mystery virus

OK, first off, this mystery virus is infecting 3 different machines of mine. 1 has XP Pro and is patched up to date. 1 has XP Home full retail, again patched up to date. 1 has XP Home OEM, and I have 1 drive patched up to date, and 1 drive I installed specifically to find out more about this virus that is at SP2.

At the time my systems were first infected they were only at SP level 2 and all of them had XP Corp edition. (Yes, very bad, having hacked pirated OSes… so what, not everyone has an extra $150-300 at the time they buy a computer to allocate to an OS, and yes, computers are getting cheaper every day; all of these systems are at least 3 years old.) At the time they were infected they had file sharing enabled on all three machines and only 2 machines ran “AVG” free antivirus; the 3rd had no AV software at all.

Currently 2 machines (XP Home full and XP Pro) run the McAfee suite and the other one (XP Home OEM) runs Comodo AV (well, it’s not even on the net anymore as I do not have internet at my apartment, but w/e).

At the time of original infection the primary firewall was a Linksys wireless router, with ZoneAlarm installed on all 3 machines. Under the current config all three machines run Comodo ver 2 firewall.

The only anti-spyware we used before was Lavasoft’s free product; currently they all have BOClean.

Now for the symptoms. First off, when Windows is installed, even on a fully low-level formatted drive, a chkdsk error (under NTFS) comes up that does not go away. It is as follows (although sometimes they find other problems, especially if you haven’t run chkdsk in a while): “Chkdsk Discovered Free Space marked as allocated in the volume bitmap”

Secondly, autorun is disabled magically with no user input whatsoever.

Thirdly, when a low-level format and reinstall has been done, the USB driver goes offline and the system ‘hangs’ for about 1 minute; thereafter the associated chkdsk error pops up. (Prior to the USB going offline the chkdsk returns no error.) This all happens within a minute of installing Windows; if I wasn’t a gamer I probably wouldn’t have gotten chkdsk to run before the event of the virus taking control of the HD.

Fourth, when formatting to FAT32 none of the above symptoms occur; instead this lone error occurs: “The size of \Windows\system32\config\software.log entry is not valid.” When running chkdsk on reboot no error is found, so nothing is fixed.

I am 100% sure that the virus is specific to the NTFS file system and depends on it to run and load the bot that allows hackers remote control of the infected PCs. (There have been logged attempts with Comodo firewall which I suspect are the virus/hackers attempting to figure out why the virus can’t do its dirty internet deeds.)

I have used brand new sealed HDs and the virus still loaded when Windows was installed with NTFS formatting. I believe the virus infects firmwares of the optical drives or else the sound or printer driver, and that the virus spreads through known exploits, and the full level of infection is done by hackers AFTER the initial virus gets in there, and the firmware/NTFS version replaces the ‘original’ virus exploit that infected the systems.

So far the only thing that stops this virus is installing with FAT32. Nothing detects it and I suspect the original exploit was removed to make the virus ‘transparent’. (I saved one of the systems’ HDs and scanned it with 3 AV programs for exploits and it found none, but that system by then already had the chkdsk symptoms.)

Microsoft chalks the chkdsk errors up as a bug; however, I am confident that the NTFS partition is infected to allow the virus to load and run in completely invisible ‘memory’ on the HD. If the virus is in the NTFS then only a non-Windows scanner even has the ability to check for it. Fortunately FAT32 supports 80 gig partitions and none of my HDs really need any larger partition sizes, but I would rather know the exact virus that I have and how to properly remove it. It doesn’t infect EXEs or ZIP files; if it infects anything they’re obscure drivers or firmwares. I haven’t yet backed up any of the firmwares to look for file size/checksum errors vs ‘known good’ firmwares… but I have at least isolated a weakness in the virus since it Depends on NTFS to run. I would have backed up and looked at the .log files (that occurs on the FAT32) but Windows protects these files and they cannot be opened, or backed up, while Windows is running, and the problem disappears on reboot (perhaps the virus removes any trace of itself in the log files on system shutdown).

Well, hopefully someone here will know what to call this virus… It is Very real, and very scary that it can serially reinfect systems across low-level formats and hides its files from everything except chkdsk.

FWIW, I believe the hackers that implanted the virus are the ones running the Battle.net botnet, since those were the only hackers I had any form of communication with other than on slashdot.org, and there is no telling who might have done this if it was a Slashdot hacker.

Sigh. Besides, I actually said to a hacker on Battle.net “it’s been 5 years since I had a computer virus”.
Well, it had been. I also remember a tag name that I found in my registry looking for exploits, but I deleted it, and don’t remember the full name, and have since confused it with many breakfast cereal names. Yes, my registry (on the machine with XP Home OEM) actually was TAGGED by hackers. For real, with their net handle, just to say they’d been there. I also saved an image file they put of a black helicopter when I mentioned a JPG image name on Battle.net. It had been a random image from Yahoo Images, but then they replaced it with a black helicopter pic. That image I actually archived.

I mean, it is kinda cool in a scary way that 30 seconds after you mention it they can upload a new pic to your PC… I saved ‘before’ and ‘after’ pics of that event. That, btw, was while I used ZoneAlarm and was the primary reason for me dropping ZoneAlarm from my list of trusted firewall programs.

Oops, I almost forgot. I had to ‘decommission’ my Linksys wireless router because after I was hacked it did a weird thing: all the lights would blink on at start-up. Prior to the virus thing it never blinked its lights on start-up, and I suspect it was ‘compromised’, so I stopped using it entirely and actually bought a new one. It was an old one, only did wireless B access anyways. (Note the new one currently has wireless disabled, but when my parents move we might enable it with the highest level of security possible on it.) They have both PCs in one room here but are moving and may want the other PC in a different room.

Hi kesuki, thank you for sharing this experience on this Forum.

I had an experience similar to yours too, and when I tried a web search on this type of virus, I did not find anything.

Only in one forum did I find that some users have similarly described this type of attack/malware (you should read the whole thread):

http://help.lockergnome.com/windows/HELP-Terminal-Service-Trojan-ftopict386055.html

The most subtle and disconcerting thing is that only if you are fairly attentive and have advanced knowledge of information technology can you discover the strange behavior of the hit machine.

I hope that soon this kind of wound that attacks the security and privacy of users comes to light.

I’m coming in on this a little late, so this may not be very helpful.

What you’re describing about NTFS is a facility called “alternate data streams”. There is a description of ADS in the Wikipedia NTFS entry (NTFS - Wikipedia).

You’ve apparently tried to reformat, and not been successful, in that whatever it is stays and infects the machine again. Two things to note:

First, most reformat tools don’t zero the disk, so the original bits are still present but within a newly regenerated filesystem structure. If you really want to zero the disk, reformat, and reinstall, I’ll strongly suggest using a disk-vendor tool (Seagate “Seatools” for example), or a standalone wipe utility like “dban” (Darik’s Boot-and-Nuke, an open source package).

Second, any kind of backups are probably a question as to whether they’re infected. You’ll have to presume they are. The standard tactic is to reinstall Windows from clean media, get everything patched up to date, and then stay away from Administrator privileges as much as possible while scanning and recovering the backups. Anti-virus programs are good at their job, but are not a 100% effective technique.

Whatever this was, probably got onto one machine, and then propagated across the LAN using the MS Networking ports. That your USB drives are showing problems implies the virus family that moves across shares and detachable devices.

Cleanup of virus infections like this is not as straightforward as deleting a file or a registry setting. You have to get rid of the entire virus “package” at one time, else it will re-seed itself.

Typical analysis starts with a HiJackThis scan, that can usually identify the startup points that a virus uses to get going when you boot the machine. If you’re still having a problem, I’ll ask that you post a HiJackThis scan, and we’ll start there. HiJackThis is at version 2.0.2, and is available for download at http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

I did some more testing; there is a more descriptive set of chkdsk errors before the one that repeats forever. I missed it the first time but caught it the second time around.

“\Windows\Prefetch\chkdsk.exe-2cc4c59.pf first allocation unit is not valid. The entry will be truncated.” and “\Windows\Prefetch\cmd.exe-087b4001.pf first allocation unit is not valid. The entry will be truncated.”
Secondly, when retesting, the ‘autoplay’ becoming disabled did not happen (I attached a USB HD that had been connected as well to my 3 main machines; I was using an old scrap HD from a long-dead system), but the chkdsk errors were still occurring on all machines regardless of exposure to infected data. I later realized that machine had been networked with the other 2 when I product-activated/patched that HD, and that was when autoplay became disabled. (If the chkdsk thing is not some weird SP2 bug that MS is keeping a lid on, then it’s not the ‘full’ virus that disables autoplay and caused alerts on Comodo firewall.)

On a side note, 3 games which did not work with the patched/autoplay-disabled machine work fine on the system where autoplay is not disabled, but still has chkdsk errors.

As for formatting, to be specific about what I did: I used an old FreeBSD 2.2.2 CD set to ‘erase’ the HD, since it replaces the MBR with BootEasy (a FreeBSD bootloader), but I do not know if their format util was truly erasing the HDs. But remember, I put in a factory-sealed drive and had the chkdsk problems. (One drive I bought ~2 years ago failed under warranty, so they sent out an RMAed drive.) So I don’t know that using Seagate/Maxtor tools to wipe the drive will return any better results. Besides, the 2 drives that I was using to test were from long-ago PCs I used 5-7 years ago or more, kept in a spare parts box… If the chkdsk/cmd programs are being modified on load (the error seems to indicate they had to be truncated) then it’s either something wrong with Windows itself (causing the chkdsk problem) or else the virus is living in some other piece of hardware.

But I’m pretty sure the virus that is causing games to crash etc. was transmitted via the network now. I kept tabs, and on the surface all the cmd.exe and chkdsk.exes looked and appeared to be the same, but if the virus is in the filesystem it doesn’t need to replace cmd.exe or chkdsk.exe. And I can’t figure out why chkdsk would always find that the .pf files for cmd.exe and chkdsk.exe needed to be truncated EVERY time Windows was installed.

The \Windows\Prefetch\ directory contents can be deleted. It’s used as a high-speed lookup so as to reduce paging when loading programs. It gets re-created and re-ordered when you run anything. Your machine will run a little more slowly until that lookup cache gets repopulated.

FreeBSD 2.2.2 is kind of old. The machines here run FreeBSD 6.2 now. But, even FreeBSD doesn’t zero out a disk unless you tell it to do so, with a “dd if=/dev/zero of=/dev/whatever” command (which takes a long long time - hours to days, depending on the disk size, which is why nobody really does it by default).

A brand new disk is most likely not formatted with anything, and so chkdsk has no idea what to do with it. On a new disk, you first have to run “fdisk” to create the partitions, then “format” each of those partitions. Then you can run “chkdsk” on those formatted partitions to see if the files make sense in the context of the filesystem. Your description makes it sound like you skipped a step, and so chkdsk is complaining. The vendor tools presume the disk is zero blank, and do all the steps to make sure the disk is working.
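The point made above, that a reformat regenerates the filesystem structure but leaves the old bits in place until every sector is overwritten, as an added example (not code from the thread): a constructed in-memory disk image, a simulated quick format that rewrites only the metadata region at the front (the region size is an assumption), and a full zero wipe equivalent to `dd if=/dev/zero`, with a carving-style search for a planted marker after each step.

```python
"""Added example (not from the thread): a quick format does not remove old
data; a full zero wipe does.

The 'disk' is a constructed in-memory image.  quick_format() rewrites only the
filesystem metadata region at the front of the disk, as a normal format does;
zero_wipe() overwrites every sector, as 'dd if=/dev/zero of=/dev/whatever'
does.  After each step the raw image is searched for a marker string planted
in the data area, the way a file-carving tool looks for leftover content.
"""
import random

SECTOR = 512
DISK_SECTORS = 2048          # 1 MiB constructed disk image
METADATA_SECTORS = 64        # region a quick format rewrites (assumed size)
MARKER_SECTOR = 1000         # where the 'old install' left its data
MARKER = b"OLD-INSTALL-LEFTOVER-DATA"


def make_disk_with_leftovers(seed: int = 2007) -> bytearray:
    """Return a disk image full of old data with MARKER planted mid-disk."""
    disk = bytearray(random.Random(seed).randbytes(SECTOR * DISK_SECTORS))
    off = MARKER_SECTOR * SECTOR
    disk[off:off + len(MARKER)] = MARKER
    return disk


def quick_format(disk: bytearray) -> None:
    """Simulate a quick format: fresh boot sector and empty metadata region.
    Every sector outside that region is left exactly as it was."""
    disk[:METADATA_SECTORS * SECTOR] = bytes(METADATA_SECTORS * SECTOR)
    disk[0:8] = b"NEWFS1.0"         # constructed stand-in for a boot sector
    disk[510:512] = b"\x55\xAA"     # boot signature, as in a real MBR/VBR


def zero_wipe(disk: bytearray, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte with zeros in dd-sized chunks; return sectors written."""
    zeros = bytes(chunk)
    for off in range(0, len(disk), chunk):
        n = min(chunk, len(disk) - off)
        disk[off:off + n] = zeros[:n]
    return len(disk) // SECTOR


def find_marker(disk: bytearray, marker: bytes = MARKER) -> int:
    """Carve the raw image for the marker; return its sector number or -1."""
    off = disk.find(marker)
    return -1 if off < 0 else off // SECTOR


def verify_wiped(disk: bytearray) -> bool:
    """True only if every byte is zero (the check to run after a wipe)."""
    return not any(disk)


def demo() -> dict:
    """Run the three stages and report whether the marker survived each."""
    disk = make_disk_with_leftovers()
    result = {"fresh": find_marker(disk)}
    quick_format(disk)
    result["after_quick_format"] = find_marker(disk)
    result["quick_format_is_clean"] = verify_wiped(disk)
    zero_wipe(disk)
    result["after_zero_wipe"] = find_marker(disk)
    result["zero_wipe_is_clean"] = verify_wiped(disk)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

On a real drive the same verification is a read of every sector checking for non-zero bytes, which is why a full wipe takes hours rather than the minutes a format does.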

I would suggest using the manufacturer’s hard drive erasing utility to “0” (low-level format) the hard drive. Or use my favorite, “DBAN boot and nuke”, although it can cause problems, but I have never had any (use at own risk).

A real low-level format writes “0” or random data to EVERY sector of a hard drive, meaning NOTHING is left.

Basically it wipes EVERYTHING, then install windows from a LEGIT windows install cd.

If you still have problems, it may be stored in the BIOS. Which I doubt. But if this is the case, a BIOS flash may be the only way (This is a LAST RESORT).

HijackThis log from one of the systems where autoplay was disabled… Note I am using VMware for browsing some sites; I feel safer that way. As I said, Comodo firewall had some alerts in its log I felt might be caused by this virus that is disabling autorun.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:27 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


End of file - 7402 bytes

So far as I can tell, your HJT log looks clean. There are some additional scans that can find things that HJT misses, but before going into those, I’ll ask what you’re experiencing besides the autoplay issue.

Reason being, is that having autoplay turned off can be considered a “security feature”, as it prevents removable media, like USB drives, from infecting a machine simply by being plugged into the machine.
It could be that McAfee settings have disabled autoplay. If that is the case, the setting to re-enable the autoplay is probably buried down in the McAfee configuration details.

If McAfee isn’t the problem, then we’ll go on to the next scan, with Deckard’s System Scanner, which is downloaded from http://www.techsupportforum.com/sectools/Deckard/dss.exe
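Reviewing an HJT log by hand means walking the startup points, services and DNS settings line by line. As an added example (not code from the thread or from Trend Micro), the parser below does that first pass over a constructed log in the same format as the one posted above: it flags unquoted autorun paths containing spaces, autoruns launched from outside the Windows/Program Files trees, services with an unknown owner, and DNS servers not in an assumed operator-supplied list. The flagged items are things to look at, not verdicts; two deliberately suspicious lines (an autorun in a temp directory and a resolver on a documentation address) are planted so the checks have something to find.

```python
"""Added example (not from the thread or from Trend Micro): a small triage
parser for HijackThis-format logs.  It reads the O4 (autorun), O17 (DNS
server) and O23 (service) lines and flags what a reviewer checks by hand.
Findings are review items, not verdicts.  SAMPLE_LOG is constructed in the
format of the posted log, with two suspicious lines planted.
"""
import re

# Resolvers the operator expects on this network (assumption for the demo).
EXPECTED_DNS = {"66.82.4.8"}

# Directory prefixes autoruns are normally launched from (heuristic).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed sample in HijackThis v2 format; the 'updater' autorun in a temp
# directory and the 192.0.2.53 resolver (a documentation address) are planted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\fd\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 192.0.2.53,66.82.4.8
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>[\d., ]+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def split_command(cmd: str):
    """Return (exe_path, quoted).  An unquoted command is cut at the first
    ' /' or ' -' switch, which is how a reviewer reads the line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    return re.split(r" [/-]", cmd, maxsplit=1)[0], False


def _check_autorun(body: str, report: dict) -> None:
    body = USER_SUFFIX_RE.sub("", body)       # drop the "(User '...')" tail
    m = RUN_RE.match(body)
    if not m:
        return                                  # Global Startup etc. not handled
    exe, quoted = split_command(m.group("cmd"))
    entry = {"hive": m.group("hive"), "name": m.group("name"), "exe": exe}
    report["autoruns"].append(entry)
    if " " in exe and not quoted:
        report["findings"].append(f"O4 [{entry['name']}]: unquoted path with spaces: {exe}")
    if not exe.lower().startswith(TRUSTED_PREFIXES):
        report["findings"].append(f"O4 [{entry['name']}]: unusual location: {exe}")


def _check_dns(body: str, report: dict) -> None:
    m = DNS_RE.search(body)
    if not m:
        return
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    report["dns"].extend(servers)
    for s in servers:
        if s not in EXPECTED_DNS:
            report["findings"].append(f"O17: unexpected DNS server {s}")


def _check_service(body: str, report: dict) -> None:
    m = SERVICE_RE.match(body)
    if not m:
        return
    svc = {"name": m.group("name"), "owner": m.group("owner"), "path": m.group("path")}
    report["services"].append(svc)
    if svc["owner"].lower() == "unknown owner":
        report["findings"].append(f"O23: service '{svc['name']}' has no identified owner: {svc['path']}")


def triage(log_text: str) -> dict:
    """Parse an HJT-format log and return parsed entries plus review findings."""
    report = {"autoruns": [], "services": [], "dns": [], "findings": []}
    handlers = {"O4": _check_autorun, "O17": _check_dns, "O23": _check_service}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("code") in handlers:
            handlers[m.group("code")](m.group("body"), report)
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```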

Well, here’s the thing: McAfee is only installed on 2 of the 3 systems with the no-autoplay issue.

I did install Comodo AV on the 3rd but removed it when it was playing havoc with my screen ‘power management’ settings due to a ‘bug’ in the ATI graphics drivers on that system. That system has no internet, and on this system Deckard’s crashes at the very end of running. I will burn DSS to a CD (with firmwares for the optical drive and the system BIOS); I am leaving nothing to chance. I used MaxBlast ver 5 from a burned CD (couldn’t find a retail CD with MaxBlast on it, and I disconnected the floppy and am not sure if my old floppy versions of MaxBlast even work anymore). I noticed that when MaxBlast formatted the HD it left some weird ‘net boot’ thing; it left the following error message…

Intel undi, pxe-2.0 (build 082) for reltek rtl8139(x)/8130/810x pci fast ethernet controller 2.14 media test failure, (040209) check cable pxe-mof: exiting Pxe-E61: pxe rom.

Weird, MaxBlast configures a formatted drive to netboot via PXE?

Just for fun I formatted a fresh (NTFS) system with 2 accounts, 1 admin and 1 ‘limited’ user, and here are the data from the chkdsk: 2,131,220 KB in 6979 files. 1,824 KB in 647 indexes. 31,338 KB by the system. 23,104 occupied by the log file. 4096 bytes per allocation.

Also, the chkdsk error that keeps coming back (every reboot, check for problems) is

Chkdsk discovered freespace marked as allocated in the volume bitmap.

No matter how you run chkdsk this error occurs on Every computer on every HD with every version of WinXP I’ve tried except a pre-SP2 version of XP Corp. I’ve tried the ‘XP Pro replacement CD’ (for people who found they had XP Corp etc.), a full version of XP Home and an OEM copy of XP Home.

The error is different if the filesystem is FAT32, which I noted in this thread already. And yes, MaxBlast let me write 0s and 1s to the HD before formatting it (I let MaxBlast format it, then did it again and let Windows format it); always the same chkdsk problem, but autorun disabling is only on computers networked to 1 with the no-autorun problem.

I just did a real quick google on “check cable pxe-mof”, and the results I got back suggest that this is an indication of a pending disk failure.

The only two ways I know of to verify that are: Get a replacement disk drive. Or run the dban wipe utility at the full “DoD 7 pass security wipe” twice, and if the disk passes without errors, then the disk is probably okay. Disk drives can have reserved areas for controller microcode, and if those reserved areas start to fail, then things can get really weird. This is beginning to qualify as weird.

Simultaneous failures of drives are not unknown, particularly if they’re all the same vendor and make/model. It’s something in the manufacturing process of the batch of the drives that makes them fall over about the same time. Speaking from experience, it can make for a busy time in the office.

My ‘test’ HD is over 12 years old, so it failing would not surprise me. It was the leftovers from an early AMD 333 MHz system… sitting in a parts box for 8 or 9 years. I do have a 15 gig drive that sat in my FreeBSD server for ~18 months (I decommissioned that machine when small affordable routers came on the market) that I could start using instead of that drive.

The bad news: my mobo (in my machine) only supports ‘live update’ of the BIOS; a full Windows install must be connected to the net for me to install a new BIOS. I can do that tomorrow maybe.

I’m finding nothing about disabling or enabling autorun/autoplay in McAfee’s options or help files… I doubt the McAfee software was disabling autorun. I am making a couple of CDs with utils so I can test further. I’ll try to run Deckard’s on the autoplay-disabled drive I have at home, and if it crashes on that system too then I’ll be very suspicious. I’ll then see if it runs on the scratch drives I’ve been using in the interim.

Plus one to the weirdness factor: DBAN’s site won’t load the DL link in Internet Explorer.

I get an “Internet Explorer cannot display the webpage” page. Suspicious.

I had to load VMware to DL the ISO, so I know it’s not my ISP.

Problems like these are why I’m glad I switched my MP3-playing system to Linux for good. I used to keep my MP3s on my FreeBSD server and crontab them to wake me in the morning, but now my cell phone is my main alarm system, so it just plays music all day and night and I turn on the stereo when I want music. The mouse (a trackball) is set up on the skip-forward button because I don’t keep a keyboard attached for commands to the player.

I’m considering giving my parents a trial run on Linux (on a backup HD) to see if they’d rather use Ubuntu.

First off, I figured out what happened with MaxBlast. It must have put an ‘empty’ DOS config or something of the like, which Windows XP called an ‘unknown operating system’; when the HD failed to boot, the motherboard went in default boot order and attempted to boot over the integrated LAN controller. Still weird that MaxBlast would bother writing OS files to a formatted drive that don’t actually boot to an OS… but w/e.

Secondly, to answer about the HDs… well, here’s a small list of the HDs I’ve tried. ‘Scratch drive’: Maxtor 90432D2; ‘main HD’: Maxtor DiamondMax 10 6L200S0, made 11 Nov 2005; ‘15 gig, it is RIP’: Maxtor 531DX, made 09 Apr 2001; ‘FAT32 drive’: Maxtor DiamondMax VL40 5400 rpm, made 28 Mar 2001; ‘mom’s computer’: new Seagate RMA’ed drive; ‘dad’s computer’: unknown WD or Maxtor drive from around 4-5 years ago. As you can see, not an identical HD in the lot. So having the exact same error on every HD is not a very likely thing to happen.

Used my ‘scratch drive’ with DBAN ‘auto’ mode. Took 30 minutes (as long as a Windows install, sheesh) on a scrappy drive that is actually 10 or 20 gigs, but due to ‘modern BIOS limitations’ the ‘ugly kludge’ that allowed early computers to use a 20 gig HD when most were designed to hold 4 gigs at MAX doesn’t work on modern motherboards, so it falls back to the ‘then’ BIOS limitation of 4 GB. Formats in 3 minutes flat, though I think I should have used a non-auto format mode to wipe it with 1s or 0s instead of ‘random’ Mersenne primes. DBAN is Definitely cool.
I did chkdsk with only 1 account, after I copied the Deckard’s System Scanner exe + firmware v1.07 for my DVD±RW drive.
I had installed the firmware, then ran DSS, then ran chkdsk.

Autorun was still working on the ‘scratch’ drive. But I noticed 2 weird things.

WTF. I was trying to do something and I noticed… dum dum dum… the EXTENSION OF A TEXT FILE ON A NEAR-VIRGIN WINDOWS INSTALL. The only things I had installed were Deckard’s, a firmware upgrade and my favorite DVD burning software, InfraRecorder. When I was copying DVD files and making fake VOB files (to see if InfraRecorder had region settings) was the point where I realized WINDOWS WASN’T HIDING THE ‘TXT’S. Does Deckard’s do this? Because none of the other software does this…

Okay, not that I was going to use it, but Windows CD burning errored on double-clicking a blank CD disk from Windows Explorer. By default this is supposed to open the ‘add files to my blank CD preview window’, not error. I had already installed ‘InfraRecorder’ and was planning to use that, but Windows CD recording erroring was something I thought I would mention.

Begin chkdsk;

C:\Documents and Settings\fd>chkdsk
The type of the file system is FAT32.
Volume Serial Number is 200C-75FE
Windows is verifying files and folders…
Windows found errors on the disk, but will not fix them
because disk checking was run without the /F (fix) parameter.
The size of the \WINDOWS\system32\config\software.LOG entry is not valid.
File and folder verification is complete.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.
4,200,772 KB total disk space.
1,389,780 KB in 328 hidden files.
2,376 KB in 556 folders.
785,116 KB in 6,702 files.
2,023,496 KB are available.

    4,096 bytes in each allocation unit.
1,050,193 total allocation units on disk.
  505,874 allocation units available on disk.

C:\Documents and Settings\fd>

Note, I was disabling everything ASAP as Windows installed that I could think of: remote assistance, system restore, error reporting… I even tried removing all network protocols (during install), but TCP/IP can’t be removed from Windows XP.
begin main.txt;
Deckard’s System Scanner v20071014.68
Run by fd on 2007-12-08 22:02:47
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable…success.

-- Last 1 Restore Point(s) --
1: 2007-12-09 06:02:53 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-08 22:03:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\fd\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


End of file - 912 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1002&DEV_5954&SUBSYS_71411462&REV_00\4&1CF2FBB4&0&2808
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1002&DEV_5954&SUBSYS_71411462&REV_00\4&1CF2FBB4&0&2808
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_71451462&REV_11\3&267A616A&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_71451462&REV_11\3&267A616A&0&A0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1002&DEV_4370&SUBSYS_B0121462&REV_02\3&267A616A&0&A5
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1002&DEV_4370&SUBSYS_B0121462&REV_02\3&267A616A&0&A5
Service:

-- Files created between 2007-11-08 and 2007-12-08 -----------------------------

2007-12-08 22:03:00 0 d--hs---- C:\Recycled
2007-12-08 21:54:25 0 d-------- C:\Documents and Settings\fd\Application Data\Identities
2007-12-08 21:54:05 0 d--h----- C:\Documents and Settings\fd\Templates
2007-12-08 21:54:05 0 dr------- C:\Documents and Settings\fd\Start Menu
2007-12-08 21:54:05 0 dr-h----- C:\Documents and Settings\fd\SendTo
2007-12-08 21:54:05 0 dr-h----- C:\Documents and Settings\fd\Recent
2007-12-08 21:54:05 0 d--h----- C:\Documents and Settings\fd\PrintHood
2007-12-08 21:54:05 0 d--h----- C:\Documents and Settings\fd\NetHood
2007-12-08 21:54:05 0 dr------- C:\Documents and Settings\fd\My Documents
2007-12-08 21:54:05 0 dr------- C:\Documents and Settings\fd\Favorites
2007-12-08 21:54:05 0 d-------- C:\Documents and Settings\fd\Desktop
2007-12-08 21:54:05 0 d---s---- C:\Documents and Settings\fd\Cookies
2007-12-08 21:54:05 0 dr-h----- C:\Documents and Settings\fd\Application Data
2007-12-08 21:54:04 524288 --ah----- C:\Documents and Settings\fd\NTUSER.DAT
2007-12-08 21:54:04 0 d--h----- C:\Documents and Settings\fd\Local Settings
2007-12-08 21:53:16 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-12-08 21:53:16 0 d--hs---- C:\System Volume Information
2007-12-08 21:53:14 0 d---s---- C:\WINDOWS\system32\Microsoft
2007-12-08 21:53:14 0 d-------- C:\WINDOWS\Prefetch
2007-12-08 21:53:13 0 d---s---- C:\Documents and Settings\LocalService\Cookies
2007-12-08 21:53:13 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-12-08 21:53:13 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-12-08 21:53:12 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2007-12-08 21:53:12 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-12-08 21:52:53 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-12-08 21:52:53 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-12-08 21:52:53 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2007-12-08 21:52:53 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-12-08 21:52:53 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-12-08 21:51:09 0 d-------- C:\WINDOWS\system32\xircom
2007-12-08 21:51:09 0 d-------- C:\Program Files\microsoft frontpage
2007-12-08 21:51:06 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-12-08 21:50:57 0 d--h----- C:\WINDOWS\$hf_mig$
2007-12-08 21:50:41 0 -rahs---- C:\MSDOS.SYS
2007-12-08 21:50:41 0 -rahs---- C:\IO.SYS
2007-12-08 21:50:41 0 --a------ C:\CONFIG.SYS
2007-12-08 21:50:41 0 --a------ C:\AUTOEXEC.BAT
2007-12-08 21:49:31 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-12-08 21:49:16 0 dr------- C:\WINDOWS\Offline Web Pages
2007-12-08 21:49:16 0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-12-08 21:49:02 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-08 21:48:39 0 d-------- C:\WINDOWS\system32\DirectX
2007-12-08 21:48:09 0 d---s---- C:\WINDOWS\Tasks
2007-12-08 21:48:08 0 d-------- C:\Program Files\Common Files\MSSoap
2007-12-08 21:48:03 0 d-------- C:\WINDOWS\srchasst
2007-12-08 21:48:02 0 d-------- C:\WINDOWS\system32\Macromed
2007-12-08 21:47:53 0 d-------- C:\Program Files\Movie Maker
2007-12-08 21:47:45 0 d-------- C:\WINDOWS\system32\Restore
2007-12-08 21:47:23 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-12-08 21:46:53 0 d-------- C:\WINDOWS\Registration
2007-12-08 21:46:22 0 d-------- C:\Program Files\Online Services
2007-12-08 21:46:15 0 d-------- C:\Program Files\Messenger
2007-12-08 21:46:11 0 d-------- C:\Program Files\MSN Gaming Zone
2007-12-08 21:45:31 0 d-------- C:\Program Files\Windows NT
2007-12-08 21:45:28 0 d-------- C:\WINDOWS\system32\MsDtc
2007-12-08 21:45:26 0 d-------- C:\WINDOWS\system32\Com
2007-12-08 21:39:19 0 d--hs---- C:\WINDOWS\Installer
2007-12-08 21:39:18 0 d-------- C:\Program Files\Common Files\ODBC
2007-12-08 21:39:13 0 dr------- C:\Program Files
2007-12-08 21:39:13 0 d-------- C:\Program Files\Common Files
2007-12-08 21:39:13 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-12-08 21:38:44 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-12-08 21:38:44 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-12-08 21:38:44 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-12-08 21:38:44 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-12-08 21:38:44 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-12-08 21:38:44 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-12-08 21:38:44 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-12-08 21:38:44 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-12-08 21:38:44 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-12-08 21:38:44 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-12-08 21:38:44 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-12-08 21:38:44 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-12-08 21:38:44 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-12-08 21:38:44 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-12-08 21:38:44 0 dr------- C:\Documents and Settings\All Users\Documents
2007-12-08 21:38:44 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-12-08 21:35:38 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-12-08 21:35:38 0 d-------- C:\WINDOWS\system32\CatRoot
2007-12-08 21:35:33 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-12-08 21:35:33 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-12-08 21:35:32 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-12-08 21:35:32 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-12-08 21:35:04 0 d-------- C:\Documents and Settings
2007-12-08 21:27:09 0 d-------- C:\WINDOWS
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\WinSxS
2007-12-08 21:27:09 0 dr------- C:\WINDOWS\Web
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\twain_32
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\wins
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\wbem
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\usmt
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\spool
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\ShellExt
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\Setup
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\ras
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\oobe
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\npp
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\mui
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\inetsrv
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\IME
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\icsxml
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\ias
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\export
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\drivers
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-12-08 21:27:09 0 dr-hs---- C:\WINDOWS\system32\dllcache
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\dhcp
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\config
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\3076
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\2052
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1054
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1042
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1041
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1037
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1033
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1031
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1028
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system32\1025
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\system
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\security
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Resources
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\repair
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Provisioning
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\PeerNet
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\pchealth
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\mui
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\msapps
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\msagent
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Media
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\java
2007-12-08 21:27:09 0 d--h----- C:\WINDOWS\inf
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\ime
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Help
2007-12-08 21:27:09 0 dr--s---- C:\WINDOWS\Fonts
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Driver Cache
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Debug
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Cursors
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Connection Wizard
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\Config
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\AppPatch
2007-12-08 21:27:09 0 d-------- C:\WINDOWS\addins

-- Find3M Report ---------------------------------------------------------------

2007-12-08 21:38:46 62 --ahs---- C:\Documents and Settings\fd\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bf2b5a3-a5d3-11dc-b694-806d6172696f}]
AutoRun\command- D:\setup.exe

-- End of Deckard’s System Scanner: finished at 2007-12-08 22:04:16 ------------

begin extra.txt;
Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 895.36 MiB / 726.06 MiB
Pagefile Memory (total/avail): 2169.19 MiB / 2066.26 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.17 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 4.01 GiB total, 1.94 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 90432D2 - 4.02 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 4.01 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\fd\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=Z-36AD971BBEE84
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\fd
LOGONSERVER=\\Z-36AD971BBEE84
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\fd\LOCALS~1\Temp
TMP=C:\DOCUME~1\fd\LOCALS~1\Temp
USERDOMAIN=Z-36AD971BBEE84
USERNAME=fd
USERPROFILE=C:\Documents and Settings\fd
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

fd

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

-- Application Event Log -------------------------------------------------------

Event Record #/Type24 / Warning
Event Submitted/Written: 12/08/2007 09:54:08 PM
Event ID/Source: 1005 / Windows Product Activation
Event Description:
Your Windows product has not been activated with Microsoft yet. Please use the Product Activation Wizard within 30 days.

Event Record #/Type11 / Warning
Event Submitted/Written: 12/08/2007 09:46:36 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type54 / Error
Event Submitted/Written: 12/08/2007 10:02:05 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type37 / Error
Event Submitted/Written: 12/08/2007 09:59:11 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type14 / Error
Event Submitted/Written: 12/08/2007 09:53:29 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

-- End of Deckard’s System Scanner: finished at 2007-12-08 22:04:16 ------------

Your DSS log seems to be clean, and it also looks to be a fresh machine install (not activated yet). This is actually one of the cleanest logs I’ve seen in a while.

The chkdsk is obviously tripping over something. Running dban in the default mode will do a fast zero wipe, but not really work the disk. Select the 5200.1 wipe, and make the most of the options, like verify after each pass, and run all 7 passes. It’ll take considerably longer than 30 minutes. The DoD 5200.1 wipe sequence is the most intensive disk exerciser I’ve encountered. If there’s a problem, this will trip over it.

The more I’m thinking about it, the more it seems to be some kind of hardware problem. There is a site I’ve seen referenced a lot at http://www.pcpitstop.com/ that runs a hardware diagnostic check. It’s a free registration, and may give some insight as to what’s going on, if it’s something more than a disk drive problem (e.g. flaky controller, or a motherboard problem).

Regarding seeing file extensions, that can vary all over the place, depending on what folder you’re in, and how overall system options are set. If you go into Windows Explorer, the top line toolbar, click Tools, and select Folder Options, you can mix and match as you choose. I have my systems show all extensions, just in case something tries to hide a “thisfile.txt.exe” somewhere.

Well, since then I did find 2 things that concern me…

2 of the ‘CD-R’ discs I have now contain more sessions than I burned to them. One disc I burned 2 sessions to now contains a ‘mysterious third session’; the actual CD-R with my ‘drivers’, which was supposed to contain 1 session, now contains ‘4 sessions’. So I did run DSS again on that computer… (Actually I noticed all this when autorun disabled right after I had patched the machine at my parents’, after carefully removing their systems from the network etc.) Autorun actually worked for a few hours before it stopped working for no reason. The second DSS scan did find malware, but it had an uninstaller in the Windows menu… Not trusting malware uninstallers, I simply nuked the disk and activated Windows over the telephone…

Autorun should not be disabling for no apparent reason. IE shouldn’t refuse to load pages for various software removal tools. The chkdsk error could be an obscure Windows bug… The only common denominator is that all my machines have AMD processors… Does chkdsk not work right with AMD CPUs since SP2? It always worked in SP1…

BTW, Deckard’s crashes on my parents’ computers, which are ‘always’ on the net, and numerous malicious software removal tool sites refuse to load in IE. Since I can’t run any sophisticated malware scanners, it’s hard to tell what all might be on my parents’ systems… Probably the only option would be to run some sort of scanner from, say, a Bart’s PE disk…

I’m not even sure what programs I would put on a Bart’s PE to detect and possibly clean, and what to load to protect them from getting software that prevents IE from loading sites and causes removal and scanning tools to crash.

I can download and burn from VMware, which seems to bypass whatever is causing trouble on my parents’ machine. HijackThis does run, so here is a HJT log from my mom’s PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:15 AM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


End of file - 7475 bytes

And that log looks clean, so far as I can tell. Time to start suspecting there is a rootkit running around in the background, making things look nice.

Two things to try, if there is a rootkit. One is to rename the scanning programs to something else, like having HiJackThis.exe be called this.exe, and dss.exe that.exe. If you have the earlier results and compare them to the scan done by a renamed program, and there is any difference that you can’t otherwise explain, then there is very, very likely a rootkit.

The other is to run at least one rootkit detector. There’s one at sysinternals.com. Another is F-Secure Blacklight, available at http://www.f-secure.com/security_center/. Another is GMER, at GMER - Rootkit Detector and Remover. Each of these looks for slightly different things, so running more than one would probably be a good idea. Download, then rename, and run.

Being unable to reach security sites, or download programs, is a typical defense tactic that malware uses. Check your machine’s “host” file. On my machine that is c:\windows\system32\drivers\etc\host
Also, your DNS cache could be “preloaded”, or the nameserver lookups diverted. A way to test that is to compare the results of a name lookup done by a known clean machine with what your machine(s) give as an answer.

An alternative to BartPE is to physically pull the disk drive out of your machine and install it as a slave drive in another machine. Then run any and every scanner you can on that slave drive. If need be, you could zero-wipe the drive as a slave drive, then physically reinstall it into your machine and do a reinstall.

If you’re seeing extra sessions on your CD-Rs, that would seem to imply that those CD-Rs are somehow infected. If that is the case, then any CD backups that you have may simply be re-seeding your machines.

And, I run AMD processor systems also. Not a problem, and none reported that I know of. Anything that would be a problem would be reported loudly and quickly, by Intel if nobody else.
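The two comparisons suggested in the reply above, the renamed-scanner diff and the hosts-file check, as an added, self-contained example; it is not part of this thread and not code from HijackThis or Deckard's System Scanner. It assumes two HijackThis logs saved as text (the constructed samples stand in for a run of HijackThis.exe and a run of a copy renamed to that.exe) and a hosts file in the standard Windows location, %SystemRoot%\system32\drivers\etc\hosts. The process name hidden-example.exe, the all-zero interface GUID, the example.invalid URL and the 192.0.2.x (TEST-NET) addresses are placeholders, not values from the logs on this page.

```python
"""Added example: spot what a scanner was not allowed to see, and what
the hosts file is doing to name lookups.

diff_hijackthis_logs()    compares a HijackThis log with one produced by a
                          renamed copy of the scanner; entries that only the
                          renamed copy reports were hidden from the original.
suspicious_hosts_entries() lists every hosts-file mapping other than
                          localhost -> loopback, which is all a stock XP
                          hosts file contains.
All sample data is constructed for the example.
"""
import ipaddress
import re

# HijackThis report entries start with a section code (R0, F2, N1, O4, O17,
# O23, ...) followed by " - ".
_HJT_ENTRY = re.compile(r"^(?:R\d|F\d|N\d|O\d{1,2}) - ")


def parse_hijackthis_log(text):
    """Return (running-process paths, report entries) from a HijackThis log.

    Both sets are lower-cased so that case-only path differences such as
    c:\\progra~1 versus C:\\PROGRA~1 do not show up as changes."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())
        elif _HJT_ENTRY.match(line):
            entries.add(line.lower())
    return processes, entries


def diff_hijackthis_logs(log_original, log_renamed, scanner_files=("hijackthis.exe",)):
    """Differences between a scan by HijackThis.exe and one by a renamed copy.

    The scanner's own process line differs by construction, so every file name
    in scanner_files is dropped before comparing.  Anything left in the
    *_only_in_renamed sets was invisible to the scanner under its real name."""
    ignore = tuple(name.lower() for name in scanner_files)
    procs_o, ents_o = parse_hijackthis_log(log_original)
    procs_r, ents_r = parse_hijackthis_log(log_renamed)
    procs_o = {p for p in procs_o if not p.endswith(ignore)}
    procs_r = {p for p in procs_r if not p.endswith(ignore)}
    return {
        "processes_only_in_original": procs_o - procs_r,
        "processes_only_in_renamed": procs_r - procs_o,
        "entries_only_in_original": ents_o - ents_r,
        "entries_only_in_renamed": ents_r - ents_o,
    }


def suspicious_hosts_entries(hosts_text):
    """Return (hostname, address, reason) for every mapping except
    localhost -> loopback.  Pointing a vendor's site at 127.0.0.1 blocks it;
    pointing it anywhere else redirects it."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            flagged.append((line, "", "unparseable line"))
            continue
        for name in fields[1:]:
            name = name.lower()
            if addr.is_loopback and name in ("localhost", "localhost.localdomain"):
                continue
            reason = "blocked (sent to loopback)" if addr.is_loopback else "redirected"
            flagged.append((name, str(addr), reason))
    return flagged


# Constructed sample: a scan under the scanner's real name ...
SAMPLE_LOG_ORIGINAL = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# ... and the same machine scanned by a copy renamed to that.exe, which a
# name-matching rootkit does not recognise (hidden-example.exe is a placeholder).
SAMPLE_LOG_RENAMED = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\hidden-example.exe
C:\Documents and Settings\user\Desktop\that.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [hidden-example] C:\WINDOWS\system32\hidden-example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O23 - Service: Hidden Example (hiddenexample) - Unknown owner - C:\WINDOWS\system32\hidden-example.exe
"""

# Constructed hosts file: one vendor site blocked, one update site redirected.
SAMPLE_HOSTS = """# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
127.0.0.1       download.mcafee.com        # vendor site blocked
192.0.2.10      www.update.microsoft.com   # redirected to TEST-NET
"""


def run_example():
    diff = diff_hijackthis_logs(SAMPLE_LOG_ORIGINAL, SAMPLE_LOG_RENAMED,
                                scanner_files=("hijackthis.exe", "that.exe"))
    return diff, suspicious_hosts_entries(SAMPLE_HOSTS)


if __name__ == "__main__":
    diff, hosts = run_example()
    for key, value in diff.items():
        print(key, sorted(value))
    for entry in hosts:
        print("hosts:", entry)
```

On a real machine, read the two saved logs into `diff_hijackthis_logs()` and the hosts file into `suspicious_hosts_entries()`; anything in the `entries_only_in_renamed` set needs an explanation before the log is called clean, and on XP any hosts line beyond `127.0.0.1 localhost` was put there by something.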

Renaming ‘Deckard’s’ allowed it to run; however, I didn’t re-download it (the file had been sitting there all this time), so I’m going to post what its results are and then try to re-download Deckard’s, rename it, and run it again.

Main.txt
Deckard’s System Scanner v20071014.68
Run by Ryan on 2007-12-13 18:13:14
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

-- Last 5 Restore Point(s) --
13: 2007-12-14 00:13:22 UTC - RP13 - Deckard’s System Scanner Restore Point
12: 2007-12-13 13:15:41 UTC - RP12 - System Checkpoint
11: 2007-12-12 09:00:16 UTC - RP11 - Software Distribution Service 3.0
10: 2007-12-12 04:06:20 UTC - RP10 - System Checkpoint
9: 2007-12-11 03:26:19 UTC - RP9 - System Checkpoint

-- First Restore Point --
1: 2007-12-04 00:16:19 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 88% (more than 75%).

-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:20 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Documents and Settings\Ryan\Desktop\that.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip..{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip..{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip..{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


End of file - 7556 bytes

– File Associations -----------------------------------------------------------

All associations okay.

– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

– Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&5840
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1095&DEV_3112&SUBSYS_61121095&REV_02\4&3B1D9AB8&0&5840
Service:

– Scheduled Tasks -------------------------------------------------------------

2007-09-29 15:26:23 288 --ah----- C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

– Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-06 16:28:55 0 d-------- C:\Program Files\Trend Micro
2007-12-03 17:08:43 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 20:39:48 0 d-------- C:\Program Files\Ubisoft
2007-11-25 18:07:41 0 d-------- C:\Program Files\3DO
2007-11-23 09:49:23 229 --a------ C:\WINDOWS\PowerReg.dat
2007-11-22 13:49:03 0 d-------- C:\Program Files\Hasbro Interactive
2007-11-22 13:48:57 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-11-22 13:48:55 0 d-------- C:\Documents and Settings\Ryan\WINDOWS
2007-11-15 11:40:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-11-13 05:24:11 0 d-------- C:\Documents and Settings\Dena or Roy\Application Data\Google

– Find3M Report ---------------------------------------------------------------

2007-12-13 18:09:29 0 d-------- C:\Documents and Settings\Ryan\Application Data\VMware
2007-12-03 18:06:09 0 d-------- C:\Program Files\Winamp
2007-12-03 17:55:43 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-03 17:53:28 0 d-------- C:\Program Files\Google
2007-11-25 20:39:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 10:19:09 0 d-------- C:\Documents and Settings\Ryan\Application Data\Google
2007-11-08 18:38:34 0 d-------- C:\Program Files\Java
2007-10-23 17:27:07 0 d-------- C:\Documents and Settings\Ryan\Application Data\Macromedia
2007-10-16 10:49:14 0 d-------- C:\Program Files\InfraRecorder
2007-10-16 10:36:47 0 d-------- C:\Documents and Settings\Ryan\Application Data\InfraRecorder
2007-10-16 09:06:03 0 d-------- C:\Documents and Settings\Ryan\Application Data\DMCache
2007-09-23 11:06:53 106525 --a------ C:\WINDOWS\War3Unin.dat
2007-09-23 10:46:53 2829 --a------ C:\WINDOWS\War3Unin.pif
2007-09-23 10:46:53 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-09-23 09:20:15 21643294 --a------ C:\sdat5125.exe <Not Verified; McAfee, Inc.; McAfee Core Components>
2007-09-21 11:48:14 0 -rahs---- C:\MSDOS.SYS
2007-09-21 11:48:14 0 -rahs---- C:\IO.SYS
2007-09-21 11:48:14 0 --a------ C:\CONFIG.SYS
2007-09-21 11:48:14 0 --a------ C:\AUTOEXEC.BAT
2007-09-21 11:45:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-21 06:36:34 62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [09/21/2007 04:22 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [08/21/2007 06:56 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 07:51 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 04:22 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 11:05 AM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 11:49 AM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 04:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/15/2007 05:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 2:15:54 AM]

– End of Deckard’s System Scanner: finished at 2007-12-13 18:15:47 ------------

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

– System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2600+
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 511.49 MiB / 71.88 MiB
Pagefile Memory (total/avail): 1248.76 MiB / 804.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.84 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 93.15 GiB total, 32.46 GiB free.
D: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - ST3100011A - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:

– Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Cerberus\Cerberus.exe"="C:\Program Files\Cerberus\Cerberus.exe:*:Enabled:Cerberus FTP Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

– Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ryan\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NONE-D2B0CC9969
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ryan
LOGONSERVER=\\NONE-D2B0CC9969
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ryan\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ryan\LOCALS~1\Temp
USERDOMAIN=NONE-D2B0CC9969
USERNAME=Ryan
USERPROFILE=C:\Documents and Settings\Ryan
windir=C:\WINDOWS

– User Profiles ---------------------------------------------------------------

Dena or Roy
Ryan
Administrator (new local, admin)

– Add/Remove Programs ---------------------------------------------------------

→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 → C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
ATI - Software Uninstall Utility → C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver → rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Axis & Allies Iron Blitz → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Axis & Allies Iron Blitz\Uninst.isu"
CDBurnerXP Pro 3 → MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Cerberus FTP Server → MsiExec.exe /I{889BE503-D5B7-4670-9DA8-19720CA1DCAD}
COMODO Firewall Pro → C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
eMusic - 50 Free MP3 offer → "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Google Toolbar for Internet Explorer → MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer → regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GTK+ 2.10.13 runtime environment → "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Heroes of Might and Magic V - Tribes of the East → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66FF4C48-0083-4E60-8556-B883AB200092}\setup.exe" -l0x9
Heroes of Might and Magic® III → C:\WINDOWS\IsUninst.exe -f"C:\Program Files\3DO\Heroes3\Uninst.isu" -c"C:\Program Files\3DO\Heroes3\uninst.dll"
HijackThis 2.0.2 → "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
InfraRecorder → C:\Program Files\InfraRecorder\uninstall.exe
Java™ 6 Update 2 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 → MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
McAfee SecurityCenter → c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan → c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Office 2000 SR-1 Professional → MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Nero - Burning Rom → MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NVIDIA Drivers → C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
NvMixer → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall
Panda ActiveScan → C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
The Game Of Life → C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\The Game Of Life\DeIsL1.isu" -c"C:\Program Files\Hasbro Interactive\The Game Of Life\_ISREG32.DLL"
The GIMP 2.2.17 → "C:\Program Files\GIMP-2.0\unins000.exe"
VMware Player → MsiExec.exe /I{A53A11EA-0095-493F-86FA-A15E8A86A405}
Warcraft III: All Products → C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Winamp (remove only) → "C:\Program Files\Winamp\UninstWA.exe"

– Application Event Log -------------------------------------------------------

Event Record #/Type404 / Error
Event Submitted/Written: 12/13/2007 06:09:25 PM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type396 / Error
Event Submitted/Written: 12/11/2007 11:38:56 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type395 / Error
Event Submitted/Written: 12/11/2007 10:49:43 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type394 / Error
Event Submitted/Written: 12/10/2007 10:16:16 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

Event Record #/Type393 / Error
Event Submitted/Written: 12/10/2007 10:16:08 AM
Event ID/Source: 100 / vmauthd
Event Description:
Cannot connect to VMX: C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx

– Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

– System Event Log ------------------------------------------------------------

Event Record #/Type2013 / Warning
Event Submitted/Written: 12/13/2007 05:46:21 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1924 / Warning
Event Submitted/Written: 12/11/2007 01:36:27 PM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

Event Record #/Type1920 / Warning
Event Submitted/Written: 12/11/2007 10:55:20 AM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

Event Record #/Type1912 / Warning
Event Submitted/Written: 12/10/2007 10:19:53 AM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

Event Record #/Type1886 / Warning
Event Submitted/Written: 12/09/2007 03:54:18 PM / 12/09/2007 03:54:19 PM
Event ID/Source: 1 / VMnetDHCP
Event Description:
dispatch: Timeout waiting for input data

– End of Deckard’s System Scanner: finished at 2007-12-13 18:15:47 ------------

Weird. The Deckard's log is a different size every time I run it. Here is the 'second' run.

Deckard’s System Scanner v20071014.68
Run by Ryan on 2007-12-13 18:33:30
Computer is in Normal Mode.

Percentage of Memory in Use: 84% (more than 75%).

– HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:34 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Documents and Settings\Ryan\Desktop\nyet.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dena or Roy')
O4 - HKUS\S-1-5-21-1409082233-2052111302-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Dena or Roy')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


End of file - 7556 bytes

– Files created between 2007-11-13 and 2007-12-13 -----------------------------

2007-12-06 16:28:55 0 d-------- C:\Program Files\Trend Micro
2007-12-03 17:08:43 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 20:39:48 0 d-------- C:\Program Files\Ubisoft
2007-11-25 18:07:41 0 d-------- C:\Program Files\3DO
2007-11-23 09:49:23 229 --a------ C:\WINDOWS\PowerReg.dat
2007-11-22 13:49:03 0 d-------- C:\Program Files\Hasbro Interactive
2007-11-22 13:48:57 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-11-22 13:48:55 0 d-------- C:\Documents and Settings\Ryan\WINDOWS
2007-11-15 11:40:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-11-13 05:24:11 0 d-------- C:\Documents and Settings\Dena or Roy\Application Data\Google

– Find3M Report ---------------------------------------------------------------

2007-12-13 18:09:29 0 d-------- C:\Documents and Settings\Ryan\Application Data\VMware
2007-12-03 18:06:09 0 d-------- C:\Program Files\Winamp
2007-12-03 17:55:43 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-03 17:53:28 0 d-------- C:\Program Files\Google
2007-11-25 20:39:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 10:19:09 0 d-------- C:\Documents and Settings\Ryan\Application Data\Google
2007-11-08 18:38:34 0 d-------- C:\Program Files\Java
2007-10-23 17:27:07 0 d-------- C:\Documents and Settings\Ryan\Application Data\Macromedia
2007-10-16 10:49:14 0 d-------- C:\Program Files\InfraRecorder
2007-10-16 10:36:47 0 d-------- C:\Documents and Settings\Ryan\Application Data\InfraRecorder
2007-10-16 09:06:03 0 d-------- C:\Documents and Settings\Ryan\Application Data\DMCache
2007-09-23 11:06:53 106525 --a------ C:\WINDOWS\War3Unin.dat
2007-09-23 10:46:53 2829 --a------ C:\WINDOWS\War3Unin.pif
2007-09-23 10:46:53 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-09-23 09:20:15 21643294 --a------ C:\sdat5125.exe <Not Verified; McAfee, Inc.; McAfee Core Components>
2007-09-21 11:48:14 0 -rahs---- C:\MSDOS.SYS
2007-09-21 11:48:14 0 -rahs---- C:\IO.SYS
2007-09-21 11:48:14 0 --a------ C:\CONFIG.SYS
2007-09-21 11:48:14 0 --a------ C:\AUTOEXEC.BAT
2007-09-21 11:45:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-21 06:36:34 62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini

– Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [09/21/2007 04:22 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [08/21/2007 06:56 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 07:51 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 04:22 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [01/11/2006 11:05 AM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 11:49 AM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 04:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/15/2007 05:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 2:15:54 AM]

– End of Deckard’s System Scanner: finished at 2007-12-13 18:34:07 ------------
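Editor's added example, not the poster's code and not part of HijackThis or Deckard's System Scanner: a small Python triage pass over log lines in the format posted above. It pulls the O17 resolvers out so they can be checked against what the ISP or router should actually be handing out, lists any O23 service reported with "Unknown owner" (no publisher information in the binary), and cross-references the running-process list against the O4 and O23 entries that would account for each process, reporting only processes running from a user-writable path with nothing starting them. The sample lines are copied from the second HijackThis log in the post; the user-writable heuristic and the "explained by an autostart or service entry" logic are this example's own assumptions, and its output is a list of items to identify by hand, not a verdict on any file. Needs Python 3.8 or later.

```python
"""Triage pass over a HijackThis-style log.

Added example for this thread, not code from the original post and not part
of HijackThis or Deckard's System Scanner.  Everything it reports is a lead
to identify by hand, not a verdict on any file.
"""
import re

# Constructed sample: a few lines copied from the second HijackThis log in
# the post above, in HJT's own form (e.g. "HKLM\..\Run").
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan\Desktop\nyet.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

O4_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .+?: NameServer = (?P<ns>[\d.,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption (this example's, not HJT's): a user profile or a Temp directory
# is a user-writable location; a process running from there with no autostart
# or service entry explaining it is the first thing to identify.
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\",)
USER_WRITABLE_PARTS = ("\\temp\\", "\\local settings\\")


def exe_from_command(cmd):
    """Return the executable path from an O4 command line, dropping switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted paths may contain spaces (C:\Program Files\...), so only cut at
    # the first whitespace-prefixed switch such as " /background" or " -foo".
    return re.split(r"\s+[/-]", cmd)[0]


def is_user_writable(path):
    low = path.lower()
    return low.startswith(USER_WRITABLE_PREFIXES) or any(p in low for p in USER_WRITABLE_PARTS)


def triage(log_text):
    """Parse one HJT log and return the items an analyst checks first."""
    processes, explained = [], set()
    nameservers, unknown_owner = set(), []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        if (m := O4_RE.match(line)):
            explained.add(exe_from_command(m.group("cmd")).lower())
        elif (m := O17_RE.match(line)):
            nameservers.update(m.group("ns").split(","))
        elif (m := O23_RE.match(line)):
            explained.add(m.group("path").lower())
            if m.group("owner").lower() == "unknown owner":
                unknown_owner.append(m.group("path"))
    unexplained = [p for p in processes
                   if p.lower() not in explained and is_user_writable(p)]
    return {
        # Every resolver in use: verify each against what the ISP/router
        # should be assigning before trusting DNS on this machine.
        "nameservers": sorted(nameservers),
        # Services whose binary carries no publisher information.
        "unknown_owner_services": unknown_owner,
        # Running from a user-writable path with nothing starting them.
        "unexplained_user_path_processes": unexplained,
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run it against a full log by reading the file into `triage()`; the three lists it returns are the starting points (resolvers to confirm with the ISP, a service binary to check by hand, a process with no visible launcher), and the file-identification, hash and publisher checks still have to be done on the machine.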