Virtumonde & Command Service


grilledcheese
2008-08-01, 21:27
Hi, I just recently came across the Trojan "Virtumonde" while scanning, and the malware "Command Service". I am currently running SB-S&D as I write this, but I need advice on getting rid of these if SB-S&D does not. Thanks for any help in advance. So here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:14:06 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\New Music Folder\Movie Making Crap\DVD Flick\dvdflick.exe
C:\New Music Folder\Movie Making Crap\DVD Flick\bin\ffmpeg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {FFD6B976-50EA-5E6A-9912-0CE52F1C12C5} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\gxrnlkyv.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - AppInit_DLLs: rwgrwk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QQ\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8713 bytes

Blade81
2008-08-06, 08:59
Hi

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

grilledcheese
2008-08-06, 18:34
Hello and thank you Blade for your time and help

Here's the ComboFix log:

ComboFix 08-08-04.09 - A 2008-08-06 11:03:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.802 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\inst.exe
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com\ud.sol
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\A\Application Data\SKS~1
C:\Documents and Settings\A\Application Data\TSKS~1
C:\Documents and Settings\A\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Documents and Settings\A\Local Settings\Temporary Internet Files\ijjistarter2FxB.exe
C:\Program Files\Common Files\{3C947~1
C:\Program Files\Common Files\{9C947~1
C:\Program Files\oin search
C:\Program Files\oin search\OINSearch.dll
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\outlook
C:\Program Files\winupdates
C:\WINDOWS\QQ\
C:\WINDOWS\QQ\\kk.vbs
C:\WINDOWS\system32\byXOhIBS.dll
C:\WINDOWS\system32\cnnlre.dll
C:\WINDOWS\system32\crnkpxna.ini
C:\WINDOWS\system32\dyapgu.dll
C:\WINDOWS\system32\fmqrgqgw.dll
C:\WINDOWS\system32\gwlxfvwn.ini
C:\WINDOWS\system32\hecqirkf.ini
C:\WINDOWS\system32\hgGwUoMf.dll
C:\WINDOWS\SYSTEM32\ilhsknxy.ini
C:\WINDOWS\system32\Kjlnpqru.ini
C:\WINDOWS\SYSTEM32\Kjlnpqru.ini2
C:\WINDOWS\system32\lmkgktuy.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\mggktnhu.dll
C:\WINDOWS\system32\mjsswnqi.dll
C:\WINDOWS\system32\nguhdwcd.dll
C:\WINDOWS\SYSTEM32\nmkfibad.ini
C:\WINDOWS\system32\nuogzu.dll
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\SYSTEM32\tmfhkvnf.ini
C:\WINDOWS\system32\tuvVLdaa.dll
C:\WINDOWS\system32\vjofkj.dll
C:\WINDOWS\system32\vyklnrxg.ini
C:\WINDOWS\system32\wnsintsv.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\W?nSxS\
C:\WINDOWS\system32\xekqzw.dll
C:\WINDOWS\system32\xxyYoOif.dll
C:\WINDOWS\system32\yayvWqpP.dll
C:\WINDOWS\system32\yayXQGVn.dll
C:\WINDOWS\system32\ywpgueor.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService


((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-06 10:22 . 2008-08-06 10:22 99,712 --a--c--- C:\WINDOWS\SYSTEM32\yxnkshli.dll
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-05 17:43 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-03 10:09 . 2008-08-03 10:09 130,432 --a--c--- C:\WINDOWS\SYSTEM32\nfwtgdcs.dll
2008-08-03 10:09 . 2008-08-03 10:09 130,432 --a------ C:\WINDOWS\SYSTEM32\ltinqe.dll
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-02 10:10 . 2008-08-02 10:10 130,432 --a------ C:\WINDOWS\SYSTEM32\zmiizg.dll
2008-08-02 10:10 . 2008-08-02 10:10 130,432 --a--c--- C:\WINDOWS\SYSTEM32\nncowaip.dll
2008-08-02 10:07 . 2008-08-02 10:07 98,688 --a--c--- C:\WINDOWS\SYSTEM32\anxpknrc.dll
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\A\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-31 10:06 . 2008-07-31 10:06 294 --ahs---- C:\WINDOWS\SYSTEM32\kltyxlyt.ini
2008-07-30 04:00 . 2008-07-30 04:00 323,584 --a------ C:\WINDOWS\SYSTEM32\urqpnljK.dll
2008-07-30 03:51 . 2008-07-30 03:51 65,536 ---hsc--- C:\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 15:15 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-06 10:25 --------- dc----w C:\Documents and Settings\A\Application Data\BitTorrent
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-04 17:21 --------- d-----w C:\Program Files\Lx_cats
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-08-01 15:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-30 08:03 --------- d-----w C:\Program Files\BitTorrent
2008-07-29 12:02 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 02:29 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27FE8B44-94FE-4E26-8C24-DC560DD1B835}]
2008-07-30 04:00 323584 --a------ C:\WINDOWS\system32\urqpnljK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"9c9471bb"="C:\WINDOWS\system32\yxnkshli.dll" [2008-08-06 10:22 99712]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rwgrwk.dll zmiizg.dll ltinqe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{FFD6B976-50EA-5E6A-9912-0CE52F1C12C5} - (no file)
HKCU-Run-Vidalia - C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-MSWheel - (no file)
HKU-Default-Run-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\A\Application Data\Mozilla\Firefox\Profiles\gu7b4wtp.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www6.comcast.net/a/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 11:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\ilhsknxy.ini 1382137 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\kmw_show.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\WINDOWS\SYSTEM32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2008-08-06 11:24:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 15:24:08

