View Full Version : Virtumonde infected Win XP !!HELP!!
This is my first post.
Virtumonde infected my Win XP. I keep getting popups to a site called reditty.com.
Kasperstky Online scan was completed, however,the text is too long. Please advise how to submit it. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:50 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Slave.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RemotelyAnywhere\RAGui.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Noël Danjou\DynSite\DynSite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Assistant\Nassi.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\FOLDER~1\BETA1~1\bxExpHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {379E2B31-3561-4E41-8850-E657A1A5C215} - C:\WINDOWS\system32\pmnmjGYO.dll (file missing)
O2 - BHO: (no name) - {51126754-66B8-4BDC-A197-17426524CDC9} - C:\WINDOWS\system32\qoMcaxYp.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SubClass Explorer - {5E15C29A-B33F-45A3-A540-A6E66832FC3B} - C:\PROGRA~1\FOLDER~1\BETA1~1\SUBCLA~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79E9BB14-A5F2-46E0-B996-FB3D571DD3E1} - C:\WINDOWS\system32\ssqRIyAP.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: VideoRaptorIePlugin Class - {90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D} - C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: {a2e6ce6f-8cea-1bba-d3f4-e828cff6d81b} - {b18d6ffc-828e-4f3d-abb1-aec8f6ec6e2a} - C:\WINDOWS\system32\gpcklbws.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {DAA3F754-1FFF-4CEF-8F9D-F0F3500E0689} - C:\WINDOWS\system32\qoMdExVo.dll
O2 - BHO: (no name) - {E69A3062-B248-4277-BA12-2A9394F34C7F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {D3919E1A-D6A5-11D6-AC3E-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: &Liquid Surf - {B9F633F6-EA44-45F4-91EB-FABFC65A0634} - C:\Program Files\LiquidSurf\sybil.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~2\TAForIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Get Anonymous - {8892C699-6978-4DD9-8EB2-951C93DB4F62} - C:\Program Files\GetAnonymous 2.1 Professional\IEToolBar.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\RAGui.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [40b9f88d] rundll32.exe "C:\WINDOWS\system32\nqfvxlvp.dll",b
O4 - HKLM\..\Run: [BM438acb11] Rundll32.exe "C:\WINDOWS\system32\kkiwqina.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DynSite] "C:\Program Files\Noël Danjou\DynSite\DynSite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Network Assistant] "C:\Program Files\Network Assistant\Nassi.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add this link to WebWhacker... - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwieextlink.html
O8 - Extra context menu item: Add this page to WebWhacker... - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwieext.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with ImTOO YouTube to iPod Converter - C:\Program Files\ImTOO\Youtube to iPod Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Print Using ClickBook - {180E1E16-F536-4B51-9723-6025D98AA375} - C:\Program Files\Blue Squirrel\ClickBook\macros\ieprint.htm
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WebWhacker - {E5336D32-0CBE-4E1F-A2C7-38DCAA8B07EF} - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwietb.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: LinkStash - {4874F370-402D-4d09-A73E-FAB439934E56} - C:\Program Files\LinkStash\lsshow.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkStash - {4874F370-402D-4d09-A73E-FAB439934E56} - C:\Program Files\LinkStash\lsshow.exe (HKCU)
O9 - Extra button: Add URLs - {957DCFA2-39F7-4443-9677-1B14E83A2F87} - C:\Program Files\LinkStash\lsgrab.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkStash Add URLs - {957DCFA2-39F7-4443-9677-1B14E83A2F87} - C:\Program Files\LinkStash\lsgrab.exe (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {5FB1CBF5-750C-45F0-BE0A-5EF88B23B469} (CUEUpdate Control) - http://www.myottomate.com/cabfiles/ottoupdate.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O16 - DPF: {F9546CC6-0791-43EC-90B4-2759F17837AA} (OttoUpdate Control) - http://www.myottomate.com/myOtto/cabs/myottoupdate.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://slc-main:2000/activex/RACtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: OPNotifier - C:\WINDOWS\SYSTEM32\OPWinLogon.dll
O20 - Winlogon Notify: ssqRIyAP - C:\WINDOWS\SYSTEM32\ssqRIyAP.dll
O21 - SSODL: Urlodfav - {4A8CE92D-C832-4E79-9096-FC5531C4760B} - C:\WINDOWS\system32\movelavi.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec pcAnywhere Gateway Service (AWGateway) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere Gateway\AWGateway.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: O&O CleverCache Pro (OOCleverCache) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
O23 - Service: WebCCTV Storage Service (OPStorage) - Quadrox NV - C:\Program Files\Quadrox\WebCCTV\Bin\OPStorage.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: RemotelyAnywhere - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxLiveShare - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: RA Server (Slave) - TWD Industries SAS - C:\WINDOWS\Slave.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - http://www.adobe.com/images/nav/us_mainMainNav.gif
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
--
End of file - 31111 bytes
Thank you.
Stephen
Hi
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Here is the ComboFix log.
Please note that I had to run ComboFix several times because during the first run we had a 6 hour power failure when it was about half finished. Then after the system rebooted I could not run ComboFix until I realized that the clock had been changed to 2001. After reseting the clock I restarted ComboFix and it completed fine. I hope this does not affect the repair.
Please that I forgot to turn off Norton Antivirus when I ran Combofix.
Another curious thing has changed since being infected with Vurtumonde - the Language Bar cannot be removed. I have tried changing the settings by "unchecking" the "display language bar" box, clicking "Apply", but it still continues to display it. Do you have any suggestions on how to fix this?
ComboFix 08-04-20.5 - STEPHEN 2008-04-21 23:06:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.712 [GMT -5:00]
Running from: C:\Documents and Settings\STEPHEN\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\internet explorer\keygen.exe
C:\WINDOWS\Downloaded Program Files\setup.dll
C:\WINDOWS\install.exe
C:\WINDOWS\pp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\fLkjRXyb.ini
C:\WINDOWS\system32\fLkjRXyb.ini2
C:\WINDOWS\system32\gpcklbws.dll
C:\WINDOWS\system32\kkiwqina.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nqfvxlvp.dll
C:\WINDOWS\system32\oVxEdMoq.ini
C:\WINDOWS\system32\oVxEdMoq.ini2
C:\WINDOWS\system32\OYGjmnmp.ini
C:\WINDOWS\system32\OYGjmnmp.ini2
C:\WINDOWS\system32\pvlxvfqn.ini
C:\WINDOWS\system32\pYxacMoq.ini
C:\WINDOWS\system32\pYxacMoq.ini2
C:\WINDOWS\system32\qoMdExVo.dll
C:\WINDOWS\system32\ssqRIyAP.dll
C:\WINDOWS\system32\Tuxadfii.ini
C:\WINDOWS\system32\Tuxadfii.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.
2008-04-20 06:34 . 2008-04-20 06:34 294 --ahs---- C:\WINDOWS\system32\pjndfuay.ini
2008-04-19 10:44 . 2008-04-19 14:44 998 --ahs---- C:\WINDOWS\system32\xddncmjc.ini
2008-04-19 10:42 . 2008-04-20 20:01 109,734 --a------ C:\WINDOWS\BM438acb11.xml
2008-04-18 15:40 . 2008-04-18 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 15:40 . 2008-04-18 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 06:42 . 2008-04-19 10:43 646 --ahs---- C:\WINDOWS\system32\lihlytjq.ini
2008-04-18 01:00 . 2008-04-18 01:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 22:47 . 2008-04-18 04:16 <DIR> d-------- C:\VundoFix Backups
2008-04-17 21:43 . 2008-04-18 06:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 17:07 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-04-17 17:07 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-04-17 17:07 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-04-17 17:07 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-04-17 17:07 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-04-17 17:05 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-04-17 17:04 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-04-17 17:03 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-17 17:02 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-04-17 17:01 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-04-17 17:00 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-04-17 16:59 . 2001-08-23 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-04-17 16:58 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-04-17 16:57 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-04-17 16:56 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-04-17 16:55 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-04-17 16:54 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-04-17 15:51 . 2008-04-18 04:25 1,282 --ahs---- C:\WINDOWS\system32\novfkfek.ini
2008-04-17 15:02 . 2008-04-17 15:02 94,208 --a------ C:\WINDOWS\system32\drivers\ezplay.sys
2008-04-17 15:02 . 2008-04-17 15:02 94,208 --a------ C:\Documents and Settings\STEPHEN\Application Data\ezplay.sys
2008-04-17 14:54 . 2008-04-17 14:57 <DIR> d-------- C:\Program Files\WinSnap
2008-04-17 03:08 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-04-17 03:08 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-04-17 03:08 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-04-17 03:08 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-04-17 00:25 . 2008-04-17 00:27 <DIR> d-------- C:\Documents and Settings\STEPHEN\Application Data\ooVoo Details
2008-04-17 00:24 . 2008-04-17 00:24 <DIR> d-------- C:\Program Files\ooVoo
2008-04-16 23:24 . 2008-04-16 23:24 12,288 --a------ C:\WINDOWS\system32\aplib.dll
2008-04-16 22:51 . 2008-04-16 22:53 <DIR> d-------- C:\Documents and Settings\STEPHEN\Application Data\Hide IP NG
2008-04-16 22:50 . 2008-04-17 00:02 <DIR> d-------- C:\Program Files\Hide IP NG
2008-04-16 22:43 . 2008-04-16 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVDTOIPOD
2008-04-16 22:10 . 2008-04-16 22:10 <DIR> d-------- C:\Program Files\SharpC
2008-04-16 21:52 . 2008-04-16 21:52 <DIR> d-------- C:\Program Files\AL-Software
2008-04-15 00:35 . 2008-04-15 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 00:35 . 2008-04-15 00:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 00:33 . 2008-04-15 00:33 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 10:34 . 2008-04-14 10:34 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-23 10:09 . 2008-03-23 10:09 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-03-23 10:09 . 2008-03-23 10:09 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 20:02 --------- d-----w C:\Program Files\SnadBoy's Revelation v2
2008-04-17 20:32 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Azureus
2008-04-17 20:19 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Vso
2008-04-17 20:02 87,608 ----a-w C:\Documents and Settings\STEPHEN\Application Data\inst.exe
2008-04-17 20:01 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-17 20:01 47,360 ----a-w C:\Documents and Settings\STEPHEN\Application Data\pcouffin.sys
2008-04-17 20:00 --------- d-----w C:\Program Files\vso
2008-04-17 17:41 --------- d-----w C:\Program Files\Azureus
2008-04-17 07:21 --------- d-----w C:\Program Files\VueScan
2008-04-17 06:32 --------- d-----w C:\Program Files\UltraISO
2008-04-17 06:31 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-04-17 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 04:25 --------- d-----w C:\Program Files\winscv
2008-04-17 03:40 --------- d-----w C:\Program Files\LG Software Innovations
2008-04-17 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-16 22:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 07:13 --------- d-----w C:\Program Files\badcdrepair
2008-04-15 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-15 05:33 --------- d-----w C:\Program Files\iPod
2008-04-15 05:29 --------- d-----w C:\Program Files\QuickTime
2008-03-31 08:49 --------- d-----w C:\Program Files\FolderSizes
2008-03-30 01:38 1,882,904 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-03-28 02:30 --------- d-----w C:\Program Files\Ontrack
2008-03-26 19:49 2,280 ----a-w C:\WINDOWS\AUTOLNCH.REG
2008-03-24 10:00 --------- d-----w C:\Program Files\Norton SystemWorks
2008-03-23 08:02 --------- d-----w C:\Program Files\Safari
2008-03-23 01:12 --------- d-----w C:\Program Files\PowerArchiver
2008-03-21 23:14 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 08:14 --------- d-----w C:\Program Files\Phone Call Recorder
2008-03-03 02:00 --------- d-----w C:\Program Files\Smart Phone Recorder Demo
2008-03-03 01:50 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Advanced Phone Recorder
2008-03-03 01:45 --------- d-----w C:\Program Files\Concel Systems
2008-03-03 01:15 --------- d-----w C:\Program Files\EzPhone Recorder 1.1
2008-03-03 00:41 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Modem Spy
2008-03-02 22:58 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\DVD Profiler
2008-03-02 22:20 --------- d-----w C:\Program Files\DVD Profiler
2008-03-02 22:07 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Desktopicon
2008-03-02 22:03 --------- d-----w C:\Program Files\Unlocker
2008-03-02 10:41 --------- d-----w C:\Program Files\Call Corder
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 02:45 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\DigitalPersona
2008-03-01 01:55 --------- d-----w C:\Program Files\DigitalPersona
2008-03-01 01:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 01:08 --------- d-----w C:\Program Files\RAXCO
2008-02-29 08:19 --------- d-----w C:\Program Files\QuickTax 2007
2008-02-29 06:54 --------- d-----w C:\Program Files\QuickTax 2005
2008-02-29 06:54 --------- d-----w C:\Program Files\Quicken
2008-02-29 06:43 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-29 03:02 --------- d--h--w C:\Program Files\Zero G Registry
2008-02-29 03:02 --------- d-----w C:\Program Files\T4_Internet_T4_ par_Internet_6.1
2008-02-27 07:54 --------- d-----w C:\Program Files\Opera
2008-02-27 07:14 --------- d-----w C:\Program Files\Steam
2008-02-27 06:28 --------- d-----w C:\Program Files\Windows Live
