweak\unins000.exe"

Dan Elwell's Broadband Speed Test --> "C:\Program Files\Dan Elwell's Broadband Speed Test\unins000.exe"

Digimax50 Duo --> C:\Windows\twain_32\DGMAX50D\UNWISE.EXE C:\Windows\twain_32\DGMAX50D\INSTALL.LOG

DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

Gears of War --> C:\Program Files\InstallShield Installation Information\{1170D24F-42B7-40CF-AA1B-6395CE562354}\setup.exe -runfromtemp -l0x0409

Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}

Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"

Java 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}

Java 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}

LimeWire PRO 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"

Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{20DEB77C-21D6-4D22-BB47-233E47613D57}

Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}

Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}

MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}

MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}

NTI Backup NOW! 4.7 --> "C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly

NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7

Quintessential Player --> "C:\Program Files\Quintessential Player\uninst.exe"

Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly

resident evil 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\110\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DFFCDB41-C2DA-47D6-96FF-03C05C0BEA22}\install.exe" -l0x9 -removeonly

SAGEM F@st 800-840 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9

Samsung e-maxManager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2106CE00-FA53-11D3-98CC-0050BAC15A84}\SETUP.EXE" -uninst

screensaverPS3 --> C:\Windows\system32\screensaverPS3.scr /u

SopCast 2.0.4 --> C:\Program Files\SopCast\uninst.exe

Trivial Pursuit Online Party (remove only) --> "C:\Program Files\iWin.com\Trivial Pursuit Online Party\Uninstall.exe"

VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe

Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}

Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}

WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}

ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type13912 / Error

Event Submitted/Written: 12/28/2007 02:57:15 AM

Event ID/Source: 1000 / Application Error

Event Description:

Faulting application iexplore.exe, version 7.0.6000.16575, time stamp 0x470c3339, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0xfbd0858b,

process id 0xf90, application start time 0xiexplore.exe0.

Event Record #/Type13906 / Success

Event Submitted/Written: 12/28/2007 02:19:56 AM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type13902 / Success

Event Submitted/Written: 12/28/2007 02:18:29 AM

Event ID/Source: 5617 / WinMgmt

Event Description:

Event Record #/Type13900 / Success

Event Submitted/Written: 12/28/2007 02:18:28 AM

Event ID/Source: 5615 / WinMgmt

Event Description:

Event Record #/Type13894 / Success

Event Submitted/Written: 12/28/2007 02:18:11 AM

Event ID/Source: 902 / Software Licensing Service

Event Description:

The Software Licensing service has started.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type45185 / Error

Event Submitted/Written: 12/28/2007 02:17:42 AM

Event ID/Source: 6 / ACPI

Event Description:

IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 6, function 0.

Please contact your system vendor for technical assistance.

Event Record #/Type45168 / Error

Event Submitted/Written: 12/28/2007 01:59:48 AM

Event ID/Source: 6 / ACPI

Event Description:

IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 6, function 0.

Please contact your system vendor for technical assistance.

Event Record #/Type45150 / Error

Event Submitted/Written: 12/28/2007 01:46:06 AM

Event ID/Source: 6 / ACPI

Event Description:

IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 6, function 0.

Please contact your system vendor for technical assistance.

Event Record #/Type45128 / Warning

Event Submitted/Written: 12/28/2007 01:41:51 AM

Event ID/Source: 4386 / Microsoft-Windows-Servicing

Event Description:

Windows Servicing required reboot to complete the process of changing update 929547-1_RTM_LDR from package KB929547(Hotfix) into Install Requested(Install Requested) state

Event Record #/Type45127 / Warning

Event Submitted/Written: 12/28/2007 01:41:51 AM

Event ID/Source: 4376 / Microsoft-Windows-Servicing

Event Description:

Servicing has required reboot to complete the operation of setting package KB929547(Hotfix) into Install Requested(Install Requested) state

-- End of Deckard's System Scanner: finished at 2007-12-28 03:05:07 ------------

Deckard's System Scanner v20071014.68

Run by Lizzard on 2007-12-28 02:58:52

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --

8: 2007-12-28 01:39:36 UTC - RP227 - Windows Update

7: 2007-12-28 01:39:18 UTC - RP226 - Device Driver Package Install: Zone Labs, a Check Point company Network Service

6: 2007-12-25 16:13:49 UTC - RP225 - Scheduled Checkpoint

5: 2007-12-24 15:45:38 UTC - RP224 - Scheduled Checkpoint

4: 2007-12-23 04:18:21 UTC - RP223 - Scheduled Checkpoint

-- First Restore Point --

1: 2007-12-19 04:25:44 UTC - RP220 - Windows Update

Backed up registry hives.

