View Full Version : Virtumonde
GiantSpider
2008-05-06, 21:35
I will apologise immediately, I feel rather stupid for getting this, seems fairly widespread though.
Thanks in advance for any help recieved.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:41, on 06/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\wltray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Users\Administrator\Downloads\HiJackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {2D364D64-A765-45C8-9341-298C7325C766} - C:\Windows\system32\nnNGYqPg.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\Windows\system32\dhlbilfa.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C8A64FD-AB81-47AD-B7D5-A14A44AD5870} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {EB807519-5E10-43E1-B587-2B14AE50EB89} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\tuvVlJBq.dll,#1
O4 - HKLM\..\Run: [9c54449d] rundll32.exe "C:\Windows\system32\yqctjwxp.dll",b
O4 - HKLM\..\Run: [BM9f677701] Rundll32.exe "C:\Windows\system32\ybujsoxr.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9853 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 7:04:21 AM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/05/2008
Kaspersky Anti-Virus database records: 741235
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics:
Total number of scanned objects: 268623
Number of viruses found: 4
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 04:35:42
Infected Object Name / Virus Name / Last Action
C:\5e21410ace9b0a38ba5c1465cb5ad6\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\8144b5b45a417cb5e246\msxml4-KB927978-enu.log Object is locked skipped
C:\a400c4887a28afe603d7c024fb\update\update.exe Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080505-212024.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\ProgramData\McAfee\Easynet\MHNData Object is locked skipped
C:\ProgramData\McAfee\MNA\NAData Object is locked skipped
C:\ProgramData\McAfee\MPF\data\log.edb Object is locked skipped
C:\ProgramData\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\ProgramData\McAfee\MSC\Logs\{CBE50441-BA28-437E-B471-2CD9B1B510F4}.log Object is locked skipped
C:\ProgramData\McAfee\MSC\McUsers.dat Object is locked skipped
C:\ProgramData\McAfee\VirusScan\Data\TFRF7C9.tmp Object is locked skipped
C:\ProgramData\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\1238f2c2b2af9ace47515dd77cd38356_d1091046-6c3b-4573-b845-09655b1c4bcd Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\cda2dcbe785516cb783f72d6612c70f2_d1091046-6c3b-4573-b845-09655b1c4bcd Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_d1091046-6c3b-4573-b845-09655b1c4bcd Object is locked skipped
C:\ProgramData\Microsoft\eHome\EPG\tracehelper\DefaultDomain-YOUR-C68A66632D$.xml Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.368.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.368.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy1827.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf17E8.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1847.tmp Object is locked skipped
C:\Users\Administrator\AppData\Local\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QRUD91R\css4[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QRUD91R\css4[2] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1QRUD91R\glas[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CI7O87W\kriv[2] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I5POMDJU\rld[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MHE867ND\css4[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MHE867ND\css4[2] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U08HFKMR\css4[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U08HFKMR\css4[2] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U08HFKMR\idkfa[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{7d342c52-ef43-11db-8867-0016e3994e97}.TM.blf Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{7d342c52-ef43-11db-8867-0016e3994e97}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{7d342c52-ef43-11db-8867-0016e3994e97}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\w003l6b3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\w003l6b3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\w003l6b3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\w003l6b3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Administrator\AppData\Local\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Users\Administrator\AppData\Local\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Users\Administrator\AppData\Local\Temp\mirc631.exe NSIS: infected - 2 skipped
C:\Users\Administrator\AppData\Local\Temp\tmp0001d627 Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Temp\tmp000298bb Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Temp\tmp00033ebf Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Temp\tmp0024f5f9 Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Local\Temp\tmp0027eb0e Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w003l6b3.default\cert8.db Object is locked skipped