2008-02-26 09:30 --------- d-----w C:\Program Files\QU5D47~1
2008-02-26 09:10 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Intuit Canada
2008-02-26 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-02-26 01:33 --------- d-----w C:\Program Files\T4_Internet_T4_ par_Internet_8.1
2008-02-24 08:56 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\XnView
2008-02-24 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-02-24 06:31 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\ATI MMC
2008-02-24 05:36 --------- d-----w C:\Program Files\Common Files\ATI
2008-02-24 05:36 --------- d-----w C:\Program Files\ATI Multimedia
2008-02-24 02:39 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-02-24 02:36 --------- d-----w C:\Program Files\Common Files\CyberLink
2008-02-24 02:26 --------- d-----w C:\Program Files\TitanTV
2008-02-24 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-02-24 01:50 --------- d-----w C:\Program Files\ATI Technologies
2008-02-23 19:45 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-23 19:40 --------- d-----w C:\Program Files\Creative
2008-02-23 19:39 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-23 18:30 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-23 18:30 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-23 18:29 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Creative
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 12:27 27,262,976 ----a-w C:\VIRTPART.DAT
2008-02-01 17:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-22 20:44 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-01-22 20:43 272,384 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-01-22 20:42 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-01-22 20:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-01-22 20:36 9,949,184 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-01-22 20:35 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-01-22 20:35 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-01-22 20:35 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-01-22 20:35 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-01-22 20:35 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-01-22 20:34 512,000 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-01-22 20:33 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-01-22 20:25 3,121,920 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-01-22 20:14 1,664,256 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-01-22 20:04 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-01-22 20:01 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-01-22 19:59 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-01-22 19:58 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-01-22 19:57 163,840 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-01-22 19:53 503,808 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-01-20 18:05 219 ----a-w C:\Program Files\2RU44SFN.bat
2006-05-24 21:38 233,472 ----a-w C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 204,895 ----a-w C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 426,081 ----a-w C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 458,752 ----a-w C:\Program Files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 139,264 ----a-w C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 204,800 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 212,992 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 167,936 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2004-08-19 20:25 220 --sh--w C:\WINDOWS\dwin.sys
2001-08-23 12:00 989 --sha-r C:\WINDOWS\ntosboot.dat
2003-02-15 14:08 3,958 --sha-w C:\WINDOWS\rreg64.dll
2003-02-15 14:08 1,057 --sha-w C:\WINDOWS\utapi64.dll
2008-01-21 20:31 2 --shatr C:\WINDOWS\winstart.bat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{13FEA7F5-3455-4F16-B9F2-F38D736EB683}.dat
2003-02-28 19:48 32 --sha-w C:\WINDOWS\{3397F6B4-E5EF-4D1A-956E-33A924C3FCD8}.dat
2003-02-28 19:52 32 --sha-w C:\WINDOWS\{3EBD59AC-EC26-4900-9168-5E5B8A27609A}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\{6C508746-7EF1-439C-8A5C-6CE60858ED9C}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\{6F40350B-AD67-4A15-8351-FA3547E91933}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{93D76E51-EB68-4780-8BDD-5E6B6557B74E}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{9AFE5258-F07C-4EF7-8CF3-83A89E03964A}.dat
2006-05-08 01:00 56 --sha-r C:\WINDOWS\system32\FF074B50CF.sys
2006-05-08 01:00 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-08-04 07:56 22,528 --sha-r C:\WINDOWS\system32\wsock32.dll
2003-02-28 19:51 32 --sha-w C:\WINDOWS\system32\{2BA47833-53C1-4DE9-B8D2-2CEA4C27925E}.dat
2003-02-28 19:52 32 --sha-w C:\WINDOWS\system32\{371696FE-D158-45C0-B4E7-3732A6A9507F}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{50861BDB-DC6B-4407-B42A-999E0E8F8F99}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\system32\{7CD86ABA-4C4A-41B1-B135-636648E44446}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{84478FED-A3BB-40C8-912B-3066701D7F3F}.dat
2003-02-28 19:48 32 --sha-w C:\WINDOWS\system32\{A4EEE221-EF03-4C60-B3DD-219A779664FA}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{A9CE5FE7-40C9-4B63-AE34-A2ACEB5F8061}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{379E2B31-3561-4E41-8850-E657A1A5C215}]
C:\WINDOWS\system32\pmnmjGYO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51126754-66B8-4BDC-A197-17426524CDC9}]
C:\WINDOWS\system32\qoMcaxYp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E15C29A-B33F-45A3-A540-A6E66832FC3B}]
2003-12-05 19:35 174080 --a------ C:\PROGRA~1\FOLDER~1\BETA1~1\SUBCLA~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D}]
2007-10-26 18:17 83248 --a------ C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Adobe]
@={8AB18ADC-402A-4B52-A63A-155F45C07F4E}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DynSite"="C:\Program Files\Noël Danjou\DynSite\DynSite.exe" [2006-07-05 04:44 1376256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Network Assistant"="C:\Program Files\Network Assistant\Nassi.exe" [2005-10-06 12:30 2450944]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-22 05:55 68856]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24 57344]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 18:33 53096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemotelyAnywhere GUI"="C:\Program Files\RemotelyAnywhere\RAGui.exe" [2006-05-02 18:40 377608]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 21:06 2595616]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 21:11 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 21:07 140568]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 05:43 2037088]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2006-10-09 17:27 807440]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-02-04 02:37 160592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 03:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-03 14:56:06 499779]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-22 05:55:08 124912]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"LoginPrompt"= DADEDADADCD4D8D9
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Urlodfav"= {4A8CE92D-C832-4E79-9096-FC5531C4760B} - C:\WINDOWS\system32\movelavi.dll [2007-04-16 10:52 1490944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2006-10-09 17:27 99856 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPNotifier]
OPWinLogon.dll 2004-04-21 10:42 45056 C:\WINDOWS\system32\OPWinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-02-14 12:00 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RAinit]
RAinit.dll 2006-05-02 18:40 10496 C:\WINDOWS\system32\RAinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"VIDC.VDOM"= vdowave.drv
"VIDC.NSVI"= nsvideo.dll
"vidc.dvsd"= dvc.dll
"msacm.msnaudio"= msnaudio.acm
"vidc.XVID"= xvid.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.UV12"= SCDeluxe.ax
"SENTINEL"= snti386.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.CDVC"= cdvccodc.dll
"msacm.enc"= ITIG726.acm
"vidc.aflc"= flccodec32.dll
"vidc.afli"= flccodec32.dll
"vidc.aasc"= aasc32.dll
"VIDC.CFHD"= CFHD.dll
"msacm.mkdmp3enc"= C:\PROGRA~1\CYBERL~1\MakeDVD\Kernel\Burner\MKDMP3Enc.ACM
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"MSVideo1"= CSvidcap.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\40b9f88d]
C:\WINDOWS\system32\cjmcnddx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 21:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2007-02-13 15:00 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
--a------ 2005-04-04 19:58 856064 C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2006-10-31 22:24 57344 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Scheduler]
--a------ 2006-10-31 22:25 26624 C:\Program Files\ATI Multimedia\main\ATISched.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM438acb11]
C:\WINDOWS\system32\afjnfupf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--------- 2006-11-09 11:19 204800 C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-03-12 22:43 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Directory Opus Desktop Dblclk]
--a------ 2007-09-13 15:41 275984 C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2006-05-05 12:19 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-10-12 16:52 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\modemspy]
C:\Program Files\Modem Spy\modemspy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
--a------ 2007-10-31 21:18 204800 C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15]
--a------ 2005-07-06 00:58 69632 C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2006-05-05 12:18 36864 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pfp.exe]
C:\Program Files\Protect Files Pro\pfp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
--------- 2004-08-17 16:07 143360 C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-01-18 08:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-01-18 21:17 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeePassword]
--a------ 2005-06-25 18:18 1347584 C:\Program Files\SeePassword\SeePassword.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMPAutoStart]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-02-23 21:16 1266936 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
--a------ 2005-05-18 14:51 81920 C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2003-06-09 13:23 151552 C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2005-04-11 15:34 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"perfmons"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mirc for DVDtorrents\\mirc.exe"=
"C:\\Program Files\\Mirc for sattech\\Sattech.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Capturix VideoSpy\\cvs.exe"=
"C:\\Program Files\\Capturix VideoSpy\\cvs2.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"C:\\Program Files\\webcamXP\\webcamXP.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\g3torrent\\g3torrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\CyberLink\\MakeDVD\\MakeDVD.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Network Assistant\\Nassi.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50000:TCP"= 50000:TCP:AZUREUS
R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-29 15:25]
R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 12:42]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-01-24 21:08]
R0 ulsata2;ulsata2;C:\WINDOWS\system32\DRIVERS\ulsata2.sys [2005-06-29 17:44]
R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 02:15]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 CINEMSUP;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 08:10]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys [2002-06-10 14:20]
R1 Myscope;Myscope;C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\W2k\myscope.sys [2002-09-02 19:42]
R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2005-11-10 11:37]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
R2 OOCleverCache;O&O CleverCache Pro;C:\Program Files\OO Software\CleverCache\OOCCSVC.exe [2002-04-11 14:55]
R2 pardrv;pardrv;C:\WINDOWS\system32\drivers\pardrv.sys [2006-01-10 14:59]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 11:52]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;C:\Program Files\RemotelyAnywhere\RaInfo.sys [2006-05-02 18:41]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-10-30 21:51]
R2 UtMsgSvc;UtMsgAgt;"C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe" [2004-09-22 18:06]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-10 01:24]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-29 00:58]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 11:53]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2006-09-16 18:25]
R3 EuMusDesignVirtualAudioCableWdm_jrm;MuvEnum Virtual Cable;C:\WINDOWS\system32\DRIVERS\vacjrmkd.sys [2007-04-07 13:17]
R3 hpusbfd;Hewlett-Packard USB Filter Class;C:\WINDOWS\system32\DRIVERS\hpusbfd.sys [2002-05-22 10:40]
R3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
R3 LVVI500A;LVVI500A Service;C:\WINDOWS\system32\DRIVERS\lvvi500a.sys [2002-06-10 14:24]
R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys [2006-05-02 18:41]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2006-09-16 18:23]
R3 uscsc108;uscsc108;C:\WINDOWS\system32\DRIVERS\uscsc108.sys [2003-03-09 18:41]
R3 UTDpcService;ULEVTBDG;C:\Program Files\Promise\Promise Disk Controller Manager\ULEVTBDG.sys [2004-09-20 16:54]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S0 SI3112;SiI-3112 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys []
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2003-02-10 15:30]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 AWGateway;Symantec pcAnywhere Gateway Service;"C:\Program Files\Symantec\pcAnywhere Gateway\AWGateway.exe" [2006-05-01 13:40]
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-08-22 17:19]
S3 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 16:19]
S3 FTD2XX;HiLo Systems -- USB Drivers;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2004-10-15 16:49]
S3 IBService;IBService;C:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 15:38]
S3 LV506AV;Logitech QuickCam Cordless(PID_0430);C:\WINDOWS\system32\DRIVERS\LV506AV.SYS [2002-12-10 17:56]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\59.tmp []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