Performed disk cleanup.

Total Physical Memory: 894 MiB (1024 MiB recommended).

-- HijackThis (run as Lizzard.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:02:07 AM, on 12/28/2007

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\System32\SysMonitor.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Windows\autoclk.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader .exe

C:\Windows\ehome\ehmsas.exe

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Windows\System32\mobsync.exe

C:\Windows\regedit.exe

C:\Program Files\Internet Explorer\IEUser.exe

C:\Windows\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\Lizzard\Desktop\dss.exe

C:\Windows\system32\conime.exe

C:\Windows\system32\SearchFilterHost.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Lizzard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F3 - REG:win.ini: load=C:\Users\Lizzard\AppData\Local\Temp\hggeb.exe

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe

O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [autoclk] autoclk.exe

O4 - HKLM\..\Run: [adiras] adiras.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Lizzard\AppData\Local\Temp\hggeb.dll,c

O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Lizzard\AppData\Local\Temp\yabyy.dll,#1

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Microgaming\Poker\bet365MPP\MPPoker.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)

O13 - Gopher Prefix:

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{98353276-E5C6-41A6-B0BD-B52BABC8C4D0}: NameServer = 212.139.132.58,212.139.132.59

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--

End of file - 7348 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 AtiPcie (ATI PCI Express (3GIO) Filter) - c:\windows\system32\drivers\atipcie.sys <Not Verified; ATI Technologies Inc.; ATI PCIE Driver>

R0 UBHelper - c:\windows\system32\drivers\ubhelper.sys

R2 CDRPDACC (Quinnware CDDA Driver (by InfinaDyne)) - \??\c:\program files\quintessential player\cdrpdacc.sys

R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S2 MXBULK (Digimax50 Duo Still Mode) - c:\windows\system32\drivers\dgmax50b.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S2 MXCap (Digimax50 Duo Video Mode) - c:\windows\system32\drivers\dgmax50v.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcerMemUsageCheckService (ePerformance Service) - c:\acer\empowering technology\eperformance\memcheck.exe <Not Verified; ; MemCheck.Service>

R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-27 18:28:18 422 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{7E8DC99A-CDC2-4C25-B484-09BB904E96D1}.job

-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 03:01:47 0 d-------- C:\Program Files\Trend Micro

2007-12-28 01:40:16 0 d-------- C:\Windows\system32\ZoneLabs

2007-12-28 01:40:14 0 d-------- C:\Users\All Users\CheckPoint

2007-12-28 01:38:25 0 d-------- C:\Windows\Internet Logs

2007-12-27 21:40:26 0 d-------- C:\Program Files\iWin.com

2007-12-27 21:30:37 0 d-------- C:\Users\All Users\iWin Games

2007-12-26 15:51:28 0 d-------- C:\Users\All Users\NtiDvdCopy

2007-12-23 22:05:23 0 d-------- C:\Users\Lizzard\Contacts

2007-12-20 19:18:46 0 d-------- C:\Program Files\LimeWire

2007-12-20 18:24:50 0 d-------- C:\Users\All Users\Azureus

2007-12-17 18:12:28 127456 --a------ C:\Windows\system32\ipdetect.exe <Not Verified; ; IPDETECT>

2007-12-17 18:12:26 114688 --a------ C:\Windows\system32\unaddrv.exe <Not Verified; Analog Devices.; UnADdrv>

2007-12-17 18:12:26 106496 --a------ C:\Windows\system32\coclassfast.dll

2007-12-17 18:12:26 46892 --a------ C:\Windows\system32\adadix16.dll

2007-12-17 18:12:24 143360 --a------ C:\Windows\autoclk.exe <Not Verified; ; autoclk Application>

2007-12-17 18:12:04 0 d-------- C:\Program Files\SAGEM

2007-12-17 14:36:10 0 d-------- C:\perflogs

2007-12-17 09:02:21 0 d-------- C:\Program Files\CAPCOM

2007-12-17 00:05:17 0 d-------- C:\Program Files\Common Files\Microsoft Games

2007-12-16 01:00:33 0 d-------- C:\Users\All Users\Lavasoft

2007-12-16 01:00:33 0 d-------- C:\Program Files\Lavasoft

2007-12-16 01:00:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-12-14 20:18:44 0 d-------- C:\Users\All Users\Avg7