Pre-Run: 6,427,938,816 bytes free
Post-Run: 7,466,651,648 bytes free

295 --- E O F --- 2008-07-09 00:02:14

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:49 AM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\New Music Folder\FIX\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\yxnkshli.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - AppInit_DLLs: rwgrwk.dll zmiizg.dll ltinqe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8002 bytes

Blade81
2008-08-06, 20:13
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Documents and Settings\A\Application Data\BitTorrent
C:\Program Files\BitTorrent

Empty Recycle Bin.

After that:

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

grilledcheese
2008-08-07, 18:51
Hello again, and many thanks for the help.

Note: I also removed Frostwire; you had not mentioned it, but I went ahead and got rid of it.


Deckard's System Scanner v20071014.68
Run by A on 2008-08-07 11:44:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
15: 2008-08-07 15:44:21 UTC - RP703 - Deckard's System Scanner Restore Point
14: 2008-08-06 15:31:28 UTC - RP702 - Last known good configuration
13: 2008-08-06 15:31:19 UTC - RP701 - ComboFix created restore point
12: 2008-08-06 15:31:19 UTC - RP700 - System Checkpoint
11: 2008-08-06 15:31:19 UTC - RP699 - Removed Vanguard: Saga of Heroes


-- First Restore Point --
1: 2008-08-06 15:31:18 UTC - RP689 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 8.15 GiB (less than 15%) free.


-- HijackThis (run as A.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:43 AM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\kkw_run.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\A\Desktop\dss.exe
C:\NEWMUS~1\FIX\TRENDM~1\HIJACK~1\A.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {8fbfef32-ba28-2fba-9244-a136ee42f124} - {421f24ee-631a-4429-abf2-82ab23fefbf8} - C:\WINDOWS\system32\tlhdip.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {720926B8-1158-4B0E-BDFC-206655835EF6} - C:\WINDOWS\system32\urqpnljK.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kkw_run.exe] kkw_run.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [9c9471bb] rundll32.exe "C:\WINDOWS\system32\evjcwagk.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - AppInit_DLLs: rwgrwk.dll zmiizg.dll ltinqe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8455 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R0 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R3 ATI Remote Wonder II - c:\windows\system32\drivers\atirwvd.sys <Not Verified; Jungo; WinDriver Device Driver>
R3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 KKW_HID (Kensington HIDClass Filter Driver) - c:\windows\system32\drivers\kkw_hid.sys <Not Verified; Kensington Technology Group; KKW>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 MR97310_USB_DUAL_CAMERA (MR97310 CIF Dual Mode Camera) - c:\windows\system32\drivers\mr97310c.sys <Not Verified; Mars Semiconductor Corp.; USB Dual-Mode Camera>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 QCDonner (Logitech QuickCam Express) - c:\windows\system32\drivers\ovcd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R3 lxcg_device - c:\windows\system32\lxcgcoms.exe -service <Not Verified; ; Printer Communication System>