S3 OPStorage;WebCCTV Storage Service;C:\Program Files\Quadrox\WebCCTV\Bin\OPStorage.exe [2004-05-07 15:46]
S3 OV681;EZMega Cam;C:\WINDOWS\system32\Drivers\om681vid.sys []
S3 PCD61X2;PCD61X2;C:\DOCUME~1\STEPHEN\LOCALS~1\Temp\PCD61X2.sys []
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 11:52]
S3 Pg4uUSB;BK PRECISION driver;C:\WINDOWS\system32\DRIVERS\pg4uusb.sys [2006-10-18 10:04]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2004-02-14 12:09]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\System32\drivers\pivotmou.sys [2005-11-10 11:37]
S3 SCDELUXES;SiPix StyleCam Deluxe (still);C:\WINDOWS\system32\DRIVERS\se402sc.sys []
S3 SCDELUXEV;SiPix StyleCam Deluxe (video);C:\WINDOWS\system32\DRIVERS\se402vc.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 SMTPSVC;SMTPSVC;C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 02:56]
S3 TEC9120;TECV35Q Digital Camera;C:\WINDOWS\system32\Drivers\SQcaptur.sys [2002-05-06 13:58]
S3 Usrserft;Myscope Upper Filter Driver;C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\W2k\usrserft.sys [2002-09-02 19:41]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E3A395C2-0AF7-DCBB-57DA-004281800B55}]
C:\Program Files\winscv\install.exe s
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 14:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-31 08:01:39 C:\WINDOWS\Tasks\BACKUP OF C DRIVE - DOCUMENTS & SETTINGS.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-15 08:01:15 C:\WINDOWS\Tasks\BACKUP OF C DRIVE - SYSTEM STATE.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-16 08:22:02 C:\WINDOWS\Tasks\BACKUP OF D DRIVE.job"
- C:\WINDOWS\system32\ntbackup.exeSbackup
"2008-04-21 17:40:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2002-01-01 05:15:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-19 01:44:07 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - STEPHEN.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-31 10:00:20 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-17 15:27:55 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-21 05:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 23:17:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
C:\WINDOWS\explorer.exe [5252] 0x869D2020
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\59.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.exe
-> C:\Program Files\Network Assistant\HOOKS.DLL
.
Completion time: 2008-04-21 23:22:43
ComboFix-quarantined-files.txt 2008-04-22 04:22:25
Pre-Run: 39,414,878,208 bytes free
Post-Run: 39,353,331,712 bytes free
575 --- E O F --- 2008-04-18 00:08:44
Another curious thing has changed since being infected with Vurtumonde - the Language Bar cannot be removed. I have tried changing the settings by "unchecking" the "display language bar" box, clicking "Apply", but it still continues to display it. Do you have any suggestions on how to fix this?
Hi
We can take a look at that after your system is clean. :)
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Upload following file to http://virusscan.jotti.org and post back the results:
C:\WINDOWS\system32\movelavi.dll
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
MEMSWEEP2
File::
C:\WINDOWS\system32\pjndfuay.ini
C:\WINDOWS\system32\xddncmjc.ini
C:\WINDOWS\BM438acb11.xml
C:\WINDOWS\system32\lihlytjq.ini
C:\WINDOWS\system32\novfkfek.ini
C:\WINDOWS\system32\59.tmp
Folder:
C:\VundoFix Backups
DirLook::
C:\Program Files\winscv
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{379E2B31-3561-4E41-8850-E657A1A5C215}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51126754-66B8-4BDC-A197-17426524CDC9}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\40b9f88d]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM438acb11]
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting ComboFix resultant log meantioned above).
The scan of movelavi.dll did not complete.
Here is result of the Upload of the file to http://virusscan.jotti.org found in:
C:\WINDOWS\system32\movelavi.dll
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.
All steps were completed except the Kaspersky online scan. It has been running for 5 hours and is only at 54%. It should take another 5 hours and then I can try to post it. I predict it will exceed the 64,000 character limit and will not post similat to the first scan. Please advise if you would prefer me to send the log as a text file. It is important to note that the first Kaspersy scan found over 100 viruses and*300 infected files - however, these were primarily already in quarantine in by Norton.
Here is the log of the new ComboFix which completed successfully.
ComboFix 08-04-20.5 - 2008-04-22 5:06:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.730 [GMT -5:00]Running from: C:\Documents and Settings\STEPHEN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STEPHEN\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM438acb11.xml
C:\WINDOWS\system32\59.tmp
C:\WINDOWS\system32\lihlytjq.ini
C:\WINDOWS\system32\novfkfek.ini
C:\WINDOWS\system32\pjndfuay.ini
C:\WINDOWS\system32\xddncmjc.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\STEPHEN\Application Data\inst.exe
C:\WINDOWS\BM438acb11.xml
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\lihlytjq.ini
C:\WINDOWS\system32\novfkfek.ini
C:\WINDOWS\system32\pjndfuay.ini
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\xddncmjc.ini
.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.
2008-04-18 15:40 . 2008-04-18 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 15:40 . 2008-04-18 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 01:00 . 2008-04-18 01:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 22:47 . 2008-04-18 04:16 <DIR> d-------- C:\VundoFix Backups
2008-04-17 21:43 . 2008-04-18 06:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 17:07 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-04-17 17:07 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-04-17 17:07 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-04-17 17:07 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-04-17 17:07 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-04-17 17:05 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-04-17 17:04 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-04-17 17:03 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-17 17:02 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-04-17 17:01 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-04-17 17:00 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-04-17 16:59 . 2001-08-23 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-04-17 16:58 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-04-17 16:57 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-04-17 16:56 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-04-17 16:55 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-04-17 16:54 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-04-17 15:02 . 2008-04-17 15:02 94,208 --a------ C:\WINDOWS\system32\drivers\ezplay.sys
2008-04-17 15:02 . 2008-04-17 15:02 94,208 --a------ C:\Documents and Settings\STEPHEN\Application Data\ezplay.sys
2008-04-17 14:54 . 2008-04-17 14:57 <DIR> d-------- C:\Program Files\WinSnap
2008-04-17 03:08 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-04-17 03:08 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-04-17 03:08 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-04-17 03:08 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-04-17 00:25 . 2008-04-17 00:27 <DIR> d-------- C:\Documents and Settings\STEPHEN\Application Data\ooVoo Details
2008-04-17 00:24 . 2008-04-17 00:24 <DIR> d-------- C:\Program Files\ooVoo
2008-04-16 23:24 . 2008-04-16 23:24 12,288 --a------ C:\WINDOWS\system32\aplib.dll
2008-04-16 22:51 . 2008-04-16 22:53 <DIR> d-------- C:\Documents and Settings\STEPHEN\Application Data\Hide IP NG
2008-04-16 22:50 . 2008-04-17 00:02 <DIR> d-------- C:\Program Files\Hide IP NG
2008-04-16 22:43 . 2008-04-16 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVDTOIPOD
2008-04-16 22:10 . 2008-04-16 22:10 <DIR> d-------- C:\Program Files\SharpC
2008-04-16 21:52 . 2008-04-16 21:52 <DIR> d-------- C:\Program Files\AL-Software
2008-04-15 00:35 . 2008-04-15 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 00:35 . 2008-04-15 00:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 00:33 . 2008-04-15 00:33 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 10:34 . 2008-04-14 10:34 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-23 10:09 . 2008-03-23 10:09 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-03-23 10:09 . 2008-03-23 10:09 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 09:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 08:03 --------- d-----w C:\Program Files\RemotelyAnywhere
2008-04-18 20:02 --------- d-----w C:\Program Files\SnadBoy's Revelation v2
2008-04-17 20:32 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Azureus
2008-04-17 20:19 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Vso
2008-04-17 20:01 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-17 20:01 47,360 ----a-w C:\Documents and Settings\STEPHEN\Application Data\pcouffin.sys
2008-04-17 20:00 --------- d-----w C:\Program Files\vso
2008-04-17 17:41 --------- d-----w C:\Program Files\Azureus
2008-04-17 07:21 --------- d-----w C:\Program Files\VueScan
2008-04-17 06:32 --------- d-----w C:\Program Files\UltraISO
2008-04-17 06:31 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-04-17 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 04:25 --------- d-----w C:\Program Files\winscv
2008-04-17 03:40 --------- d-----w C:\Program Files\LG Software Innovations
2008-04-17 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-16 22:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 07:13 --------- d-----w C:\Program Files\badcdrepair
2008-04-15 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-15 05:33 --------- d-----w C:\Program Files\iPod
2008-04-15 05:29 --------- d-----w C:\Program Files\QuickTime
2008-03-31 08:49 --------- d-----w C:\Program Files\FolderSizes
2008-03-30 01:38 1,882,904 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-03-28 02:30 --------- d-----w C:\Program Files\Ontrack
2008-03-26 19:49 2,280 ----a-w C:\WINDOWS\AUTOLNCH.REG
2008-03-24 10:00 --------- d-----w C:\Program Files\Norton SystemWorks
2008-03-23 08:02 --------- d-----w C:\Program Files\Safari
2008-03-23 01:12 --------- d-----w C:\Program Files\PowerArchiver
2008-03-21 23:14 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 08:14 --------- d-----w C:\Program Files\Phone Call Recorder
2008-03-03 02:00 --------- d-----w C:\Program Files\Smart Phone Recorder Demo
2008-03-03 01:50 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Advanced Phone Recorder
2008-03-03 01:45 --------- d-----w C:\Program Files\Concel Systems
2008-03-03 01:15 --------- d-----w C:\Program Files\EzPhone Recorder 1.1
2008-03-03 00:41 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Modem Spy
2008-03-02 22:58 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\DVD Profiler
2008-03-02 22:20 --------- d-----w C:\Program Files\DVD Profiler
2008-03-02 22:07 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Desktopicon
2008-03-02 22:03 --------- d-----w C:\Program Files\Unlocker
2008-03-02 10:41 --------- d-----w C:\Program Files\Call Corder
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 02:45 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\DigitalPersona
2008-03-01 01:55 --------- d-----w C:\Program Files\DigitalPersona
2008-03-01 01:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 01:08 --------- d-----w C:\Program Files\RAXCO
2008-02-29 08:19 --------- d-----w C:\Program Files\QuickTax 2007
2008-02-29 06:54 --------- d-----w C:\Program Files\QuickTax 2005
2008-02-29 06:54 --------- d-----w C:\Program Files\Quicken
2008-02-29 06:43 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-29 03:02 --------- d--h--w C:\Program Files\Zero G Registry
2008-02-29 03:02 --------- d-----w C:\Program Files\T4_Internet_T4_ par_Internet_6.1
2008-02-27 07:54 --------- d-----w C:\Program Files\Opera
2008-02-27 07:14 --------- d-----w C:\Program Files\Steam
2008-02-27 06:28 --------- d-----w C:\Program Files\Windows Live
2008-02-26 09:30 --------- d-----w C:\Program Files\QU5D47~1
2008-02-26 09:10 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Intuit Canada
2008-02-26 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-02-26 01:33 --------- d-----w C:\Program Files\T4_Internet_T4_ par_Internet_8.1
2008-02-24 08:56 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\XnView
2008-02-24 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-02-24 06:31 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\ATI MMC
2008-02-24 05:36 --------- d-----w C:\Program Files\Common Files\ATI
2008-02-24 05:36 --------- d-----w C:\Program Files\ATI Multimedia
2008-02-24 02:39 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-02-24 02:36 --------- d-----w C:\Program Files\Common Files\CyberLink
2008-02-24 02:26 --------- d-----w C:\Program Files\TitanTV
2008-02-24 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-02-24 01:50 --------- d-----w C:\Program Files\ATI Technologies
2008-02-23 19:45 --------- d--h--w C:\Program Files\Creative Installation Information
2008-02-23 19:40 --------- d-----w C:\Program Files\Creative
2008-02-23 19:39 --------- d-----w C:\Program Files\Common Files\Creative
2008-02-23 18:30 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-23 18:30 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-23 18:29 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Creative
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 12:27 27,262,976 ----a-w C:\VIRTPART.DAT