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w003l6b3.default\history.dat Object is locked skipped
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w003l6b3.default\key3.db Object is locked skipped
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w003l6b3.default\parent.lock Object is locked skipped
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w003l6b3.default\search.sqlite Object is locked skipped
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w003l6b3.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Administrator\Documents\Azureus Downloads\Fruity Loops Studio 8.0 RC3 XXL Producer Edition + Activation Key\flstudio_8.0_install.exe/data0000.cab/is201888.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qrr skipped
C:\Users\Administrator\Documents\Azureus Downloads\Fruity Loops Studio 8.0 RC3 XXL Producer Edition + Activation Key\flstudio_8.0_install.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qrr skipped
C:\Users\Administrator\Documents\Azureus Downloads\Fruity Loops Studio 8.0 RC3 XXL Producer Edition + Activation Key\flstudio_8.0_install.exe Rsrc-Package: infected - 2 skipped
C:\Users\Administrator\Downloads\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Users\Administrator\Downloads\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Users\Administrator\Downloads\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Users\Administrator\Downloads\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Users\Administrator\Downloads\mirc631.exe NSIS: infected - 4 skipped
C:\Users\Administrator\ntuser.dat Object is locked skipped
C:\Users\Administrator\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Administrator\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\SchedLgU.Txt Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\adwibrpt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\Windows\System32\bgbbijou.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\System32\bjvmpgah.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\cbXrPiIC.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{ce8ac7f0-1ac6-11dd-a201-0016e3994e97}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{ce8ac7f0-1ac6-11dd-a201-0016e3994e97}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{ce8ac7f0-1ac6-11dd-a201-0016e3994e97}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{ce8ac7f0-1ac6-11dd-a201-0016e3994e97}.TxR.blf Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\ljJYRICT.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\SQM\SQMLogger_2008-5-5-20-31-43_0.etl Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\nnNGYqPg.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.003 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\ACEEventLog.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Temp\mcafee_KAdmLrNZwIsk7Z4 Object is locked skipped
C:\Windows\Temp\mcmsc_eabolBb5UdHtY3Y Object is locked skipped
C:\Windows\Temp\mcmsc_NOVZtFqylwHTQRb Object is locked skipped
C:\Windows\Temp\mcmsc_Oe5wbxWEimuuS0m Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
Scan process completed.
Rorschach112
2008-05-06, 22:41
Hello
You got infected by downloading cracks
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\Users\Administrator\Documents\Azureus Downloads\Fruity Loops Studio 8.0 RC3 XXL Producer Edition + Activation Key
C:\Windows\System32\adwibrpt.dll
C:\Windows\System32\bgbbijou.dll
C:\Windows\System32\bjvmpgah.dll
C:\Windows\System32\cbXrPiIC.dll
C:\Windows\System32\ljJYRICT.dll
C:\Windows\System32\nnNGYqPg.dll
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
GiantSpider
2008-05-06, 23:09
Thanks for the quick reply, I vow to kill whoever downloaded that crap onto my computer. Nobody even listens to dance music here anyway......
Explorer killed successfully
C:\Users\Administrator\Documents\Azureus Downloads\Fruity Loops Studio 8.0 RC3 XXL Producer Edition + Activation Key moved successfully.
File/Folder C:\Windows\System32\adwibrpt.dll not found.
File/Folder C:\Windows\System32\bgbbijou.dll not found.
File/Folder C:\Windows\System32\bjvmpgah.dll not found.
File/Folder C:\Windows\System32\cbXrPiIC.dll not found.
File/Folder C:\Windows\System32\ljJYRICT.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\nnNGYqPg.dll
C:\Windows\System32\nnNGYqPg.dll NOT unregistered.
File move failed. C:\Windows\System32\nnNGYqPg.dll scheduled to be moved on reboot.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_205737
Files moved on Reboot...
DllUnregisterServer procedure not found in C:\Windows\System32\nnNGYqPg.dll
C:\Windows\System32\nnNGYqPg.dll NOT unregistered.
File move failed. C:\Windows\System32\nnNGYqPg.dll scheduled to be moved on reboot.
PS: Your sig quote is my favourite ever.
Rorschach112
2008-05-06, 23:58
Hello
Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.
Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
GiantSpider
2008-05-07, 19:23
ComboFix 08-05-01.3 - Administrator 2008-05-07 16:39:21.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1273 [GMT 1:00]
Running from: C:\Users\Administrator\Downloads\ComboFix.exe
* Resident AV is active
.