S3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-01 01:00:00 334 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-07-15 01:20:00 342 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2005-08-15 09:01:14 356 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 11:32:37 99200 --a----c- C:\WINDOWS\system32\evjcwagk.dll
2008-08-07 11:32:32 120448 --a------ C:\WINDOWS\system32\tlhdip.dll
2008-08-07 11:32:32 120448 --a----c- C:\WINDOWS\system32\mcsofvbm.dll
2008-08-06 11:32:05 99712 -------c- C:\WINDOWS\system32\bsxtxqgy.dll
2008-08-06 11:32:01 121472 --a------ C:\WINDOWS\system32\mjjugj.dll
2008-08-06 11:32:00 121472 --a----c- C:\WINDOWS\system32\vcbyyubu.dll
2008-08-06 11:31:07 528156 --ahs---- C:\WINDOWS\system32\Kjlnpqru.ini2
2008-08-06 11:00:22 68096 --a------ C:\WINDOWS\zip.exe
2008-08-06 11:00:22 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-06 11:00:22 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-06 11:00:22 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-06 11:00:22 98816 --a------ C:\WINDOWS\sed.exe
2008-08-06 11:00:22 80412 --a------ C:\WINDOWS\grep.exe
2008-08-06 11:00:22 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-06 11:00:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 14:31:48 0 d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49:54 0 d------c- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31:09 0 d-------- C:\Program Files\PeerGuardian2
2008-08-03 10:09:53 130432 --a----c- C:\WINDOWS\system32\nfwtgdcs.dll
2008-08-03 10:09:53 130432 --a------ C:\WINDOWS\system32\ltinqe.dll
2008-08-02 15:36:26 0 d-------- C:\Program Files\WinAVI Video Converter
2008-08-02 10:10:48 130432 --a------ C:\WINDOWS\system32\zmiizg.dll
2008-08-02 10:10:47 130432 --a----c- C:\WINDOWS\system32\nncowaip.dll
2008-08-02 10:07:49 98688 --a----c- C:\WINDOWS\system32\anxpknrc.dll
2008-08-01 18:27:42 0 d------c- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22:10 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17:23 0 d------c- C:\Documents and Settings\A\Application Data\ImgBurn
2008-07-31 15:32:40 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-31 15:32:40 0 d------c- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32:40 47360 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-07-30 04:00:29 323584 --a------ C:\WINDOWS\system32\urqpnljK.dll
2008-07-20 00:35:23 0 d-------- C:\Program Files\Sun
2008-07-16 18:06:06 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-08-06 11:09:31 0 d-------- C:\Program Files\Common Files
2008-08-05 10:16:38 0 d-------- C:\Program Files\McAfee
2008-08-04 13:21:31 0 d-------- C:\Program Files\Lx_cats
2008-08-01 16:23:58 0 d-------- C:\Program Files\Tortun
2008-08-01 12:24:24 33 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.log
2008-08-01 12:24:22 1144 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.inf
2008-08-01 12:24:22 7887 --a----c- C:\Documents and Settings\A\Application Data\pcouffin.cat
2008-08-01 12:22:58 668 --a----c- C:\Documents and Settings\A\Application Data\vso_ts_preview.xml
2008-08-01 11:34:27 0 d-------- C:\Program Files\Sony
2008-08-01 11:30:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-31 17:34:55 0 d-------- C:\Program Files\Google
2008-07-31 16:57:39 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 16:30:39 0 d--h---c- C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 16:27:25 0 d-------- C:\Program Files\DriftCity
2008-07-31 16:02:19 0 d-------- C:\Program Files\Yahoo!
2008-07-31 16:01:10 0 dr-h---c- C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 15:58:19 0 d-------- C:\Program Files\Java
2008-07-30 14:41:51 0 d------c- C:\Documents and Settings\A\Application Data\Atari
2008-07-29 08:02:45 74040 --a----c- C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 18:06:06 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-15 22:29:06 0 d-------- C:\Program Files\World of Warcraft
2008-07-06 07:40:49 0 d-------- C:\Program Files\Common Files\McAfee
2008-06-16 06:32:38 0 d------c- C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-14 21:31:31 0 d------c- C:\Documents and Settings\A\Application Data\Mozilla
2008-06-14 21:31:23 0 d-------- C:\Program Files\Octoshape Streaming Services