2008-02-01 17:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-22 20:44 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-01-22 20:43 272,384 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-01-22 20:42 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-01-22 20:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-01-22 20:36 9,949,184 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-01-22 20:35 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-01-22 20:35 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-01-22 20:35 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-01-22 20:35 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-01-22 20:35 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-01-22 20:34 512,000 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-01-22 20:33 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-01-22 20:25 3,121,920 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-01-22 20:14 1,664,256 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-01-22 20:04 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-01-22 20:01 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-01-22 19:59 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-01-22 19:58 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-01-22 19:57 163,840 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-01-22 19:53 503,808 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2006-05-24 21:38 233,472 ----a-w C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 204,895 ----a-w C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 426,081 ----a-w C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 458,752 ----a-w C:\Program Files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 139,264 ----a-w C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 204,800 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 212,992 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 167,936 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2004-08-19 20:25 220 --sh--w C:\WINDOWS\dwin.sys
2001-08-23 12:00 989 --sha-r C:\WINDOWS\ntosboot.dat
2003-02-15 14:08 3,958 --sha-w C:\WINDOWS\rreg64.dll
2003-02-15 14:08 1,057 --sha-w C:\WINDOWS\utapi64.dll
2008-01-21 20:31 2 --shatr C:\WINDOWS\winstart.bat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{13FEA7F5-3455-4F16-B9F2-F38D736EB683}.dat
2003-02-28 19:48 32 --sha-w C:\WINDOWS\{3397F6B4-E5EF-4D1A-956E-33A924C3FCD8}.dat
2003-02-28 19:52 32 --sha-w C:\WINDOWS\{3EBD59AC-EC26-4900-9168-5E5B8A27609A}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\{6C508746-7EF1-439C-8A5C-6CE60858ED9C}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\{6F40350B-AD67-4A15-8351-FA3547E91933}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{93D76E51-EB68-4780-8BDD-5E6B6557B74E}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{9AFE5258-F07C-4EF7-8CF3-83A89E03964A}.dat
2006-05-08 01:00 56 --sha-r C:\WINDOWS\system32\FF074B50CF.sys
2006-05-08 01:00 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-08-04 07:56 22,528 --sha-r C:\WINDOWS\system32\wsock32.dll
2003-02-28 19:51 32 --sha-w C:\WINDOWS\system32\{2BA47833-53C1-4DE9-B8D2-2CEA4C27925E}.dat
2003-02-28 19:52 32 --sha-w C:\WINDOWS\system32\{371696FE-D158-45C0-B4E7-3732A6A9507F}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{50861BDB-DC6B-4407-B42A-999E0E8F8F99}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\system32\{7CD86ABA-4C4A-41B1-B135-636648E44446}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{84478FED-A3BB-40C8-912B-3066701D7F3F}.dat
2003-02-28 19:48 32 --sha-w C:\WINDOWS\system32\{A4EEE221-EF03-4C60-B3DD-219A779664FA}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{A9CE5FE7-40C9-4B63-AE34-A2ACEB5F8061}.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Program Files\winscv ----
2008-04-16 23:25 0 --ahs---- C:\Program Files\winscv\winini.dat
2007-06-13 05:23 56189 --a------ C:\Program Files\winscv\install.exe
((((((((((((((((((((((((((((( snapshot@2008-04-21_23.21.53.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-04-16 15:52:53 158,070 ----a-w C:\WINDOWS\system32\delipwiz32.dll
+ 2007-04-16 15:52:53 158,526 ----a-w C:\WINDOWS\system32\delipwiz32.dll
+ 2008-04-22 10:13:04 53,248 ----a-w C:\WINDOWS\Temp\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E15C29A-B33F-45A3-A540-A6E66832FC3B}]
2003-12-05 19:35 174080 --a------ C:\PROGRA~1\FOLDER~1\BETA1~1\SUBCLA~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D}]
2007-10-26 18:17 83248 --a------ C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Adobe]
@={8AB18ADC-402A-4B52-A63A-155F45C07F4E}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DynSite"="C:\Program Files\Noël Danjou\DynSite\DynSite.exe" [2006-07-05 04:44 1376256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Network Assistant"="C:\Program Files\Network Assistant\Nassi.exe" [2005-10-06 12:30 2450944]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-22 05:55 68856]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24 57344]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 18:33 53096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemotelyAnywhere GUI"="C:\Program Files\RemotelyAnywhere\RAGui.exe" [2006-05-02 18:40 377608]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 21:06 2595616]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 21:11 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 21:07 140568]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 05:43 2037088]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2006-10-09 17:27 807440]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-02-04 02:37 160592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 03:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-03 14:56:06 499779]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-22 05:55:08 124912]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"LoginPrompt"= DADEDADADCD4D8D9
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Urlodfav"= {4A8CE92D-C832-4E79-9096-FC5531C4760B} - C:\WINDOWS\system32\movelavi.dll [2007-04-16 10:52 1490944]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2006-10-09 17:27 99856 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPNotifier]
OPWinLogon.dll 2004-04-21 10:42 45056 C:\WINDOWS\system32\OPWinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-02-14 12:00 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RAinit]
RAinit.dll 2006-05-02 18:40 10496 C:\WINDOWS\system32\RAinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"VIDC.VDOM"= vdowave.drv
"VIDC.NSVI"= nsvideo.dll
"vidc.dvsd"= dvc.dll
"msacm.msnaudio"= msnaudio.acm
"vidc.XVID"= xvid.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.UV12"= SCDeluxe.ax
"SENTINEL"= snti386.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.CDVC"= cdvccodc.dll
"msacm.enc"= ITIG726.acm
"vidc.aflc"= flccodec32.dll
"vidc.afli"= flccodec32.dll
"vidc.aasc"= aasc32.dll
"VIDC.CFHD"= CFHD.dll
"msacm.mkdmp3enc"= C:\PROGRA~1\CYBERL~1\MakeDVD\Kernel\Burner\MKDMP3Enc.ACM
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"MSVideo1"= CSvidcap.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 21:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2007-02-13 15:00 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
--a------ 2005-04-04 19:58 856064 C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2006-10-31 22:24 57344 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Scheduler]
--a------ 2006-10-31 22:25 26624 C:\Program Files\ATI Multimedia\main\ATISched.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--------- 2006-11-09 11:19 204800 C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-03-12 22:43 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Directory Opus Desktop Dblclk]
--a------ 2007-09-13 15:41 275984 C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2006-05-05 12:19 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-10-12 16:52 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\modemspy]
C:\Program Files\Modem Spy\modemspy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
--a------ 2007-10-31 21:18 204800 C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15]
--a------ 2005-07-06 00:58 69632 C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2006-05-05 12:18 36864 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pfp.exe]
C:\Program Files\Protect Files Pro\pfp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
--------- 2004-08-17 16:07 143360 C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-01-18 08:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-01-18 21:17 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeePassword]
--a------ 2005-06-25 18:18 1347584 C:\Program Files\SeePassword\SeePassword.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMPAutoStart]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-02-23 21:16 1266936 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
--a------ 2005-05-18 14:51 81920 C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2003-06-09 13:23 151552 C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2005-04-11 15:34 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"perfmons"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mirc for DVDtorrents\\mirc.exe"=
"C:\\Program Files\\Mirc for sattech\\Sattech.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Capturix VideoSpy\\cvs.exe"=
"C:\\Program Files\\Capturix VideoSpy\\cvs2.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"C:\\Program Files\\webcamXP\\webcamXP.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\g3torrent\\g3torrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\CyberLink\\MakeDVD\\MakeDVD.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Network Assistant\\Nassi.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50000:TCP"= 50000:TCP:AZUREUS
R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-29 15:25]
R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 12:42]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-01-24 21:08]
R0 ulsata2;ulsata2;C:\WINDOWS\system32\DRIVERS\ulsata2.sys [2005-06-29 17:44]
R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 02:15]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 CINEMSUP;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 08:10]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys [2002-06-10 14:20]
R1 Myscope;Myscope;C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\W2k\myscope.sys [2002-09-02 19:42]
R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2005-11-10 11:37]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
R2 OOCleverCache;O&O CleverCache Pro;C:\Program Files\OO Software\CleverCache\OOCCSVC.exe [2002-04-11 14:55]
R2 pardrv;pardrv;C:\WINDOWS\system32\drivers\pardrv.sys [2006-01-10 14:59]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 11:52]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;C:\Program Files\RemotelyAnywhere\RaInfo.sys [2006-05-02 18:41]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-10-30 21:51]
R2 UtMsgSvc;UtMsgAgt;"C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe" [2004-09-22 18:06]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-10 01:24]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-29 00:58]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 11:53]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2006-09-16 18:25]
R3 EuMusDesignVirtualAudioCableWdm_jrm;MuvEnum Virtual Cable;C:\WINDOWS\system32\DRIVERS\vacjrmkd.sys [2007-04-07 13:17]
R3 hpusbfd;Hewlett-Packard USB Filter Class;C:\WINDOWS\system32\DRIVERS\hpusbfd.sys [2002-05-22 10:40]
R3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
R3 LVVI500A;LVVI500A Service;C:\WINDOWS\system32\DRIVERS\lvvi500a.sys [2002-06-10 14:24]
R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys [2006-05-02 18:41]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2006-09-16 18:23]
R3 uscsc108;uscsc108;C:\WINDOWS\system32\DRIVERS\uscsc108.sys [2003-03-09 18:41]
R3 UTDpcService;ULEVTBDG;C:\Program Files\Promise\Promise Disk Controller Manager\ULEVTBDG.sys [2004-09-20 16:54]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S0 SI3112;SiI-3112 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys []
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2003-02-10 15:30]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 AWGateway;Symantec pcAnywhere Gateway Service;"C:\Program Files\Symantec\pcAnywhere Gateway\AWGateway.exe" [2006-05-01 13:40]
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-08-22 17:19]
S3 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 16:19]
S3 FTD2XX;HiLo Systems -- USB Drivers;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2004-10-15 16:49]
S3 IBService;IBService;C:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 15:38]
S3 LV506AV;Logitech QuickCam Cordless(PID_0430);C:\WINDOWS\system32\DRIVERS\LV506AV.SYS [2002-12-10 17:56]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\59.tmp []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
S3 OPStorage;WebCCTV Storage Service;C:\Program Files\Quadrox\WebCCTV\Bin\OPStorage.exe [2004-05-07 15:46]
S3 OV681;EZMega Cam;C:\WINDOWS\system32\Drivers\om681vid.sys []
S3 PCD61X2;PCD61X2;C:\DOCUME~1\STEPHEN\LOCALS~1\Temp\PCD61X2.sys []
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 11:52]
S3 Pg4uUSB;BK PRECISION driver;C:\WINDOWS\system32\DRIVERS\pg4uusb.sys [2006-10-18 10:04]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2004-02-14 12:09]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\System32\drivers\pivotmou.sys [2005-11-10 11:37]
S3 SCDELUXES;SiPix StyleCam Deluxe (still);C:\WINDOWS\system32\DRIVERS\se402sc.sys []
S3 SCDELUXEV;SiPix StyleCam Deluxe (video);C:\WINDOWS\system32\DRIVERS\se402vc.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 SMTPSVC;SMTPSVC;C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 02:56]
S3 TEC9120;TECV35Q Digital Camera;C:\WINDOWS\system32\Drivers\SQcaptur.sys [2002-05-06 13:58]
S3 Usrserft;Myscope Upper Filter Driver;C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\W2k\usrserft.sys [2002-09-02 19:41]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E3A395C2-0AF7-DCBB-57DA-004281800B55}]
C:\Program Files\winscv\install.exe s
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 14:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-31 08:01:39 C:\WINDOWS\Tasks\BACKUP OF C DRIVE - DOCUMENTS & SETTINGS.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-22 08:03:36 C:\WINDOWS\Tasks\BACKUP OF C DRIVE - SYSTEM STATE.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-16 08:22:02 C:\WINDOWS\Tasks\BACKUP OF D DRIVE.job"
- C:\WINDOWS\system32\ntbackup.exeSbackup
"2008-04-22 09:40:14 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-22 10:10:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-19 01:44:07 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - STEPHEN.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-31 10:00:20 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-17 15:27:55 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-22 05:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 05:13:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\59.tmp"
.
