Deckard's System Scanner v20071014.68
Run by user on 2008-05-27 18:52:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:54:36, on 27.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Punto Switcher\ps.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\ \Deckard's System Scanner\dss.exe
C:\DOCUME~1\user\0016~1\HIJACK~1\user.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Punto Switcher] C:\Program Files\Punto Switcher\ps.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &  Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: @Mail.Ru - res://C:\PROGRA~1\Mail.Ru\Sputnik\MAILRU~1.DLL/SEARCH.HTM
O8 - Extra context menu item: @Mail.Ru - res://C:\PROGRA~1\Mail.Ru\Sputnik\MAILRU~1.DLL/TRANSLATE.HTM
O9 - Extra button:   - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6339A81-6274-4AC1-A513-BB9A5D4A1BC1}: NameServer = 211.218.149.85
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service:   (Eventlog) -   - C:\WINDOWS\system32\services.exe
O23 - Service:  COM  - IMAPI (ImapiService) -   - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) -   - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) -   - C:\WINDOWS\system32\services.exe
O23 - Service:        (RDSessMgr) -   - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: - (SCardSvr) -   - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service:     (SysmonLog) -   - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service:    (VSS) -   - C:\WINDOWS\System32\vssvc.exe
O23 - Service:   WMI (WmiApSrv) -   - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 4636 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R3 SNPSTD3 (USB PC Camera (SNPSTD3)) - c:\windows\system32\drivers\snpstd3.sys <Not Verified; ; PC Camera driver>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 cmuda (C-Media WDM Audio Interface) - c:\windows\system32\drivers\cmuda.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-27 15:30:29         0 d-------- C:\Documents and Settings\user\DoctorWeb
2008-05-27 15:19:04         0 d-------- C:\Documents and Settings\user\Application Data\Mra
2008-05-27 15:19:03         0 d--hs---- C:\Documents and Settings\NetworkService\Application Data\wsnpoem
2008-05-27 15:19:03         0 d--hs---- C:\Documents and Settings\LocalService\Application Data\wsnpoem
2008-05-27 11:33:50  44813172 --a------ C:\HKEY_LOCAL_MACHINE_copy2.reg
2008-05-27 11:31:46  44813172 --a------ C:\HKEY_LOCAL_MACHINE_copy.reg
2008-05-26 18:22:32     50688 --a------ C:\Documents and Settings\user\svchosts.exe
2008-05-26 14:19:12        34 --ah----- C:\WINDOWS\system32\VideoConverter_sysquict.dat
2008-05-26 14:09:50         0 d-------- C:\Documents and Settings\user\Application Data\Apple Computer
2008-05-26 14:02:38      1759 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2008-05-18 17:12:16         0 d-------- C:\Program Files\DevalVR
2008-04-30 11:22:23         0 d-------- C:\
2008-04-30 11:21:34         0 d-------- C:\Documents and Settings\user\Application Data\U3
2008-04-28 10:24:56         0 d-------- C:\Documents and Settings\user\Application Data\Canon


-- Find3M Report ---------------------------------------------------------------

2008-04-19 18:29:37        10 --a------ C:\WINDOWS\popcinfo.dat
2008-03-30 10:08:42    349224 --a------ C:\WINDOWS\system32\perfh019.dat
2008-03-30 10:08:42     50206 --a------ C:\WINDOWS\system32\perfc019.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02.11.2004 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [25.09.2005 19:11]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [11.10.2007 11:11]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [17.08.2006 16:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [02.03.2006 16:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [25.09.2005 19:11]
"Punto Switcher"="C:\Program Files\Punto Switcher\ps.exe" [13.11.2007 11:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d87d2a3-fee1-11dc-99f5-00e04cc7ffcf}]
AutoRun\command- F:\xn1i9x.com
explore\Command- F:\xn1i9x.com
open\Command- F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba6e0273-2afd-11dc-9856-00e04cc7ffcf}]
AutoRun\command- F:\xn1i9x.com
explore\Command- F:\xn1i9x.com
open\Command- F:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfc00558-f669-11dc-99e4-00e04cc7ffcf}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Boot.exe e
Open\command- Boot.exe e
-- End of Deckard's System Scanner: finished at 2008-05-27 18:55:40 ------------