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421f24ee-631a-4429-abf2-82ab23fefbf8}]
08/07/2008 11:32 AM 120448 --a------ C:\WINDOWS\system32\tlhdip.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720926B8-1158-4B0E-BDFC-206655835EF6}]
07/30/2008 04:00 AM 323584 --a------ C:\WINDOWS\system32\urqpnljK.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [06/15/2004 10:17 PM]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [07/21/2005 02:07 AM]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [07/20/2005 01:48 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/03/2007 01:55 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/09/2007 02:57 AM]
"kkw_run.exe"="kkw_run.exe" [12/15/2005 04:00 PM C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [09/01/2005 10:43 AM C:\WINDOWS\SYSTEM32\kmw_run.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"9c9471bb"="C:\WINDOWS\system32\evjcwagk.dll" [08/07/2008 11:32 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [05/22/2008 09:59 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

C:\Documents and Settings\A\Start Menu\Programs\Startup\
DESKTOP.INI [8/10/2004 3:04:12 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
DESKTOP.INI [8/10/2004 3:04:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=rwgrwk.dll zmiizg.dll ltinqe.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqpnljK

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=




-- End of Deckard's System Scanner: finished at 2008-08-07 11:46:49 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 1534.07 MiB / 1052.42 MiB
Pagefile Memory (total/avail): 2153.94 MiB / 1780.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.78 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 70.9 GiB total, 8.15 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380013AS - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 70.9 GiB - C:
\PARTITION2 - Unknown - 3.55 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1125697262\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1125697262\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\World of Warcraft\\WoW.exe"="C:\\Program Files\\World of Warcraft\\WoW.exe:*:Enabled:World of Warcraft"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:World of Warcraft"
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"="C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe:*:Enabled:EverQuest"
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"="C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe:*:Enabled:EverQuest II"
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"="C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe:*:Enabled:Flyff"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Filetopia3\\Filetopia.exe"="C:\\Program Files\\Filetopia3\\Filetopia.exe:*:Enabled:Filetopia"
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"="C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe:*:Enabled:Chromosome No.47, by Faldo"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"="C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\keyclone\\keyclone.exe"="C:\\Program Files\\keyclone\\keyclone.exe:*:Enabled:keyclone"
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"="C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe:*:Enabled:Kensington Digital Update of installed software via the Web."
"C:\\Program Files\\Tortun\\gui.exe"="C:\\Program Files\\Tortun\\gui.exe:*:Enabled:gui"
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"="C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe:*:Enabled:Main program for Octoshape client"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\A\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D27CPF61
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\A
LOGONSERVER=\\D27CPF61
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1;C:\Program Files\ATI Technologies\ATI.ACE
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\A\LOCALS~1\Temp
TMP=C:\DOCUME~1\A\LOCALS~1\Temp
USERDOMAIN=D27CPF61
USERNAME=A
USERPROFILE=C:\Documents and Settings\A
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