Completion time: 2008-04-22 5:20:49
ComboFix-quarantined-files.txt 2008-04-22 10:20:23
ComboFix2.txt 2008-04-22 04:22:45
Pre-Run: 39,839,301,632 bytes free
Post-Run: 39,785,193,472 bytes free
554 --- E O F --- 2008-04-18 00:08:44
Hi
You can upload Kaspersky log to http://rapidshare.com and post back a download link when scanning is ready.
Hi:
Here is the Rapidshare link for my Kaspersky online scan.
http://rapidshare.com/files/109730189/KOS_-_APRIL_23.txt.html
Please note that my Norton Antivirus was active during the Kaspersky scan and during which it detected and removed a virus called Trojan.Vundo located in C:\QooBox\Qarantine\C\WINDOWS\system32\nqfvxlvp.dll.vir
Thank you.
Stephen
Hi
Upload following file to http://virusscan.jotti.org and post back the results:
C:\Program Files\winscv\install.exe
Clear Norton quarantine items. Clear also Java cache (instructions (http://www.java.com/en/download/help/5000020300.xml)). Delete mail messages found by Kaspersky.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\movelavi.dll
Folder::
C:\VundoFix Backups
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Urlodfav"=-
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log & a fresh hjt log in your reply.
Hi:
I am not sure which method and what to delete when you say "Delete mail messages found by Kaspersky."
For example: Sould I delete the messages from within Outlook and Outlook Express even though they are archived mail? Or -For example, shall I navigate to a line found in the Kaspersky scan such as "C:\Documents and Settings\STEPHEN\Local Settings\Application Data\Identities\{2B48DF24-83E5-4E80-8E71-1E2C7926B4C2}\Microsoft\Outlook Express\Archived Hotmail - Inbox.dbx/[From "Dan Smilinski" <smilinsk@mb.sympatico.ca>][Date Sat, 24 Aug 2002 02:00:14 -0500]/UNNAMED/Norton Infected: Backdoor.Win32.SubSeven.pac skipped" and delete them using Windows Explorer?
Stephen
Hi
I meant deleting them thru Outlook. If you don't watch those archived ones ever again then it's not so critical to delete them.
Here is the ComboFix log.
ComboFix 08-04-20.5 - STEPHEN 2008-04-24 10:32:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.691 [GMT -5:00]
Running from: C:\Documents and Settings\STEPHEN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STEPHEN\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\movelavi.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\PWRISOSH.DLL.bad
C:\WINDOWS\system32\movelavi.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-23 11:42 . 2008-04-23 11:42 250 --a------ C:\WINDOWS\gmer.ini
2008-04-18 15:40 . 2008-04-18 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 15:40 . 2008-04-18 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 01:00 . 2008-04-18 01:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 21:43 . 2008-04-18 06:52 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-04-17 17:07 . 2004-08-04 02:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-04-17 17:07 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-04-17 17:07 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-04-17 17:07 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-04-17 17:07 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-04-17 17:05 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-04-17 17:04 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-04-17 17:03 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-17 17:02 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-04-17 17:01 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-04-17 17:00 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-04-17 16:59 . 2001-08-23 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-04-17 16:58 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-04-17 16:57 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-04-17 16:56 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-04-17 16:55 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-04-17 16:54 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-04-17 15:02 . 2008-04-17 15:02 94,208 --a------ C:\WINDOWS\system32\drivers\ezplay.sys
2008-04-17 15:02 . 2008-04-17 15:02 94,208 --a------ C:\Documents and Settings\STEPHEN\Application Data\ezplay.sys
2008-04-17 14:54 . 2008-04-17 14:57 <DIR> d-------- C:\Program Files\WinSnap
2008-04-17 03:08 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-04-17 03:08 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-04-17 03:08 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-04-17 03:08 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-04-17 00:25 . 2008-04-17 00:27 <DIR> d-------- C:\Documents and Settings\STEPHEN\Application Data\ooVoo Details
2008-04-17 00:24 . 2008-04-17 00:24 <DIR> d-------- C:\Program Files\ooVoo
2008-04-16 23:24 . 2008-04-16 23:24 12,288 --a------ C:\WINDOWS\system32\aplib.dll
2008-04-16 22:51 . 2008-04-16 22:53 <DIR> d-------- C:\Documents and Settings\STEPHEN\Application Data\Hide IP NG
2008-04-16 22:50 . 2008-04-17 00:02 <DIR> d-------- C:\Program Files\Hide IP NG
2008-04-16 22:43 . 2008-04-16 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVDTOIPOD
2008-04-16 22:10 . 2008-04-16 22:10 <DIR> d-------- C:\Program Files\SharpC
2008-04-16 21:52 . 2008-04-16 21:52 <DIR> d-------- C:\Program Files\AL-Software
2008-04-15 00:35 . 2008-04-15 14:45 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 00:35 . 2008-04-15 00:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 00:33 . 2008-04-15 00:33 <DIR> d-------- C:\Program Files\iTunes
2008-04-14 10:34 . 2008-04-14 10:34 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 05:33 --------- d-----w C:\Program Files\RemotelyAnywhere
2008-04-24 01:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-23 17:37 --------- d-----w C:\Program Files\Network Assistant
2008-04-18 20:02 --------- d-----w C:\Program Files\SnadBoy's Revelation v2
2008-04-17 20:32 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Azureus
2008-04-17 20:19 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Vso
2008-04-17 20:01 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-17 20:01 47,360 ----a-w C:\Documents and Settings\STEPHEN\Application Data\pcouffin.sys
2008-04-17 20:00 --------- d-----w C:\Program Files\vso
2008-04-17 17:41 --------- d-----w C:\Program Files\Azureus
2008-04-17 07:21 --------- d-----w C:\Program Files\VueScan
2008-04-17 06:32 --------- d-----w C:\Program Files\UltraISO
2008-04-17 06:31 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-04-17 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 04:25 --------- d-----w C:\Program Files\winscv
2008-04-17 03:40 --------- d-----w C:\Program Files\LG Software Innovations
2008-04-17 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-16 22:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 07:13 --------- d-----w C:\Program Files\badcdrepair
2008-04-15 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-15 05:33 --------- d-----w C:\Program Files\iPod
2008-04-15 05:29 --------- d-----w C:\Program Files\QuickTime
2008-03-31 08:49 --------- d-----w C:\Program Files\FolderSizes
2008-03-30 01:38 1,882,904 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-03-28 02:30 --------- d-----w C:\Program Files\Ontrack
2008-03-26 19:49 2,280 ----a-w C:\WINDOWS\AUTOLNCH.REG
2008-03-24 10:00 --------- d-----w C:\Program Files\Norton SystemWorks
2008-03-23 08:02 --------- d-----w C:\Program Files\Safari
2008-03-23 01:12 --------- d-----w C:\Program Files\PowerArchiver
2008-03-21 23:14 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 08:14 --------- d-----w C:\Program Files\Phone Call Recorder
2008-03-03 02:00 --------- d-----w C:\Program Files\Smart Phone Recorder Demo
2008-03-03 01:50 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Advanced Phone Recorder
2008-03-03 01:45 --------- d-----w C:\Program Files\Concel Systems
2008-03-03 01:15 --------- d-----w C:\Program Files\EzPhone Recorder 1.1
2008-03-03 00:41 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Modem Spy
2008-03-02 22:58 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\DVD Profiler
2008-03-02 22:20 --------- d-----w C:\Program Files\DVD Profiler
2008-03-02 22:07 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Desktopicon
2008-03-02 22:03 --------- d-----w C:\Program Files\Unlocker
2008-03-02 10:41 --------- d-----w C:\Program Files\Call Corder
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 02:45 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\DigitalPersona
2008-03-01 01:55 --------- d-----w C:\Program Files\DigitalPersona
2008-03-01 01:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 01:08 --------- d-----w C:\Program Files\RAXCO
2008-02-29 08:19 --------- d-----w C:\Program Files\QuickTax 2007
2008-02-29 06:54 --------- d-----w C:\Program Files\QuickTax 2005
2008-02-29 06:54 --------- d-----w C:\Program Files\Quicken
2008-02-29 06:43 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-29 03:02 --------- d--h--w C:\Program Files\Zero G Registry
2008-02-29 03:02 --------- d-----w C:\Program Files\T4_Internet_T4_ par_Internet_6.1
2008-02-27 07:54 --------- d-----w C:\Program Files\Opera
2008-02-27 07:14 --------- d-----w C:\Program Files\Steam
2008-02-27 06:28 --------- d-----w C:\Program Files\Windows Live
2008-02-26 09:30 --------- d-----w C:\Program Files\QU5D47~1
2008-02-26 09:10 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\Intuit Canada
2008-02-26 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-02-26 01:33 --------- d-----w C:\Program Files\T4_Internet_T4_ par_Internet_8.1
2008-02-24 08:56 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\XnView
2008-02-24 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2008-02-24 06:31 --------- d-----w C:\Documents and Settings\STEPHEN\Application Data\ATI MMC
2008-02-24 05:36 --------- d-----w C:\Program Files\Common Files\ATI
2008-02-24 05:36 --------- d-----w C:\Program Files\ATI Multimedia
2008-02-24 02:39 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-02-24 02:36 --------- d-----w C:\Program Files\Common Files\CyberLink
2008-02-24 02:26 --------- d-----w C:\Program Files\TitanTV
2008-02-24 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-02-24 01:50 --------- d-----w C:\Program Files\ATI Technologies
2008-02-23 18:30 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-23 18:30 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-13 12:27 27,262,976 ----a-w C:\VIRTPART.DAT
2008-02-01 17:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-20 18:05 219 ----a-w C:\Program Files\2RU44SFN.bat
2007-11-25 09:39 22,328 ------w C:\Documents and Settings\STEPHEN\Application Data\PnkBstrK.sys
2007-08-07 04:31 6,713 ------w C:\Documents and Settings\STEPHEN\Application Data\SAS7_000.DAT
2007-06-19 02:58 92,064 ------w C:\Documents and Settings\STEPHEN\mqdmmdm.sys
2007-06-19 02:58 9,232 ------w C:\Documents and Settings\STEPHEN\mqdmmdfl.sys
2007-06-19 02:58 79,328 ------w C:\Documents and Settings\STEPHEN\mqdmserd.sys
2007-06-19 02:58 66,656 ------w C:\Documents and Settings\STEPHEN\mqdmbus.sys
2007-06-19 02:58 6,208 ------w C:\Documents and Settings\STEPHEN\mqdmcmnt.sys
2007-06-19 02:58 5,936 ------w C:\Documents and Settings\STEPHEN\mqdmwhnt.sys
2007-06-19 02:58 4,048 ------w C:\Documents and Settings\STEPHEN\mqdmcr.sys
2007-06-19 02:58 25,600 ------w C:\Documents and Settings\STEPHEN\usbsermptxp.sys
2007-06-19 02:58 22,768 ------w C:\Documents and Settings\STEPHEN\usbsermpt.sys
2006-04-15 07:40 49,024 ----a-w C:\WINDOWS\inf\gsiata.sys
2004-06-19 06:49 36 ------w C:\Documents and Settings\STEPHEN\klextlock.dat
2004-02-15 11:36 7 ------w C:\Documents and Settings\STEPHEN\language.dat
2003-12-12 09:46 203 ------w C:\Documents and Settings\STEPHEN\ccd4.reg
2003-11-20 20:53 474,080 ------w C:\Documents and Settings\STEPHEN\Application Data\GDIPFONTCACHEV1.DAT
2003-05-29 14:59 64,512 ---h--w C:\Documents and Settings\STEPHEN\Application Data\dach100.dll
2001-01-05 22:51 265,728 ----a-w C:\Program Files\UNWISE.EXE
1998-08-24 18:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