/wow section not completed
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-07 16:38 . 2008-05-07 16:38 <DIR> d-------- C:\327882R2FWJFW
2008-05-07 16:34 . 2008-05-03 14:26 43,520 --a------ C:\Windows\System32\khFYrSIA.dll
2008-05-06 22:15 . 2008-05-06 22:15 281,600 --a------ C:\Windows\System32\ssqRHXPJ.dll
2008-05-06 22:15 . 2008-05-06 22:15 284 --ahs---- C:\Windows\System32\JPXHRqss.ini
2008-05-06 21:10 . 2008-05-06 21:10 281,600 --a------ C:\Windows\System32\lJaaWmKb.dll
2008-05-06 21:10 . 2008-05-06 21:10 148 --ahs---- C:\Windows\System32\bKmWaaJl.ini
2008-05-06 21:06 . 2008-05-06 22:15 143 --a------ C:\Windows\System32\mcrh.tmp
2008-05-06 20:58 . 2008-05-07 16:39 707,119 ---hs---- C:\Windows\System32\moyqmhkl.ini
2008-05-06 20:58 . 2008-05-06 20:58 96,832 --a------ C:\Windows\System32\lkhmqyom.dll
2008-05-06 20:58 . 2008-05-06 20:58 2,112 --a------ C:\Windows\System32\ygvqejdc.exe
2008-05-06 20:57 . 2008-05-06 20:57 <DIR> d-------- C:\_OTMoveIt
2008-05-06 19:52 . 2008-05-06 19:52 108,608 --a------ C:\Windows\System32\jwtxqtfu.dll
2008-05-06 19:46 . 2008-05-06 19:46 53,312 --a------ C:\Windows\System32\bjimtyit.dll
2008-05-06 19:44 . 2008-05-06 19:44 104,512 --a------ C:\Windows\System32\afyvxxeq.dll
2008-05-06 19:25 . 2008-05-06 20:58 706,663 ---hs---- C:\Windows\System32\pxwjtcqy.ini
2008-05-06 19:19 . 2008-05-06 19:19 53,312 --a------ C:\Windows\System32\dhlbilfa.dll
2008-05-06 19:17 . 2008-05-06 19:17 104,512 --a------ C:\Windows\System32\ybujsoxr.dll
2008-05-06 19:04 . 2008-05-06 19:04 323 --a------ C:\Windows\wininit.ini
2008-05-06 17:39 . 2008-05-06 19:12 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-06 17:39 . 2008-05-06 17:39 1,409 --a------ C:\Windows\QTFont.for
2008-05-06 17:25 . 2008-05-06 17:25 706,592 ---hs---- C:\Windows\System32\thbvlbnr.ini
2008-05-05 21:42 . 2008-05-05 21:42 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-05 19:22 . 2008-05-05 19:22 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-05-05 19:22 . 2008-05-05 19:22 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-05-03 14:34 . 2008-05-06 21:25 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-03 14:34 . 2006-06-20 09:56 225,280 --a------ C:\Windows\System32\rewire.dll
2008-05-03 14:33 . 2002-07-07 23:14 1,294,336 --a------ C:\Windows\System32\vorbis.acm
2008-05-03 14:32 . 2008-05-03 14:32 <DIR> d-------- C:\Program Files\Outsim
2008-05-03 14:32 . 2008-05-07 16:38 271,754 --ahs---- C:\Windows\System32\gPqYGNnn.ini2
2008-05-03 14:32 . 2008-05-07 16:39 271,738 --ahs---- C:\Windows\System32\gPqYGNnn.ini
2008-05-03 14:31 . 2008-05-03 14:31 281,600 --------- C:\Windows\System32\nnNGYqPg.dll
2008-05-03 14:28 . 2008-05-06 21:27 <DIR> d-------- C:\Program Files\Image-Line
2008-05-02 20:40 . 2008-05-02 20:40 100,605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-04-25 22:16 . 2008-04-25 22:16 0 --ah----- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-04-25 22:14 . 2008-04-25 22:14 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-25 22:02 . 2007-09-17 15:53 21,632 --a------ C:\Windows\System32\drivers\pccsmcfd.sys
2008-04-25 22:00 . 2008-04-25 22:00 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01 . 2008-04-18 00:01 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-09 11:29 . 2008-02-29 08:11 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-09 11:29 . 2008-02-29 08:11 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-09 11:29 . 2008-02-22 06:05 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-09 11:29 . 2008-02-29 07:53 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-09 11:29 . 2008-02-29 05:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 11:29 . 2008-02-29 07:53 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-09 11:29 . 2008-02-29 07:53 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 11:29 . 2008-02-29 08:14 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 11:29 . 2008-02-29 05:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 11:29 . 2008-02-29 07:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 11:28 . 2008-02-29 05:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-09 11:28 . 2008-02-22 03:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-09 11:28 . 2008-02-22 06:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-09 11:26 . 2008-02-22 05:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-07 14:20 . 2008-04-07 14:20 <DIR> d-------- C:\Program Files\Guitar Pro 5