A (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\Ctzapxx.EXE" /X /U /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec /X{82D8304F-73D7-4EE6-8472-D0684BAA2865}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /X{69495273-FCDC-4A86-BCB7-49B504D3FB0E}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC Tool --> C:\PROGRA~1\ACTOOL~1\UNWISE.EXE C:\PROGRA~1\ACTOOL~1\INSTALL.LOG
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~2\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AGEIA PhysX v7.05.06 --> MsiExec.exe /X{82D8304F-73D7-4EE6-8472-D0684BAA2865}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AMUST Registry Cleaner --> "C:\Program Files\AMUST\Registry Cleaner\unins000.exe"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{7B76034B-B3ED-46D5-8C66-DEB102CB830A}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDE28287-D32C-415E-9C97-2BF9F9260150} /l1033
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{083F79E4-6FE9-46FB-A6C6-4F8862742947}\setup.exe"
ATI Multimedia Center 9.01 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
ATI Remote Wonder 2.5 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8F36E44A-E6E7-41B7-B6F6-4637BF84EFA5} /l1033
AutoIt v3.2.4.9 --> C:\Program Files\AutoIt3\Uninstall.exe
Browser MOUSE --> C:\Program Files\Browser MOUSE\uninst00.exe
Camera Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D1B3874F-3057-11D6-B2EA-0050BA18806B}\Setup.exe"
Cheat Engine 5.2 --> "C:\Program Files\Cheat Engine5.2\unins000.exe"
Cheat Engine 5.3 --> "C:\Program Files\Cheat Engine\unins001.exe"
CodeStuff Starter --> "C:\Program Files\CodeStuff\Starter\unStarter.exe"
Comcast High-Speed Internet Install Wizard --> C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Command On Demand for Command Software --> rundll32 advpack.dll,LaunchINFSection C:\csscod\uninst.inf,DefaultUninstall
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Cosmo Player 2.1.1 (41451) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\CosmoSoftware\CosmoPlayer\CosmoPlayer211.isu"
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 5.0.0 (630) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EQ2MAP Updater 1.0.6 --> C:\Program Files\Sony\EverQuest II\Eq2maps\EQ2MAP Updater\uninst.exe
EverQuest II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EE39B32-BA05-433C-BC0D-35797518A3A5}\ISInst.exe" -l0x9
EverQuest Platinum --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A007D3BA-1C94-4286-A0F7-507417495DF7}\setup.exe" -l0x9
Filetopia Client v3.04d --> C:\PROGRA~1\FILETO~1\UNWISE.EXE C:\PROGRA~1\FILETO~1\INSTALL.LOG
Freedom Security & Privacy --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{6CF0D732-8F97-489D-A704-2211D7ACC5D9}
Generations® Beginner's Edition 8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A4BBC64-1207-11D4-93E4-00105A27284D}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ijji Auto Installer --> "C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
ijji FireFox Launcher 1.0 --> C:\Documents and Settings\All Users\Application Data\IJJIGame\uninst.exe
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
ISXVG 20070425.0004 --> C:\Program Files\InnerSpace\Uninstall-ISXVG.exe
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kensington Keyboard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B5E17D7-C0CF-4CC3-8870-0181D622B93C}\setup.exe" -l0x9 -u
Kensington MouseWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C78937F-0C8E-11D9-A3EB-0001025FA304}\setup.exe" -l0x9 -u
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 2300 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcgUNST.EXE -NOLICENSE
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Script Debugger --> RunDll32 advpack.dll,LaunchINFSection C:\Program Files\Microsoft Script Debugger\ScrptDbg.inf, Uninstall.NT
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpfull.inf,WebPostUninstall
Microsoft Works 2004 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2004\Setup\Launcher.exe D:\
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Octoshape Streaming Services --> C:\Program Files\Octoshape Streaming Services\A\uninst.exe
OIN Search --> C:\Program Files\OIN Search\Uninstall.exe
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Personal Ancestral File 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D94A8E22-DF2B-4107-9E51-608A60A7671D}\Setup.exe"
Personal Ancestral File Companion 5.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91AFACB3-CA46-4C1E-AF2D-F72EE0B112E4}\setup.exe" -l0x9 -uninst -removeonly
PowerDVD 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Real Alternative 1.45 --> "C:\Program Files\Real Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sound Blaster Live! 24-bit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab --> C:\Program Files\Common Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Weather Channel Toolbar --> C:\PROGRA~1\THEWEA~2\UNWISE.EXE C:\PROGRA~1\THEWEA~2\twcINSTALL.LOG
Tortun 0.76 --> "C:\Program Files\Tortun\unins000.exe"
USB-IDE Bridge Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5EAEF66-8B0A-11D4-829A-0050BA025CC8}\Setup.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Westwood Shared Internet Components --> C:\Westwood\Internet\UnstllAP.EXE
WinAVI Video Converter --> "C:\Program Files\WinAVI Video Converter\unins000.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil


-- Application Event Log -------------------------------------------------------

Event Record #/Type7647 / Error
Event Submitted/Written: 08/07/2008 01:54:44 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application realplay.exe, version 6.0.12.1509, faulting module rjbdll.dll, version 1.0.4.2521, fault address 0x00075c26.
Processing media-specific event for [realplay.exe!ws!]

Event Record #/Type7633 / Warning
Event Submitted/Written: 08/06/2008 06:35:14 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type7630 / Error
Event Submitted/Written: 08/06/2008 04:56:33 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional with FrontPage -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Event Record #/Type7629 / Warning
Event Submitted/Written: 08/06/2008 04:55:52 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'WORDFiles' failed during request for component '{8E46FEFA-D973-6294-B305-E968CEDFFCB9}'

Event Record #/Type7628 / Warning
Event Submitted/Written: 08/06/2008 04:55:52 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'WORDFiles', component '{9C1249C6-4DDB-4A48-BC9F-4AF8D1291AE1}' failed. The resource 'C:\Program Files\Microsoft ActiveSync\RICHINK.DLL' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9746 / Warning
Event Submitted/Written: 08/07/2008 09:39:47 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9745 / Warning
Event Submitted/Written: 08/07/2008 08:35:20 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type9744 / Warning
Event Submitted/Written: 08/07/2008 08:29:35 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type9743 / Error
Event Submitted/Written: 08/07/2008 08:00:51 AM
Event ID/Source: 10001 / DCOM
Event Description:
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\mdm.exe -Embedding