2007-12-14 18:03:58 0 d-------- C:\Program Files\CyberTweak

2007-12-14 17:56:32 0 d-------- C:\Program Files\Dan Elwell's Broadband Speed Test

2007-12-12 04:05:00 0 d-------- C:\Program Files\DAEMON Tools

2007-12-12 04:01:23 685816 --a------ C:\Windows\system32\drivers\sptd.sys

2007-11-30 23:06:30 0 d-------- C:\Casino

2007-11-29 16:50:20 4096 --a------ C:\Windows\system32\sysres.dll

2007-11-29 16:50:20 38567 --a------ C:\Windows\system32\pcpbios.exe

-- Find3M Report ---------------------------------------------------------------

2007-12-28 01:56:52 0 d-------- C:\Users\Lizzard\AppData\Roaming\Azureus

2007-12-27 21:46:16 0 d-------- C:\Users\Lizzard\AppData\Roaming\iWin

2007-12-27 21:30:56 0 d-------- C:\Users\Lizzard\AppData\Roaming\iWinArcade

2007-12-27 20:48:39 0 d-------- C:\Users\Lizzard\AppData\Roaming\LimeWire

2007-12-27 15:59:58 0 d-------- C:\Program Files\Azureus

2007-12-26 15:03:53 0 d-------- C:\Program Files\SopCast

2007-12-17 18:13:18 184 --a------ C:\setuplog.exe

2007-12-17 18:12:24 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-12-17 00:38:12 0 d-------- C:\Users\Lizzard\AppData\Roaming\Microsoft Games

2007-12-17 00:05:17 0 d-------- C:\Program Files\Common Files

2007-12-16 22:43:43 0 d-------- C:\Program Files\Microsoft Games

2007-12-15 10:16:58 0 d-------- C:\Program Files\Acer Zone

2007-11-27 21:01:48 0 d-------- C:\Users\Lizzard\AppData\Roaming\vlc

2007-11-27 21:00:50 0 d-------- C:\Program Files\VideoLAN

2007-11-15 08:56:05 0 d-------- C:\Program Files\Windows Mail

2007-09-28 22:52:11 79832 --a------ C:\Windows\system32\adssite-remove.exe

2007-09-28 16:07:52 3596288 --a------ C:\Windows\system32\qt-dx331.dll

2007-09-28 16:05:50 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>

2007-09-28 16:05:50 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>

2007-09-28 16:05:40 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>

2007-09-28 16:05:40 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>

2007-09-28 16:05:40 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>

2007-09-28 16:05:40 739840 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>

2007-09-28 16:05:08 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [07/12/2006 01:12 AM]

"RtHDVCpl"="RtHDVCpl.exe" [11/09/2006 02:57 AM C:\Windows\RtHDVCpl.exe]

"Acer Empowering Technology Monitor"="C:\Windows\system32\SysMonitor.exe" [11/23/2006 11:24 PM]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [12/27/2007 09:03 PM]

"eRecoveryService"="" []

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]

"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 09:45 AM]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [12/27/2007 09:03 PM]

"autoclk"="autoclk.exe" [01/30/2003 05:48 AM C:\Windows\autoclk.exe]

"adiras"="adiras.exe" []

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/04/2007 05:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [11/02/2006 12:35 PM]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 11:54 AM]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [08/11/2005 10:30 PM]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 12:35 PM]

"cmds"="C:\Users\Lizzard\AppData\Local\Temp\hggeb.dll,c" []

"MSServer"="C:\Users\Lizzard\AppData\Local\Temp\yabyy.dll,#1" []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [12/17/2007 6:12:26 PM]

Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [12/12/2006 9:52:34 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup

backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup

backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]

rundll32.exe C:\Users\Lizzard\AppData\Local\Temp\hggeb.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start]

C:\Windows\System32\Rundll32.exe "C:\Windows\system32\gzmrotate.dll" DllVerify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]

"C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]

rundll32.exe C:\Users\Lizzard\AppData\Local\Temp\yabyy.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]

"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]

??????????????e

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2007-12-28 03:05:07 ------------

[sarahw]

Hi nick.

This forum is for one on one Malware infection support. Please read the information threads at the top of this forum and Start your own thread.

Post a Hijack This log and somebody will help you.

Hi Acidic,

Please Post the DSS scan when ready.