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 20:18 --------- d-----w C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 20:18 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-05 12:29 --------- d-----w C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 12:29 --------- d-----w C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 19:40 --------- d-----w C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 18:44 --------- d-----w C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:03 --------- d-----w C:\ProgramData\Installations
2008-05-01 22:26 --------- d-----w C:\Program Files\Nokia
2008-05-01 22:25 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 22:25 --------- d-----w C:\Program Files\LimeWire
2008-04-25 21:05 --------- d-----w C:\ProgramData\Downloaded Installations
2008-04-25 21:05 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 21:02 --------- d-----w C:\Program Files\DIFX
2008-04-17 23:18 --------- d-----w C:\Program Files\Azureus
2008-04-12 16:01 --------- d-----w C:\Program Files\SopCast
2008-04-10 17:47 --------- d-----w C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 00:30 --------- d-----w C:\Program Files\Windows Mail
2008-04-10 00:06 --------- d-----w C:\Program Files\TVAnts
2008-04-09 10:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-08 19:31 --------- d-----w C:\Program Files\Common Files\Steam
2008-04-07 13:45 --------- d-----w C:\ProgramData\Messenger Plus!
2008-04-03 19:46 --------- d-----w C:\Program Files\iTunes
2008-04-03 19:45 --------- d-----w C:\Program Files\iPod
2008-04-03 19:44 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-02 18:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-26 12:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 18:32 --------- d-----w C:\Program Files\StuffPlug3
2008-03-24 22:33 --------- d-----w C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 20:39 --------- d-----w C:\Program Files\mIRC
2008-03-24 19:57 --------- d-----w C:\Program Files\McAfee
2008-03-24 19:42 --------- d-----w C:\ProgramData\McAfee
2008-03-22 19:52 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-22 16:19 --------- d-----w C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 16:19 --------- d-----w C:\ProgramData\TVU networks
2008-03-22 16:19 --------- d-----w C:\Program Files\TVUPlayer
2008-03-21 17:37 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 17:35 --------- d-----w C:\ProgramData\WLInstaller
2008-03-21 14:24 174 --sha-w C:\Program Files\desktop.ini
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Journal
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Defender
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Calendar
2008-03-21 13:20 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-21 13:20 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-19 21:54 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-16 18:24 --------- d-----w C:\Program Files\Java
2008-03-16 18:15 --------- d-----w C:\ProgramData\Xfire
2008-03-15 18:21 --------- d-----w C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 15:32 --------- d-s---w C:\Program Files\Xfire
2008-03-12 23:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 23:16 --------- d-----w C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-12 23:16 --------- d-----w C:\Program Files\Virtuosa
2008-03-12 17:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-11 20:08 1,694,501 ----a-w C:\MsgPlusDebug (GS).zip
2008-03-10 17:57 --------- d-----w C:\Program Files\FLAC
2008-02-21 01:57 54,608 ----a-w C:\Windows\System32\xfcodec.dll
2008-02-18 23:43 87,608 ----a-w C:\Users\Administrator\AppData\Roaming\inst.exe
2008-02-18 23:43 47,360 ----a-w C:\Users\Administrator\AppData\Roaming\pcouffin.sys
2008-02-18 21:03 81,920 ----a-w C:\Users\Administrator\AppData\Roaming\ezpinst.exe
2007-01-27 17:29 19,784 ----a-w C:\Users\Chelsey\AppData\Roaming\GDIPFONTCACHEV1.DAT
2006-12-30 16:11 87,608 ----a-w C:\Users\Chelsey\AppData\Roaming\ezpinst.exe
2006-12-30 16:11 47,360 ----a-w C:\Users\Chelsey\AppData\Roaming\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{679F54FD-18AE-4CA7-A63F-009503A8ECC6}]
2008-05-03 14:31 281600 --------- C:\Windows\system32\nnNGYqPg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A64FD-AB81-47AD-B7D5-A14A44AD5870}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB807519-5E10-43E1-B587-2B14AE50EB89}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebc8d604-43b1-4481-b662-9d3520bd84f1}]