Event Record #/Type9742 / Error
Event Submitted/Written: 08/07/2008 08:00:48 AM
Event ID/Source: 10001 / DCOM
Event Description:
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /.
The error:
"%%2"
Happened while starting this command:
C:\WINDOWS\system32\mdm.exe -Embedding



-- End of Deckard's System Scanner: finished at 2008-08-07 11:46:49 ------------

Blade81
2008-08-07, 19:05
Hi


Start hjt, do a system scan, check:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\bsxtxqgy.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\zmiizg.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\urqpnljK.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{421f24ee-631a-4429-abf2-82ab23fefbf8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{720926B8-1158-4B0E-BDFC-206655835EF6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9c9471bb"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting the above mentioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.

grilledcheese
2008-08-08, 17:25
Hello.

Note: When I started HJT it asked if it could update, so I allowed it and clicked Yes. I don't know if that had an effect on the outcome of the log, but I thought I'd let you know.

Also the Kaspersky Online Scanner kept saying this -
"Please wait to update the virus definitions...
Kaspersky Online Scanner license has expired!"
and will not go any further. So I don't know what to do about that.

And my brother installed all these "Anti-Malware" programs overnight without me knowing, but he did not do any fixes, because they are "free versions" and want money to upgrade to fix them.

Sorry if I made things harder on your part. Many apologies on my part.
But here's the HJT Log.
------------------------------------------------------------------------
ComboFix 08-08-08.01 - A 2008-08-08 9:27:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1016 [GMT -4:00]
Running from: C:\Documents and Settings\A\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\A\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\bsxtxqgy.dll
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\urqpnljK.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\zmiizg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\#SharedObjects\HD73GT4M\interclick.com\ud.sol
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\A\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\anxpknrc.dll
C:\WINDOWS\system32\evjcwagk.dll
C:\WINDOWS\SYSTEM32\ilhsknxy.ini
C:\WINDOWS\SYSTEM32\kgawcjve.ini
C:\WINDOWS\SYSTEM32\Kjlnpqru.ini
C:\WINDOWS\system32\Kjlnpqru.ini2
C:\WINDOWS\system32\ltinqe.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcsofvbm.dll
C:\WINDOWS\system32\mjjugj.dll
C:\WINDOWS\system32\nfwtgdcs.dll
C:\WINDOWS\system32\nncowaip.dll
C:\WINDOWS\system32\tlhdip.dll
C:\WINDOWS\system32\urqpnljK.dll
C:\WINDOWS\system32\vcbyyubu.dll
C:\WINDOWS\system32\ygqxtxsb.ini
C:\WINDOWS\system32\zmiizg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-08 09:39 . 2008-08-08 09:39 344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpfr2.cfg
2008-08-08 09:07 . 2008-08-08 09:07 63 --a------ C:\WINDOWS\av_affiliate.ini
2008-08-08 09:07 . 2008-08-08 09:07 43 --a------ C:\WINDOWS\as_affiliate.ini
2008-08-08 08:56 . 2008-08-08 09:38 201,320 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys.szcpf
2008-08-08 02:56 . 2008-08-08 02:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-08 02:56 . 2008-08-08 02:56 <DIR> d----c--- C:\Documents and Settings\A\Application Data\PC Tools
2008-08-08 02:56 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-08-08 02:56 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-08-08 02:56 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-08-08 02:56 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-08-08 02:51 . 2008-08-08 02:51 <DIR> d-------- C:\Program Files\CyberDefender
2008-08-07 19:15 . 2008-08-07 19:15 <DIR> d-------- C:\Program Files\Panicware
2008-08-07 18:24 . 2008-08-08 09:41 4,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kgpcpy.cfg
2008-08-07 18:23 . 2008-08-08 08:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\STOPzilla!
2008-08-07 18:21 . 2008-08-07 18:21 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 18:21 . 2008-08-08 09:42 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 11:43 . 2008-08-07 11:43 <DIR> d----c--- C:\Deckard
