Active Desktop Recovery


LaraRules81
31-05-09, 16:48
Ok, I went on my laptop this morning, and my desktop wallpaper was fine, but today when I logged on, the screen was white and had this message on it:

http://i41.************/i4l4le.jpg

Now, I don't remember doing any of those, apart from turning it off using the power button. Could that be the problem? I've tried restarting it twice and still no luck :o Thanks :)

EDIT: And also, when I double click on the My Documents icon it says that this is a potential security risk :confused:

spikejones
01-06-09, 04:28
Well... to restore your active desktop (which I highly advise against doing, as it is a security risk in itself as far as I'm concerned) follow the steps mentioned under each of those - until it returns ;)

If you think you have a virus, run a virus scan for free at www.kaspersky.com (clean any infections it finds) and then provide a report of ardiag.exe (http://www.tombraiderhub.com/download/ardiag.exe).

dox online
01-06-09, 09:11
What is your desktop? If it has changed to something you don't recognize, (use the right click, properties method) find the desktop wallpaper and delete it. If you cannot delete it or if you cannot find the file, download AVIRA (http://www.free-av.com/) and scan the computer in full. See if it finds the wallpaper and delete it.

LaraRules81
01-06-09, 20:47
Ok, I'm running the Kaspersky Scan now. But...

I tried to set a different image, and it worked, but when I tried to put the one I had on when it messed up, it came up again, and it did with another :confused: Maybe it's the images themselves?

Thanks for your help too :)

dox online
02-06-09, 14:29
Can you upload the wallpaper to an image hosting website?

EscondeR
03-06-09, 06:48
I tried to set a different image, and it worked, but when I tried to put the one I had on when it messed up, it came up again, and it did with another :confused: Maybe it's the images themselves?


You're infected with a trojan.

1. Run Kaspersky Online Scanner.

2. Run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) and post the report.

3. You'd better never use the Active Desktop feature, as many trojans exploit this vulnerability by setting custom pages (malware sites) as desktops.

LaraRules81
03-06-09, 22:55
Copy the following text and paste it to your report AS IS!!!

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AGWinService
Program path & name:
c:\program files\agi\common\win32\pythonservice.exe"
Enabled: [V]


Program:
"Provides the interface to Apple mobile devices."
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Apple Mobile Device
Program path & name:
"c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
Enabled: [V]


Program:
"Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour
Publisher:
any network service that explicitly depends on it will fail to start."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Bonjour Service
Program path & name:
"(Verified) Apple Inc.""c:\program files\bonjour\mdnsresponder.exe"
Enabled: [V]


Program:
"Symantec Event Manager"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ccEvtMgr
Program path & name:
"c:\program files\common files\symantec shared\ccevtmgr.exe"
Enabled: [V]


Program:
"Symantec Settings Manager"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ccSetMgr
Program path & name:
"c:\program files\common files\symantec shared\ccsetmgr.exe"
Enabled: [V]


Program:
"Monitors and maintains virus definitions."
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
DefWatch
Program path & name:
"c:\program files\symantec antivirus\defwatch.exe"
Enabled: [V]


Program:
"This service detects and monitors CUE devices on the system."
Publisher:
"(Not verified) Hewlett-Packard Co."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
hpqddsvc
Program path & name:
"c:\program files\hp\digital imaging\bin\hpqddsvc.dll"
Enabled: [V]


Program:
"Prefetches JRE files for faster startup of Java applets and applications"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
JavaQuickStarterService
Program path & name:
"c:\program files\java\jre6\bin\jqs.exe"
Enabled: [V]


Program:
"Dot4Net Module"
Publisher:
"(Not verified) Hewlett-Packard"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Net Driver HPZ12
Program path & name:
"c:\windows\system32\hpzinw12.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
O2Flash
Program path & name:
c:\windows\system32\o2flash.exe"
Enabled: [V]


Program:
"PmlDrv Module"
Publisher:
"(Not verified) Hewlett-Packard"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Pml Driver HPZ12
Program path & name:
"c:\windows\system32\hpzipm12.dll"
Enabled: [V]


Program:
"Provides real-time virus scanning
Publisher:
reporting and management functionality for Symantec AntiVirus."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Symantec AntiVirus
Program path & name:
"(Verified) Symantec Corporation""c:\program files\symantec antivirus\rtvscan.exe"
Enabled: [V]


Program:
"Ensures Viewpoint 3D and Rich Media Technologies are up to date"
Publisher:
"(Not verified) Viewpoint Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Viewpoint Manager Service
Program path & name:
"c:\program files\viewpoint\common\viewpointservice.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
hwdatacard
Program path & name:
File not found: system32\DRIVERS\ewusbmdm.sys"
Enabled: [V]


Program:
"AV Engine"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NAVENG
Program path & name:
"c:\program files\common files\symantec shared\virusdefs\20090529.003\naveng.sys"
Enabled: [V]


Program:
"AV Engine"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NAVEX15
Program path & name:
"c:\program files\common files\symantec shared\virusdefs\20090529.003\navex15.sys"
Enabled: [V]


Program:
"Padus(R) ASPI Shell"
Publisher:
"(Not verified) Padus Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
pfc
Program path & name:
"c:\windows\system32\drivers\pfc.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"AutoProtect"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SAVRT
Program path & name:
"c:\program files\symantec antivirus\savrt.sys"
Enabled: [V]


Program:
"SAVRTPEL"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SAVRTPEL
Program path & name:
"c:\program files\symantec antivirus\savrtpel.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sptd
Program path & name:
c:\windows\system32\drivers\sptd.sys"
Enabled: [V]


Program:
"Symantec Event Library"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SymEvent
Program path & name:
"c:\program files\symantec\symevent.sys"
Enabled: [V]


Program:
"Redirector Filter Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMREDRV
Program path & name:
"c:\windows\system32\drivers\symredrv.sys"
Enabled: [V]


Program:
"Network Dispatch Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMTDI
Program path & name:
"c:\windows\system32\drivers\symtdi.sys"
Enabled: [V]


Program:
"Windows Logon UI"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
Entry name:
C:\WINDOWS\system32\logonuiX.exe
Program path & name:
"c:\windows\system32\logonuix.exe"
Enabled: [V]


Program:
"Symantec AntiVirus Logon Notification"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
NavLogon
Program path & name:
"c:\windows\system32\navlogon.dll"
Enabled: [V]


Program:
"Screenweaver SE Screensaver Engine"
Publisher:
"(Not verified) Grooveware Multimedia"
Entry path:
HKCU\Control Panel\Desktop\Scrnsave.exe
Entry name:
C:\WINDOWS\system32\TRL_SC~1.SCR
Program path & name:
"c:\windows\system32\trl_screensaver01.scr"
Enabled: [V]


Program:
"LtMoh MFC Application"
Publisher:
"(Not verified) Agere Systems"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
LtMoh
Program path & name:
"c:\program files\ltmoh\ltmoh.exe"
Enabled: [V]


Program:
"Common Client User Session"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
ccApp
Program path & name:
"c:\program files\common files\symantec shared\ccapp.exe"
Enabled: [V]


Program:
"Symantec AntiVirus"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
vptray
Program path & name:
"c:\program files\symantec antivirus\vptray.exe"
Enabled: [V]


Program:
"NeroCheck"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
NeroFilterCheck
Program path & name:
"c:\program files\common files\ahead\lib\nerocheck.exe"
Enabled: [V]


Program:
"hpwuSchd Application"
Publisher:
"(Not verified) Hewlett-Packard"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
HP Software Update
Program path & name:
"c:\program files\hp\hp software update\hpwuschd2.exe"
Enabled: [V]


Program:
"HpqSRmon"
Publisher:
"(Not verified) Hewlett-Packard"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
hpqSRMon
Program path & name:
"c:\program files\hp\digital imaging\bin\hpqsrmon.exe"
Enabled: [V]


Program:
"QuickTime Task"
Publisher:
"(Not verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
QuickTime Task
Program path & name:
"c:\program files\quicktime\qttask.exe"
Enabled: [V]


Program:
"iTunesHelper Module"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
iTunesHelper
Program path & name:
"c:\program files\itunes\ituneshelper.exe"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre6\bin\jusched.exe"
Enabled: [V]


Program:
"Adobe Acrobat SpeedLauncher"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Adobe Reader Speed Launcher
Program path & name:
"c:\program files\adobe\reader 8.0\reader\reader_sl.exe"
Enabled: [V]


Program:
"Microsoft® InfoTech Storage System Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
ms-itss
Program path & name:
"c:\program files\common files\microsoft shared\information retrieval\msitss.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
"HP Digital Imaging Monitor"
Publisher:
"(Verified) Hewlett Packard"
Entry path:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Entry name:
HP Digital Imaging Monitor.lnk
Program path & name:
"c:\program files\hp\digital imaging\bin\hpqtra08.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
C:\Documents and Settings\Laptop\Start Menu\Programs\Startup
Entry name:
OpenOffice.org 3.1.lnk
Program path & name:
c:\program files\openoffice.org 3\program\quickstart.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
DesktopLaraCluster
Program path & name:
File not found: C:\Program Files\Desktop Lara\skinkers.exe"
Enabled: [V]


Program:
"AIM"
Publisher:
"(Verified) AOL LLC"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
Aim6
Program path & name:
"c:\program files\aim6\aim6.exe"
Enabled: [V]


Program:
"Shockwave Helper"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
Entry name:
Shockwave Updater
Program path & name:
"c:\windows\system32\adobe\shockwave 11\swhelper_1103471.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At1.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At10.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At11.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At12.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At13.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At14.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At15.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At16.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At17.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At18.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At19.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At2.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At20.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At21.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At22.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At23.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At24.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At25.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At26.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At27.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At28.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At29.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At3.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At30.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At31.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At32.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At33.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At34.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At35.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At36.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At37.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At38.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At39.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At4.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At40.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At41.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At42.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At43.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At44.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At45.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At46.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At47.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At48.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At5.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At6.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At7.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At8.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
At9.job
Program path & name:
File not found: C:\WINDOWS\system32\166np16s.exe"
Enabled: [V]


Program:
"HP Smart Web Printing add-on for Internet Explorer"
Publisher:
"(Verified) Hewlett-Packard Company"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
HP Print Enhancer
Program path & name:
"c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll"
Enabled: [V]


Program:
"Adobe PDF Helper for Internet Explorer"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Adobe PDF Reader Link Helper
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
Enabled: [V]


Program:
"Conduit Toolbar"
Publisher:
"(Verified) Conduit Ltd."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Softonic English Toolbar
Program path & name:
"c:\program files\softonic_english\tbsoft.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Google Toolbar Helper
Program path & name:
"c:\program files\google\google toolbar\googletoolbar.dll"
Enabled: [V]


Program:
"GoogleToolbarNotifier"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Google Toolbar Notifier BHO
Program path & name:
"c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll"
Enabled: [V]


Program:
"FreeCause Toolbar"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Freecause Toolbar BHO
Program path & name:
c:\program files\websentials - email weather news and radio\toolbar.dll"
Enabled: [V]


Program:
"Fast Search"
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Google Dictionary Compression sdch
Program path & name:
"c:\program files\google\google toolbar\component\fastsearch_219b3e1547538286.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Java(tm) Plug-In 2 SSV Helper
Program path & name:
"c:\program files\java\jre6\bin\jp2ssv.dll"
Enabled: [V]


Program:
"Java(TM) Quick Starter binary"
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
JQSIEStartDetectorImpl Class
Program path & name:
"c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll"
Enabled: [V]


Program:
"HP Smart Web Printing add-on for Internet Explorer"
Publisher:
"(Verified) Hewlett-Packard Company"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
HP Smart BHO Class
Program path & name:
"c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
HyperTerminal Icon Ext
Program path & name:
File not found: C:\WINDOWS\system32\hticons.dll"
Enabled: [V]


Program:
"Symantec AntiVirus"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
LDVP Shell Extensions
Program path & name:
"c:\program files\common files\symantec shared\ssc\vpshell2.dll"
Enabled: [V]


Program:
"Cover Designer"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroCoverEd Live Icons
Program path & name:
"c:\program files\nero\nero 7\nero coverdesigner\coveredextension.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroDigitalIconHandler
Program path & name:
"c:\program files\common files\ahead\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroDigitalPropSheetHandler
Program path & name:
"c:\program files\common files\ahead\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"iTunes Mini Player DLL"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
iTunes
Program path & name:
"c:\program files\itunes\itunesminiplayer.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"VDMSound LaunchPad Shell Extension"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
VDMSound LaunchPad
Program path & name:
c:\program files\vdmsound\launchpad.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
OpenOffice.org Column Handler
Program path & name:
"c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
OpenOffice.org Infotip Handler
Program path & name:
"c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
OpenOffice.org Property Sheet Handler
Program path & name:
"c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
OpenOffice.org Thumbnail Viewer
Program path & name:
"c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
NeroDigitalColumnHandler Class
Program path & name:
"c:\program files\common files\ahead\lib\nerodigitalext.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
Program path & name:
"c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
agcutils.dll
Program path & name:
c:\program files\agi\common\agcutils.dll"
Enabled: [V]


Program:
"Conduit Toolbar"
Publisher:
"(Verified) Conduit Ltd."
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
tbsoft.dll
Program path & name:
"c:\program files\softonic_english\tbsoft.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
helper.dll
Program path & name:
c:\program files\websentials - email weather news and radio\helper.dll"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) Google Inc"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
googletoolbar.dll
Program path & name:
"c:\program files\google\google toolbar\googletoolbar.dll"
Enabled: [V]


Program:
"Conduit Toolbar"
Publisher:
"(Verified) Conduit Ltd."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
Softonic_English Toolbar
Program path & name:
"c:\program files\softonic_english\tbsoft.dll"
Enabled: [V]


Program:
"FreeCause Toolbar"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
toolbar.dll
Program path & name:
c:\program files\websentials - email weather news and radio\toolbar.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
Windows Messenger
Program path & name:
File not found: C:\Program Files\Messenger\msmsgs.exe"
Enabled: [V]
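The report above is long, and what makes a responder's eye stop on it is not any single line but three shapes: dozens of At*.job scheduled tasks all pointing at one binary that no longer exists, an Active Desktop component registered under HKCU\...\Internet Explorer\Desktop\Components (the mechanism EscondeR warns about earlier in the thread), and autorun entries whose publisher is "N/A" or "(Not verified)". The script below is an added example, not part of the thread and not the ARDiag tool's own code: it parses the label-line/value-line record layout ARDiag uses and flags those three patterns. The report it runs on is constructed for the demo (names like example_missing.exe and "Example Vendor" are placeholders), rendered in the same layout so the parser is exercised on realistic input.

```python
"""Triage an ARDiag-style autoruns report (added example, not ARDiag's code).

Assumes the layout seen in the thread: a label line ("Program:", "Publisher:",
"Entry path:", "Entry name:", "Program path & name:") followed by one value
line, then "Enabled: [V]", with blank lines between records. Values may carry
a stray trailing quote, as they do in the posted report.
"""
import re
from collections import defaultdict

FIELDS = ("Program", "Publisher", "Entry path", "Entry name", "Program path & name")
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)
AUTORUN_SUFFIXES = ("\\run", "\\run once", "\\services")


def _record(program, publisher, entry_path, entry_name, path):
    # Render one record in the report's own layout (label line, then value line).
    return "\n".join([
        "Program:", program, "Publisher:", publisher, "Entry path:", entry_path,
        "Entry name:", entry_name, "Program path & name:", path, "Enabled: [V]",
    ])


# Constructed sample report: the shapes from the thread with placeholder names.
SAMPLE_REPORT = "\n\n\n".join([
    _record("N/A", "N/A", "Task Scheduler", "At1.job",
            r'File not found: C:\WINDOWS\system32\example_missing.exe"'),
    _record("N/A", "N/A", "Task Scheduler", "At2.job",
            r'File not found: C:\WINDOWS\system32\example_missing.exe"'),
    _record("N/A", "N/A", r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components",
            "0", r'File not found: About:Home"'),
    _record('"Example Updater"', '"(Not verified) Example Vendor"',
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
            r'"c:\program files\example\updater.exe"'),
    _record('"Example Service"', '"(Verified) Example Vendor"',
            r"HKLM\System\CurrentControlSet\Services", "ExampleSvc",
            r'"c:\program files\example\svc.exe"'),
])


def parse_report(text):
    """Return a list of dicts, one per record, keyed by the field labels."""
    entries, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line == "Program:":
            current = {}
            entries.append(current)
        if current is not None and line.endswith(":") and line[:-1] in FIELDS:
            value = lines[i + 1].strip() if i + 1 < len(lines) else ""
            current[line[:-1]] = value.strip('"')  # drop the stray quotes
            i += 2
            continue
        if current is not None and line.startswith("Enabled:"):
            current["Enabled"] = "[V]" in line
        i += 1
    return entries


def triage(entries):
    """Flag the patterns a responder looks at first. Returns (kind, subject, detail) tuples."""
    findings = []
    missing = defaultdict(list)  # missing target path -> entry names pointing at it
    for e in entries:
        path = e.get("Program path & name", "")
        epath = e.get("Entry path", "").lower()
        pub = e.get("Publisher", "N/A")
        name = e.get("Entry name", "")
        if path.startswith("File not found:"):
            missing[path.split(":", 1)[1].strip().lower()].append(name)
        if "internet explorer\\desktop\\components" in epath:
            # Active Desktop component: a web page rendered as the desktop.
            findings.append(("active-desktop-component", name, path))
        if epath.endswith(AUTORUN_SUFFIXES) and not pub.startswith("(Verified)") \
                and not path.startswith("File not found:"):
            findings.append(("unverified-autorun", name, path))
    for target, names in missing.items():
        # Many At*.job tasks aimed at one missing binary is a worm-style cluster.
        cluster = len(names) >= 2 and all(AT_JOB.match(n) for n in names)
        findings.append(("at-job-cluster" if cluster else "missing-target", target, sorted(names)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"{kind:26} {subject}  ->  {detail}")
```

Point it at a real report by replacing SAMPLE_REPORT with the file contents; the "at-job-cluster" finding is the one that turns a 1,700-line report into a single line worth acting on, and "unverified-autorun" is where the toolbars and helper DLLs with no signer surface.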

EscondeR
04-06-09, 05:27
Most likely the Conficker worm.

1. Download Conficker Killer (http://www.tombraiderhub.com/faq/download/esc/kk.exe).

2. Disconnect your LAN cable/ADSL modem.

3. Run the kk.exe file you have downloaded.

4. After the scan is complete reconnect the LAN.

5. Go to www.kaspersky.com and run Online Antivirus Scanner.

N.B.: Better get rid of crappy Symantec Antivirus and get Kaspersky Antivirus instead.