2006-05-24 21:38 233,472 ----a-w C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 22:00 204,895 ----a-w C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 19:41 77,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 21:59 426,081 ----a-w C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 17:19 458,752 ----a-w C:\Program Files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 23:35 139,264 ----a-w C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 16:10 204,800 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 16:42 106,496 ----a-w C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 16:22 212,992 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 16:21 167,936 ----a-w C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2004-08-19 20:25 220 --sh--w C:\WINDOWS\dwin.sys
2001-08-23 12:00 989 --sha-r C:\WINDOWS\ntosboot.dat
2003-02-15 14:08 3,958 --sha-w C:\WINDOWS\rreg64.dll
2003-02-15 14:08 1,057 --sha-w C:\WINDOWS\utapi64.dll
2008-01-21 20:31 2 --shatr C:\WINDOWS\winstart.bat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{13FEA7F5-3455-4F16-B9F2-F38D736EB683}.dat
2003-02-28 19:48 32 --sha-w C:\WINDOWS\{3397F6B4-E5EF-4D1A-956E-33A924C3FCD8}.dat
2003-02-28 19:52 32 --sha-w C:\WINDOWS\{3EBD59AC-EC26-4900-9168-5E5B8A27609A}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\{6C508746-7EF1-439C-8A5C-6CE60858ED9C}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\{6F40350B-AD67-4A15-8351-FA3547E91933}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{93D76E51-EB68-4780-8BDD-5E6B6557B74E}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\{9AFE5258-F07C-4EF7-8CF3-83A89E03964A}.dat
2006-05-08 01:00 56 --sha-r C:\WINDOWS\system32\FF074B50CF.sys
2006-05-08 01:00 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-08-04 07:56 22,528 --sha-r C:\WINDOWS\system32\wsock32.dll
2003-02-28 19:51 32 --sha-w C:\WINDOWS\system32\{2BA47833-53C1-4DE9-B8D2-2CEA4C27925E}.dat
2003-02-28 19:52 32 --sha-w C:\WINDOWS\system32\{371696FE-D158-45C0-B4E7-3732A6A9507F}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{50861BDB-DC6B-4407-B42A-999E0E8F8F99}.dat
2003-02-28 19:51 32 --sha-w C:\WINDOWS\system32\{7CD86ABA-4C4A-41B1-B135-636648E44446}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{84478FED-A3BB-40C8-912B-3066701D7F3F}.dat
2003-02-28 19:48 32 --sha-w C:\WINDOWS\system32\{A4EEE221-EF03-4C60-B3DD-219A779664FA}.dat
2003-02-28 19:49 32 --sha-w C:\WINDOWS\system32\{A9CE5FE7-40C9-4B63-AE34-A2ACEB5F8061}.dat
.
((((((((((((((((((((((((((((( snapshot@2008-04-21_23.21.53.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-01-01 05:11:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 17:32:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 16:41:53 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-04 01:29:06 761,856 ----a-w C:\WINDOWS\gmer.exe
- 2007-04-16 15:52:53 158,070 ----a-w C:\WINDOWS\system32\delipwiz32.dll
+ 2007-04-16 15:52:53 162,900 ----a-w C:\WINDOWS\system32\delipwiz32.dll
+ 2008-04-23 16:41:53 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2002-01-01 05:14:22 233,131 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-04-23 17:35:00 233,131 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2002-01-01 05:18:18 111,794 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-23 17:06:39 111,794 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2002-01-01 05:18:18 554,488 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-23 17:06:39 554,488 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-23 17:33:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7a4.dat
+ 2008-04-23 17:33:10 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_998.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E15C29A-B33F-45A3-A540-A6E66832FC3B}]
2003-12-05 19:35 174080 --a------ C:\PROGRA~1\FOLDER~1\BETA1~1\SUBCLA~1.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D}]
2007-10-26 18:17 83248 --a------ C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Adobe]
@={8AB18ADC-402A-4B52-A63A-155F45C07F4E}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DynSite"="C:\Program Files\Noël Danjou\DynSite\DynSite.exe" [2006-07-05 04:44 1376256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Network Assistant"="C:\Program Files\Network Assistant\Nassi.exe" [2005-10-06 12:30 2450944]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-22 05:55 68856]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2006-10-31 22:24 57344]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 18:33 53096]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemotelyAnywhere GUI"="C:\Program Files\RemotelyAnywhere\RAGui.exe" [2006-05-02 18:40 377608]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 21:06 2595616]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 21:11 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 21:07 140568]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-10 05:43 2037088]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2006-10-09 17:27 807440]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:56 15360]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-02-04 02:37 160592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 03:48 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 00:59 44544]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-09-03 14:56:06 499779]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-04-22 05:55:08 124912]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"LoginPrompt"= DADEDADADCD4D8D9
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2006-10-09 17:27 99856 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPNotifier]
OPWinLogon.dll 2004-04-21 10:42 45056 C:\WINDOWS\system32\OPWinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2006-02-14 12:00 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RAinit]
RAinit.dll 2006-05-02 18:40 10496 C:\WINDOWS\system32\RAinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"VIDC.VDOM"= vdowave.drv
"VIDC.NSVI"= nsvideo.dll
"vidc.dvsd"= dvc.dll
"msacm.msnaudio"= msnaudio.acm
"vidc.XVID"= xvid.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.UV12"= SCDeluxe.ax
"SENTINEL"= snti386.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"vidc.CDVC"= cdvccodc.dll
"msacm.enc"= ITIG726.acm
"vidc.aflc"= flccodec32.dll
"vidc.afli"= flccodec32.dll
"vidc.aasc"= aasc32.dll
"VIDC.CFHD"= CFHD.dll
"msacm.mkdmp3enc"= C:\PROGRA~1\CYBERL~1\MakeDVD\Kernel\Burner\MKDMP3Enc.ACM
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"MSVideo1"= CSvidcap.dll
"VIDC.ACDV"= ACDV.dll
"VIDC.VCR2"= ATIVCR2.DLL
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.VCR1"= ATIVCR1.DLL
"VIDC.YV12"= ATIYUV12.DLL
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 21:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2007-02-13 15:00 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
--a------ 2005-04-04 19:58 856064 C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI DeviceDetect]
--a------ 2006-10-31 22:24 57344 C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Scheduler]
--a------ 2006-10-31 22:25 26624 C:\Program Files\ATI Multimedia\main\ATISched.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--------- 2006-11-09 11:19 204800 C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 02:00 45056 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-03-12 22:43 81920 C:\Program Files\D-Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Directory Opus Desktop Dblclk]
--a------ 2007-09-13 15:41 275984 C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2006-05-05 12:19 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-10-12 16:52 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\modemspy]
C:\Program Files\Modem Spy\modemspy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
--a------ 2007-10-31 21:18 204800 C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15]
--a------ 2005-07-06 00:58 69632 C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2006-05-05 12:18 36864 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pfp.exe]
C:\Program Files\Protect Files Pro\pfp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
--------- 2004-08-17 16:07 143360 C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-01-18 08:47 1687552 C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-01-18 21:17 163840 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SeePassword]
--a------ 2005-06-25 18:18 1347584 C:\Program Files\SeePassword\SeePassword.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMPAutoStart]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-02-23 21:16 1266936 C:\Program Files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
--a------ 2005-05-18 14:51 81920 C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2003-06-09 13:23 151552 C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
--------- 2005-04-11 15:34 69721 C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"perfmons"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mirc for DVDtorrents\\mirc.exe"=
"C:\\Program Files\\Mirc for sattech\\Sattech.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Capturix VideoSpy\\cvs.exe"=
"C:\\Program Files\\Capturix VideoSpy\\cvs2.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"C:\\Program Files\\webcamXP\\webcamXP.exe"=
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\g3torrent\\g3torrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\CyberLink\\MakeDVD\\MakeDVD.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Network Assistant\\Nassi.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"50000:TCP"= 50000:TCP:AZUREUS
R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R0 dontgo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\DRIVERS\DontGo.sys [2004-06-29 15:25]
R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 12:42]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-01-24 21:08]
R0 ulsata2;ulsata2;C:\WINDOWS\system32\DRIVERS\ulsata2.sys [2005-06-29 17:44]
R0 xmasbus;xmasbus;C:\WINDOWS\system32\DRIVERS\xmasbus.sys [2003-12-21 17:24]
R0 xmasscsi;xmasscsi;C:\WINDOWS\system32\Drivers\xmasscsi.sys [2003-12-23 02:15]
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 21:27]
R1 CINEMSUP;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 08:10]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 16:11]
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys [2002-06-10 14:20]
R1 Myscope;Myscope;C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\W2k\myscope.sys [2002-09-02 19:42]
R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2005-11-10 11:37]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 18:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 18:09]
R2 OOCleverCache;O&O CleverCache Pro;C:\Program Files\OO Software\CleverCache\OOCCSVC.exe [2002-04-11 14:55]
R2 pardrv;pardrv;C:\WINDOWS\system32\drivers\pardrv.sys [2006-01-10 14:59]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 11:52]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;C:\Program Files\RemotelyAnywhere\RaInfo.sys [2006-05-02 18:41]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-10-30 21:51]
R2 UtMsgSvc;UtMsgAgt;"C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe" [2004-09-22 18:06]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-10 01:24]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-09-29 00:58]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 11:53]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2006-09-16 18:25]
R3 EuMusDesignVirtualAudioCableWdm_jrm;MuvEnum Virtual Cable;C:\WINDOWS\system32\DRIVERS\vacjrmkd.sys [2007-04-07 13:17]
R3 hpusbfd;Hewlett-Packard USB Filter Class;C:\WINDOWS\system32\DRIVERS\hpusbfd.sys [2002-05-22 10:40]
R3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
R3 LVVI500A;LVVI500A Service;C:\WINDOWS\system32\DRIVERS\lvvi500a.sys [2002-06-10 14:24]
R3 ramirr;ramirr;C:\WINDOWS\system32\DRIVERS\ramirr.sys [2006-05-02 18:41]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2006-09-16 18:23]
R3 uscsc108;uscsc108;C:\WINDOWS\system32\DRIVERS\uscsc108.sys [2003-03-09 18:41]
R3 UTDpcService;ULEVTBDG;C:\Program Files\Promise\Promise Disk Controller Manager\ULEVTBDG.sys [2004-09-20 16:54]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S0 SI3112;SiI-3112 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3112.sys []