2008-08-05 14:31 . 2008-08-05 14:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-03 17:49 . 2008-08-03 17:49 <DIR> d----c--- C:\Documents and Settings\A\Application Data\vlc
2008-08-03 11:31 . 2008-08-07 18:06 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-08-02 15:36 . 2008-08-02 15:36 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-08-01 18:27 . 2008-08-01 18:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-08-01 18:22 . 2008-08-02 12:04 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-08-01 18:17 . 2008-08-01 18:17 <DIR> d----c--- C:\Documents and Settings\A\Application Data\ImgBurn
2008-08-01 16:22 . 2008-08-01 16:22 3,072 --ahsc--- C:\Thumbs.db
2008-08-01 13:19 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\SYSTEM32\mscomct2.ocx
2008-08-01 13:19 . 2004-03-09 00:00 212,240 --a------ C:\WINDOWS\SYSTEM32\richtx32.ocx
2008-08-01 13:19 . 2000-05-19 17:56 81,920 --a------ C:\WINDOWS\SYSTEM32\mbmouse.ocx
2008-08-01 13:19 . 2007-08-31 18:36 36,864 --a------ C:\WINDOWS\SYSTEM32\trayicon_handler.ocx
2008-07-31 15:32 . 2008-08-01 12:24 <DIR> d----c--- C:\Documents and Settings\A\Application Data\Vso
2008-07-31 15:32 . 2008-07-31 15:32 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-07-31 15:32 . 2008-08-01 12:24 47,360 --a--c--- C:\Documents and Settings\A\Application Data\pcouffin.sys
2008-07-31 10:06 . 2008-07-31 10:06 294 --ahs---- C:\WINDOWS\SYSTEM32\kltyxlyt.ini
2008-07-30 03:51 . 2008-07-30 03:51 65,536 ---hsc--- C:\Documents and Settings\A\MediaTubeCodec_ver1.1463.0.exe
2008-07-20 00:35 . 2008-07-20 00:35 <DIR> d-------- C:\Program Files\Sun
2008-07-16 18:06 . 2008-07-16 18:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 13:38 7,304 ----a-w C:\WINDOWS\TMP0001.TMP
2008-08-08 13:07 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-06 14:48 --------- dc----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-08-05 14:16 --------- d-----w C:\Program Files\McAfee
2008-08-04 17:21 --------- d-----w C:\Program Files\Lx_cats
2008-08-01 20:23 --------- d-----w C:\Program Files\Tortun
2008-08-01 15:34 --------- d-----w C:\Program Files\Sony
2008-08-01 15:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 21:34 --------- d-----w C:\Program Files\Google
2008-07-31 20:57 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 20:30 --------- dc-h--w C:\Documents and Settings\A\Application Data\ijjigame
2008-07-31 20:27 --------- d-----w C:\Program Files\DriftCity
2008-07-31 20:02 --------- d-----w C:\Program Files\Yahoo!
2008-07-31 20:01 --------- dc-h--r C:\Documents and Settings\A\Application Data\yahoo!
2008-07-31 19:58 --------- d-----w C:\Program Files\Java
2008-07-30 18:41 --------- dc----w C:\Documents and Settings\A\Application Data\Atari
2008-07-29 12:02 74,040 -c--a-w C:\Documents and Settings\A\Application Data\GDIPFONTCACHEV1.DAT
2008-07-16 22:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 02:29 --------- d-----w C:\Program Files\World of Warcraft
2008-07-06 11:40 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 10:32 --------- dc----w C:\Documents and Settings\A\Application Data\Ventrilo
2008-06-15 01:31 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-17 11:54 110 -c--a-w C:\Documents and Settings\All Users\Application Data\MostFunGameId.bin
2007-05-21 04:14 78,791 -c--a-w C:\Program Files\KBot.iss
2007-05-08 08:43 188,511 -c--a-w C:\Documents and Settings\A\test.exe
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\XUnleashedGUI.dll
2007-05-08 08:42 946,176 -c--a-w C:\Documents and Settings\A\rrnfu.dll
2007-05-08 08:42 450,560 -c--a-w C:\Documents and Settings\A\DX9Test.exe
2007-05-08 08:42 327,168 -c--a-w C:\Documents and Settings\A\XUnleashed.exe
2007-05-08 08:42 326,656 -c--a-w C:\Documents and Settings\A\XUnleashedControls.dll
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\XUnleashedTest.exe
2007-05-08 08:42 322,560 -c--a-w C:\Documents and Settings\A\kipih.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\XUStealthDriver.dll
2007-05-08 08:42 258,048 -c--a-w C:\Documents and Settings\A\DX8Test.exe
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\XUnleashed.dll
2007-05-08 08:42 172,032 -c--a-w C:\Documents and Settings\A\ubgoe.dll
2006-12-11 21:07 3,320 -c--a-w C:\Documents and Settings\A\Application Data\wklnhst.dat
2005-12-13 15:02 4,184 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\SYSTEM32\WS2_32.DLL