2008-05-06 19:52 108608 --a------ C:\Windows\system32\jwtxqtfu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15 171448]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53 4608]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38 1008184]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12 90112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09 696422]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 4706304 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42 1164576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37 413696]
"MSServer"="C:\Windows\system32\khFYrSIA.dll" [2008-05-03 14:26 43520]
"9c54449d"="C:\Windows\system32\lkhmqyom.dll" [2008-05-06 20:58 96832]
"BM9f677701"="C:\Windows\system32\afyvxxeq.dll" [2008-05-06 19:44 104512]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM 557568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"= C:\Windows\system32\khFYrSIA.dll [2008-05-03 14:26 43520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.X264"= x264vfw.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\Windows\system32\nnNGYqPg
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3545415102-2881654489-136399401-500]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"C:\\Program Files\\MSN Messenger\\livecall.exe"= C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
"C:\\Program Files\\MSN Messenger\\msncall.exe"= C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"%windir%\\Network Diagnostic\\xpnetdiag.exe-UDP-Domain"= TCP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"%windir%\\Network Diagnostic\\xpnetdiag.exe-TCP-Domain"= UDP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Yahoo!\Messenger\ypager.exe:Yahoo! Messenger
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Yahoo!\Messenger\ypager.exe:Yahoo! Messenger
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:SmartFTP Client 2.0
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:SmartFTP Client 2.0
"C:\\Program Files\\Skype\\Phone\\Skype.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Skype\Phone\Skype.exe:Skype
"C:\\Program Files\\Skype\\Phone\\Skype.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Skype\Phone\Skype.exe:Skype
"C:\\Program Files\\Messenger\\msmsgs.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Messenger\msmsgs.exe:Windows Messenger
"C:\\Program Files\\Messenger\\msmsgs.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Messenger\msmsgs.exe:Windows Messenger
"C:\\Program Files\\LimeWire\\LimeWire.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"C:\\Program Files\\LimeWire\\LimeWire.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"C:\\Program Files\\iTunes\\iTunes.exe-UDP-Standard"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"C:\\Program Files\\iTunes\\iTunes.exe-TCP-Standard"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"%windir%\\Network Diagnostic\\xpnetdiag.exe-UDP-Standard"= TCP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"%windir%\\Network Diagnostic\\xpnetdiag.exe-TCP-Standard"= UDP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"{3E9864C1-8C12-43D0-AF3B-E1B609CE7C0B}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{6377CEF0-CF72-43EA-8235-496A0FDB6C7C}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{CE0676EA-0EDB-45BC-9242-2DE00840759A}"= UDP:C:\Windows\System32\lxbvcoms.exe:Lexmark Communications System
"{8A9E6EF1-0E8D-4570-83BB-4FB18E322D74}"= TCP:C:\Windows\System32\lxbvcoms.exe:Lexmark Communications System
"{08F9E737-0646-4806-AAB8-7FA864E7EB7D}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbvpswx.exe:Printer Status Window
"{D7421346-D6B9-489F-984B-0ECBA6B25204}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbvpswx.exe:Printer Status Window