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2003-02-10 15:30]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 AWGateway;Symantec pcAnywhere Gateway Service;"C:\Program Files\Symantec\pcAnywhere Gateway\AWGateway.exe" [2006-05-01 13:40]
S3 bepldr;BCL easyPDF SDK 5 Loader;"C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe" [2007-08-22 17:19]
S3 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 16:19]
S3 FTD2XX;HiLo Systems -- USB Drivers;C:\WINDOWS\system32\Drivers\FTD2XX.sys [2004-10-15 16:49]
S3 IBService;IBService;C:\Program Files\Invisible Browsing\servers\IBService.exe [2007-01-09 15:38]
S3 LV506AV;Logitech QuickCam Cordless(PID_0430);C:\WINDOWS\system32\DRIVERS\LV506AV.SYS [2002-12-10 17:56]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\59.tmp []
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]
S3 OPStorage;WebCCTV Storage Service;C:\Program Files\Quadrox\WebCCTV\Bin\OPStorage.exe [2004-05-07 15:46]
S3 OV681;EZMega Cam;C:\WINDOWS\system32\Drivers\om681vid.sys []
S3 PCD61X2;PCD61X2;C:\DOCUME~1\STEPHEN\LOCALS~1\Temp\PCD61X2.sys []
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 11:52]
S3 Pg4uUSB;BK PRECISION driver;C:\WINDOWS\system32\DRIVERS\pg4uusb.sys [2006-10-18 10:04]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2004-02-14 12:09]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\System32\drivers\pivotmou.sys [2005-11-10 11:37]
S3 SCDELUXES;SiPix StyleCam Deluxe (still);C:\WINDOWS\system32\DRIVERS\se402sc.sys []
S3 SCDELUXEV;SiPix StyleCam Deluxe (video);C:\WINDOWS\system32\DRIVERS\se402vc.sys []
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 SMTPSVC;SMTPSVC;C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 02:56]
S3 TEC9120;TECV35Q Digital Camera;C:\WINDOWS\system32\Drivers\SQcaptur.sys [2002-05-06 13:58]
S3 Usrserft;Myscope Upper Filter Driver;C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\W2k\usrserft.sys [2002-09-02 19:41]
*Newly Created Service* - CATCHME
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E3A395C2-0AF7-DCBB-57DA-004281800B55}]
C:\Program Files\winscv\install.exe s
.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 14:00:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-31 08:01:39 C:\WINDOWS\Tasks\BACKUP OF C DRIVE - DOCUMENTS & SETTINGS.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-22 08:03:36 C:\WINDOWS\Tasks\BACKUP OF C DRIVE - SYSTEM STATE.job"
- C:\WINDOWS\system32\ntbackup.exe?backup
"2008-04-23 08:01:22 C:\WINDOWS\Tasks\BACKUP OF D DRIVE.job"
- C:\WINDOWS\system32\ntbackup.exeSbackup
"2008-04-22 09:40:14 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-24 12:00:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-19 01:44:07 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - STEPHEN.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-03-31 10:00:20 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-24 14:52:29 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-24 05:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 10:39:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\59.tmp"
.
Completion time: 2008-04-24 10:46:12
ComboFix-quarantined-files.txt 2008-04-24 15:45:04
ComboFix2.txt 2008-04-22 10:20:50
ComboFix3.txt 2008-04-22 04:22:45
Pre-Run: 39,600,275,456 bytes free
Post-Run: 39,540,166,656 bytes free
544 --- E O F --- 2008-04-23 00:42:31
Here is the GMER scan.
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-24 11:51:08
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwClose [0xF7599D08]
SSDT 88E94A78 ZwConnectPort
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF7599CC0]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF758DA20]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB12636C0]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF758E4FC]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF7599E00]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwOpenFile [0xF758DA60]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF7599C84]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF758E51C]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF7599D56]
SSDT d346bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF7599230]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1263910]
INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys B084F16D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys B084EFC2
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2108] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[4120] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8B8D7110
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Fastfat \FatCdrom 86E1A660
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \FileSystem\DefragFS \Device\RaxcoPerfectDisk 880C2348
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \FileSystem\Rdbss \Device\FsWrap 884E5AD8
Device \FileSystem\DVDVRRdr_xp \Device\DVDVRRdr 890C0E68
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \FileSystem\Srv \Device\LanmanServer 8755D380
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 884D6668
Device \FileSystem\MRxSmb \Device\LanmanRedirector 884D6668
Device \FileSystem\Npfs \Device\NamedPipe 88966D18
Device \FileSystem\cdudf_XP \Device\CdUdf_XP 88EAE6D8
Device \FileSystem\Msfs \Device\Mailslot 88532180
Device \Driver\ntcdrdrv \Device\Scsi\ntcdrdrv1 8993C3E0
Device \Driver\ntcdrdrv \Device\Scsi\ntcdrdrv1 884ABB90
Device \Driver\d346prt \Device\Scsi\d346prt1 897603C8
Device \Driver\d346prt \Device\Scsi\d346prt1 8AC1F2D0
Device \Driver\d346prt \Device\Scsi\d346prt1Port3Path0Target0Lun0 897603C8
Device \Driver\d346prt \Device\Scsi\d346prt1Port3Path0Target0Lun0 8AC1F2D0
Device \Driver\ntcdrdrv \Device\Scsi\ntcdrdrv1Port7Path0Target0Lun0 8993C3E0
Device \Driver\ntcdrdrv \Device\Scsi\ntcdrdrv1Port7Path0Target0Lun0 884ABB90
Device \FileSystem\Fastfat \Fat 86E1A660
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 893F6118
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 893F6118
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 893F6118
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 893F6118
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 893F6118
Device \FileSystem\Cdfs \Cdfs 8851EE68
---- Modules - GMER 1.0.14 ----
Module _________ F7450000-F7468000 (98304 bytes)
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf41@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf42@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers@H:$\22\1\b MSTakeNoAction???????
---- EOF - GMER 1.0.14 ----
Here is the new hjt log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:17 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Slave.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\RemotelyAnywhere\RAGui.exe
C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Noël Danjou\DynSite\DynSite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\System32\LVComsX.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\A1 - DOWNLOADS\HijackThis\GMER\gmer\gmer.exe
C:\PROGRA~1\FOLDER~1\BETA1~1\bxExpHelper.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SubClass Explorer - {5E15C29A-B33F-45A3-A540-A6E66832FC3B} - C:\PROGRA~1\FOLDER~1\BETA1~1\SUBCLA~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: VideoRaptorIePlugin Class - {90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D} - C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {D3919E1A-D6A5-11D6-AC3E-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: &Liquid Surf - {B9F633F6-EA44-45F4-91EB-FABFC65A0634} - C:\Program Files\LiquidSurf\sybil.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~2\TAForIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Get Anonymous - {8892C699-6978-4DD9-8EB2-951C93DB4F62} - C:\Program Files\GetAnonymous 2.1 Professional\IEToolBar.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\RAGui.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DynSite] "C:\Program Files\Noël Danjou\DynSite\DynSite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Network Assistant] "C:\Program Files\Network Assistant\Nassi.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add this link to WebWhacker... - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwieextlink.html
O8 - Extra context menu item: Add this page to WebWhacker... - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwieext.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with ImTOO YouTube to iPod Converter - C:\Program Files\ImTOO\Youtube to iPod Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Print Using ClickBook - {180E1E16-F536-4B51-9723-6025D98AA375} - C:\Program Files\Blue Squirrel\ClickBook\macros\ieprint.htm
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WebWhacker - {E5336D32-0CBE-4E1F-A2C7-38DCAA8B07EF} - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwietb.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: LinkStash - {4874F370-402D-4d09-A73E-FAB439934E56} - C:\Program Files\LinkStash\lsshow.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkStash - {4874F370-402D-4d09-A73E-FAB439934E56} - C:\Program Files\LinkStash\lsshow.exe (HKCU)
O9 - Extra button: Add URLs - {957DCFA2-39F7-4443-9677-1B14E83A2F87} - C:\Program Files\LinkStash\lsgrab.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkStash Add URLs - {957DCFA2-39F7-4443-9677-1B14E83A2F87} - C:\Program Files\LinkStash\lsgrab.exe (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {5FB1CBF5-750C-45F0-BE0A-5EF88B23B469} (CUEUpdate Control) - http://www.myottomate.com/cabfiles/ottoupdate.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O16 - DPF: {F9546CC6-0791-43EC-90B4-2759F17837AA} (OttoUpdate Control) - http://www.myottomate.com/myOtto/cabs/myottoupdate.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://slc-main:2000/activex/RACtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: OPNotifier - C:\WINDOWS\SYSTEM32\OPWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec pcAnywhere Gateway Service (AWGateway) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere Gateway\AWGateway.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: O&O CleverCache Pro (OOCleverCache) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
O23 - Service: WebCCTV Storage Service (OPStorage) - Quadrox NV - C:\Program Files\Quadrox\WebCCTV\Bin\OPStorage.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: RemotelyAnywhere - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxLiveShare - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: RA Server (Slave) - TWD Industries SAS - C:\WINDOWS\Slave.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - http://www.adobe.com/images/nav/us_mainMainNav.gif
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
--
End of file - 29854 bytes
Thank you.
Stephen
Hi
Did you upload C:\Program Files\winscv\install.exe file? What were the results?
Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
Drivers to delete:
MEMSWEEP2
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log, along with a new HijackThis log in your next reply. Let me also know how's the system running currently.
Hi:
Yes I did do the scan but when trying to cut the size of the post down I did not paste it correctly. Sorry about that.
Here is the scan result of C:\Program Files\winscv\install.exe from http://virusscan.jotti.org:
I will complete the The Avenger scan now and post it as soon as it completes.
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File to upload & scan:
Service
Service load: 0% 100%
File: install.exe
Status: INFECTED/MALWARE
MD5: 67bd238d16c8dfa44b936154d78e8374
Packers detected: PE_PATCH
Bit9 reports: File not found
Scanner results
Scan taken on 23 Apr 2008 15:55:42 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found Heur.Win32.I
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.PSW.W32.LdPinch.cvf
Dr.Web Found Trojan.Inject.3023
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Buzus.dam
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Buzus.egb
Powered by
Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.
Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.
Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.
Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.
Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.
Sponsored by HotelScraper.com.
--------------------------------------------------------------------------------
Statistics
Last file scanned at least one scanner reported something about: Trj.VB_(140).exe (MD5: e198890bcba353f462fc84ea0e10d31d, size: 40960 bytes), detected by:
Scanner Malware name
A-Squared Trojan-Downloader.Win32.VB.dab
AntiVir TR/Dldr.VB.dab
ArcaVir X
Avast Win32:VB-EVX
AVG Antivirus Downloader.Generic7.CZ
BitDefender Trojan.Downloader.VB.VLG
ClamAV X
CPsecure Troj.Downloader.W32.VB.dab
Dr.Web Trojan.DownLoader.49987
F-Prot Antivirus X
F-Secure Anti-Virus Trojan-Downloader.Win32.VB.dab
Fortinet W32/Bluedi.DAB!tr
Ikarus Trojan-Downloader.Win32.VB.ahq
Kaspersky Anti-Virus Trojan-Downloader.Win32.VB.dab
NOD32 a variant of Win32/TrojanDownloader.VB.AHQ
Norman Virus Control W32/DLoader.GKND
Panda Antivirus X
Sophos Antivirus Troj/Bluedi-Gen
VirusBuster Trojan.DL.VB.Gen
VBA32 Trojan-Downloader.Win32.VB.dab
You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.
Frequently asked questions - Feedback - Privacy policy
Page generated by JTPL
© 2004-2008 Jordi Bosveld <jotti@jotti.org>
Hi:
The avenger will not complete after copying and pasting the script, and pressing execute. The ticks have been properly checked/unchecked.
I get the following pop-up message:
Error: Invalid script. A valid script must begin with a command directive. Aborting execution.
Stephen
Hi
Delete C:\Program Files\winscv folder.
Type following manually (two lines) into Avenger window and then try running it again:
Drivers to delete:
MEMSWEEP2
Hi:
Here is the Avender log.
During the Avenger restart it rebooted several times and it also required me to re-activate my copy of Windows, which I did successfully.
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 24 12:53:11 2008
12:53:11: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 24 12:53:58 2008
12:53:58: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 24 12:54:18 2008
12:54:18: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 24 13:12:32 2008
13:12:32: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "MEMSWEEP2" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Ok. Looks good. Could I see hjt log taken after that Avenger run now? :)
Hi:
Below is the latest hjt log.
By the way, the reason The Avenger did not run the first time is because the copy and paste procedure pasted the script on one line instead of two separate lines.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:41 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\Slave.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\RemotelyAnywhere\RAGui.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Noël Danjou\DynSite\DynSite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Assistant\Nassi.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FOLDER~1\BETA1~1\bxExpHelper.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Anonymizer Proxy - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\NetConeal\Anonymity Shield\ProxyNew.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SubClass Explorer - {5E15C29A-B33F-45A3-A540-A6E66832FC3B} - C:\PROGRA~1\FOLDER~1\BETA1~1\SUBCLA~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: VideoRaptorIePlugin Class - {90C8E8F8-A7C9-41E4-92E4-C679AE6FB78D} - C:\Program Files\RapidSolution\Videoraptor\VideoRaptorIePlugin.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BBE59AF5-EE22-4A3A-AB26-3F774D1B4216} - C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {D3919E1A-D6A5-11D6-AC3E-00B0D094B576} - C:\Program Files\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: &Liquid Surf - {B9F633F6-EA44-45F4-91EB-FABFC65A0634} - C:\Program Files\LiquidSurf\sybil.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~2\TAForIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Get Anonymous - {8892C699-6978-4DD9-8EB2-951C93DB4F62} - C:\Program Files\GetAnonymous 2.1 Professional\IEToolBar.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\RAGui.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DynSite] "C:\Program Files\Noël Danjou\DynSite\DynSite.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Network Assistant] "C:\Program Files\Network Assistant\Nassi.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add this link to WebWhacker... - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwieextlink.html
O8 - Extra context menu item: Add this page to WebWhacker... - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwieext.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with ImTOO YouTube to iPod Converter - C:\Program Files\ImTOO\Youtube to iPod Converter\upod_link.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Print Using ClickBook - {180E1E16-F536-4B51-9723-6025D98AA375} - C:\Program Files\Blue Squirrel\ClickBook\macros\ieprint.htm
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: WebWhacker - {E5336D32-0CBE-4E1F-A2C7-38DCAA8B07EF} - C:\Program Files\Blue Squirrel\WebWhacker 5.0\Art\wwietb.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: LinkStash - {4874F370-402D-4d09-A73E-FAB439934E56} - C:\Program Files\LinkStash\lsshow.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkStash - {4874F370-402D-4d09-A73E-FAB439934E56} - C:\Program Files\LinkStash\lsshow.exe (HKCU)
O9 - Extra button: Add URLs - {957DCFA2-39F7-4443-9677-1B14E83A2F87} - C:\Program Files\LinkStash\lsgrab.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkStash Add URLs - {957DCFA2-39F7-4443-9677-1B14E83A2F87} - C:\Program Files\LinkStash\lsgrab.exe (HKCU)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {5FB1CBF5-750C-45F0-BE0A-5EF88B23B469} (CUEUpdate Control) - http://www.myottomate.com/cabfiles/ottoupdate.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O16 - DPF: {F9546CC6-0791-43EC-90B4-2759F17837AA} (OttoUpdate Control) - http://www.myottomate.com/myOtto/cabs/myottoupdate.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://slc-main:2000/activex/RACtrl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: OPNotifier - C:\WINDOWS\SYSTEM32\OPWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec pcAnywhere Gateway Service (AWGateway) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere Gateway\AWGateway.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: gusvc - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: O&O CleverCache Pro (OOCleverCache) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\OOCCSVC.exe
O23 - Service: WebCCTV Storage Service (OPStorage) - Quadrox NV - C:\Program Files\Quadrox\WebCCTV\Bin\OPStorage.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: RemotelyAnywhere - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxLiveShare - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: RA Server (Slave) - TWD Industries SAS - C:\WINDOWS\Slave.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: UtMsgAgt (UtMsgSvc) - Promise Technology Inc. - C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - http://www.adobe.com/images/nav/us_mainMainNav.gif
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
--
End of file - 29993 bytes
Thank you.
Stephen
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.
Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the
Begin cleanup Process?
prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the
bad
webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here (http://www.freebyte.com/antivirus/#scanners) to choose one
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Hi:
I would like to thank you very, very much for your expert help. Fantastic!
I still cannot turn of the language bar. Any ideas? Perhaps it is some left over damage?
Now that my PC is clean, I will follow your recommendation.
Can you advise what will prevent me from being re-infected with the Virtumonde virus again. My Norton Antivirus did not catch it and this concerns me because it is always active. I wonder why Norton did not quarantine the virus - especially since Virtumonde is so prevalent and has been around for so long. I would assume that someone would have reported it to Symantec a long time ago and they would at least have updated defenitions and a fix for it if infected.
I have read the sticky at http://forums.spybot.info/showthread.php?t=279 and intend to follow all the advice - but will that still stop Virtumonde?
When opening bit torrent downloads, which online scanner site(s) do you recommend to check the file before opening it?
When testing software what do you recommend so that it can be uninstalled completely without fouling up the operating system. I was just about to look into several programs such as:
"Deep FreeZe" http://www.faronics.com/html/deepfreeze.asp
"Try and decide" by Acronis http://www.acronis.com/homecomputing/products/trueimage/
"SteadyState" by Microsoft http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
"ShadowUser Pro" http://www.storagecraft.com/products/ShadowUser/
Thank you.
Stephen
Hi:
As I was uninstalling combofix Norton popped up the following virus warning:
"Norton Antivirus has detected and removed a virus from your computer."
Object name: C:\Qoobox\QUARAN~1\C\WINDOWS\system32\GPCK~1.VIR
Virus name: Trojan.Metajuan
Action taken: The file was automatically deleted.
Strangely there is no directory on my C: drive called Qoobox
Stephen
Hi:
As soon as I clicked OK to close the Norton Antivirus warning another Norton window popped up the following virus warning:
"Norton Antivirus has detected and removed a virus from your computer."
Object name: C:\Qoobox\QUARAN~1\C\WINDOWS\system32\KKIWQI~1.VIR
Virus name: Trojan.Vundo
Action taken: The file was automatically deleted.
Stephen
I still cannot turn of the language bar. Any ideas? Perhaps it is some left over damage?
I assume you've tried this (http://blogs.msdn.com/pstubbs/archive/2005/02/22/378195.aspx)? In case it doesn't help I'd recommend asking at http://forums.pcpitstop.com.
Can you advise what will prevent me from being re-infected with the Virtumonde virus again. My Norton Antivirus did not catch it and this concerns me because it is always active. I wonder why Norton did not quarantine the virus - especially since Virtumonde is so prevalent and has been around for so long. I would assume that someone would have reported it to Symantec a long time ago and they would at least have updated defenitions and a fix for it if infected.
Unfortunately there's no antivirus product that would detect all possible threats. Different Vundo variants exist and new are coming all the time.
I have read the sticky at http://forums.spybot.info/showthread.php?t=279 and intend to follow all the advice - but will that still stop Virtumonde?
It's user's carefulness that counts the most. Of course that doesn't mean that you couldn't still get infected but it lowers the odds.
When opening bit torrent downloads, which online scanner site(s) do you recommend to check the file before opening it?
First of all, you shouldn't download suspicious looking and illegal torrents at all. You should always have local antivirus protection installed too (as you now have Norton). Not relying only on online ones. You can always check a suspicious file in places like Virustotal (http://www.virustotal.com) or Jotti (http://virusscan.jotti.org).
When testing software what do you recommend so that it can be uninstalled completely without fouling up the operating system.
Unfortunately I don't have much selfexperience of those. If I need to test something I usually set it up on my virtual machine.
Those Norton notifications are ok since that Qoobox folder was ComboFix quarantine folder containing all bad items. That should get removed when ComboFix is uninstalled. :)
Hi:
I still cannot get rid of the language bar even after following all the instructions. I wonder if it is still virus related.
Norton has quarantined another virus.
You said:
"Unfortunately I don't have much selfexperience of those. If I need to test something I usually set it up on my virtual machine."
Please explain how you do this on a virtual machine.
Stephen
Hi
What virus did Norton quarantine and where?
Please explain how you do this on a virtual machine.
Virtual machine makes it possible to have another, virtual operating system installed in your physical computer. For example your main operating system is Windows XP but using virtual machine system you can run virtual instances of other operating systems as well in same computer. To understand this better check here (http://en.wikipedia.org/wiki/Virtual_machine) for detailed description of virtual machines. :)
Hi:
THe viris was called hacktool, found in C:\Program Files\Snadboy's Revelation v2\RevelationHelper.dll and has since been quarantined.
There are nummerous Virtual machines, which one(s) have you had the most success with? I would like one that allows you to reboot and undo the changes if they are not wanted. I experimented with Deep Freeze, and it does not allow this - only one reboot to accept the changes or not.
Still no success with the language bar.
Stephen
I've so far tried only VMWare which does it's job well. There's a good tutorial written by wng_z3r0 here (http://spyware-free.us/tutorials/vmware/).
For that language bar problem I suggest already meantioned PC Pitstop forum (http://forums.pcpitstop.com) since we don't have technical issue handling here and to me it looks more like that kind of issue than malware related. :)
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.