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SYSTEM32\WINLOGON.EXE

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DLLCACHE\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\SYSTEM32\DRIVERS\IP6FW.SYS

2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\SYSTEM32\SERVICES.EXE

2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\SYSTEM32\LSASS.EXE

2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\CTFMON.EXE
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SYSTEM32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-06_11.23.21.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-08-08 09:44:30 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-08-06 13:44:10 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-08 09:44:30 32,768 -c--a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-08 09:44:30 32,768 --sha-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-13 14:03:58 34,432 ----a-r C:\WINDOWS\SYSTEM32\DRIVERS\SZKG.sys
+ 2008-06-26 14:50:04 708,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Base5.dll
+ 2008-06-26 14:56:46 364,544 ----a-r C:\WINDOWS\SYSTEM32\IS3DBA5.dll
+ 2008-06-26 14:55:36 61,440 ----a-r C:\WINDOWS\SYSTEM32\IS3Hks5.dll
+ 2008-06-26 14:56:58 126,976 ----a-r C:\WINDOWS\SYSTEM32\IS3HTUI5.dll
+ 2008-06-26 14:54:20 94,208 ----a-r C:\WINDOWS\SYSTEM32\IS3Inet5.dll
+ 2008-06-26 14:54:04 90,112 ----a-r C:\WINDOWS\SYSTEM32\IS3Svc5.dll
+ 2008-06-26 14:55:56 372,736 ----a-r C:\WINDOWS\SYSTEM32\IS3UI5.dll
+ 2008-06-26 14:54:50 196,608 ----a-r C:\WINDOWS\SYSTEM32\IS3Win325.dll
+ 2008-06-26 14:55:12 23,040 ----a-r C:\WINDOWS\SYSTEM32\IS3XDat5.dll
- 2008-07-31 22:17:22 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-08-08 06:59:05 64,200 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-07-31 22:17:22 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-08-08 06:59:05 407,670 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-07-03 19:41:10 258,048 ----a-r C:\WINDOWS\SYSTEM32\SZBase5.dll
+ 2008-07-03 19:40:46 401,408 ----a-r C:\WINDOWS\SYSTEM32\SZComp5.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\A\OctoshapeClient.exe" [2008-05-22 09:59 156944]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\cdasd2.exe" [2008-08-08 02:51 619848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 02:07 200704]
"LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 13:48 73728]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-03 13:55 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-09 02:57 185896]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"CyberDefender Early Detection Center"="C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe" [2008-08-08 02:51 566600]
"kkw_run.exe"="kkw_run.exe" [2005-12-15 16:00 106496 C:\WINDOWS\SYSTEM32\kkw_run.exe]
"kmw_run.exe"="kmw_run.exe" [2005-09-01 10:43 118784 C:\WINDOWS\SYSTEM32\kmw_run.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Sony\\EverQuest\\EverQuest.exe"=
"C:\\Program Files\\Sony\\EverQuest II\\EQ2.exe"=
"C:\\Program Files\\GalaNet\\Flyff\\Flyff.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Filetopia3\\Filetopia.exe"=
"C:\\Documents and Settings\\A\\Desktop\\Chromosome v1.1.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\keyclone\\keyclone.exe"=
"C:\\Program Files\\Kensington\\KeyboardWorks\\k_update.exe"=
"C:\\Program Files\\Tortun\\gui.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\A\\OctoshapeClient.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\CyberDefender\\AntiSpyware\\cdasd2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-05-13 10:03]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 KKW_HID;Kensington HIDClass Filter Driver;C:\WINDOWS\system32\DRIVERS\KKW_HID.sys [2005-12-01 14:17]
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys [2005-09-01 10:41]
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys [2005-09-01 10:41]
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys [2005-09-01 10:41]
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2005-08-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 09:40:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\kmw_show.exe
C:\WINDOWS\SYSTEM32\lxcgcoms.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-08-08 9:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 13:52:27
ComboFix2.txt 2008-08-06 15:24:53

Pre-Run: 8,433,688,576 bytes free
Post-Run: 8,434,094,080 bytes free

289 --- E O F --- 2008-07-09 00:02:14

Blade81
2008-08-08, 20:28
And my brother install