"{B7D936D7-9EA9-4FBF-9743-A0DEA41DD635}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{BE0DC8BB-DD62-4FA2-9187-A948B2E6BA0B}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{DDA72088-2204-43C0-9C23-7F26AB6D826C}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{46CAEEE3-A11E-4E85-8D07-11DC1044F5E0}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{B62DC84F-05AF-4035-8919-04C25B52CD32}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{EF74AC87-4249-46C4-BA34-7FE6399CA486}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{DC531144-15B6-4682-8FD3-C93517529506}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{E5F3738C-99AB-4965-9797-F8045B77CE9F}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{B8F49208-EFE1-4B21-9235-DE821574E968}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A22D7E66-52E3-4FD2-B7D2-341FF0A336F9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E15B0662-6C51-4B77-AB29-F0D69C8EDE83}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{FFD36E9D-75A3-4CC9-A8A0-649DC5F8D9D8}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{1E55F48E-7AF2-447C-9F9B-AF9467C70575}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{258436B9-7163-4A97-A203-0E8004222850}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5576B1D8-72B4-4D1D-BF0A-9838E9A32A47}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{160D2620-9D6B-42DC-9961-D0AD3526F961}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3D3ECB73-F344-47B7-B10F-880BF0E57F8F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{BDB976D9-D68D-4770-8E94-5C60050CF0B7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0A634EBE-54A8-4D79-AD2A-A2FCB07ACA16}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"= C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4
"C:\\Program Files\\iTunes\\iTunes.exe"= C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
"C:\\Program Files\\LimeWire\\LimeWire.exe"= C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\\Program Files\\Messenger\\msmsgs.exe"= C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"C:\\Program Files\\MSN Messenger\\livecall.exe"= C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
"C:\\Program Files\\MSN Messenger\\msncall.exe"= C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
"C:\\Program Files\\Skype\\Phone\\Skype.exe"= C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"= C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"= C:\Program Files\Yahoo!\Messenger\ypager.exe:*:Enabled:Yahoo! Messenger
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
R2 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-03-10 06:44]
R2 CrackTcpip;Crack Tcpip;C:\Windows\system32\drivers\CrackTcpip.sys [2008-01-13 18:55]
R2 lxbv_device;lxbv_device;C:\Windows\system32\lxbvcoms.exe [2007-04-25 13:18]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 22:39]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2008-03-03 08:12]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\Windows\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\Windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\Windows\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 22:39]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-04 23:41]
S3 upperdev;upperdev;C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WudfServiceGroup REG_MULTI_SZ WUDFSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3653f-39e7-11dc-b731-0016e3994e97}]
\shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c13ada6-8215-11db-b358-0016e39953e5}]
\shell\AutoRun\command - K:\autorun.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 01:00:00 C:\Windows\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 00:59:59 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-05-06 18:10:17 C:\Windows\Tasks\User_Feed_Synchronization-{99A1AE20-38DF-44E4-8B25-1186140D2A3A}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 16:43:37
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\khFYrSIA.dll
PROCESS: C:\Windows\system32\lsass.exe
-> C:\Windows\system32\nnNGYqPg.dll
PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\lkhmqyom.dll
-> C:\Windows\system32\afyvxxeq.dll
-> ?:\Windows\system32\ieframe.dll
.
Completion time: 2008-05-07 16:47:45
Pre-Run: 114,309,328,896 bytes free
Post-Run: 116,691,869,696 bytes free
318 --- E O F --- 2008-04-09 10:37:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:44, on 07/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\wltray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Administrator\Downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {679F54FD-18AE-4CA7-A63F-009503A8ECC6} - C:\Windows\system32\nnNGYqPg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C8A64FD-AB81-47AD-B7D5-A14A44AD5870} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {EB807519-5E10-43E1-B587-2B14AE50EB89} - (no file)
O2 - BHO: {1f48db02-53d9-266b-1844-1b34406d8cbe} - {ebc8d604-43b1-4481-b662-9d3520bd84f1} - C:\Windows\system32\jwtxqtfu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khFYrSIA.dll,#1
O4 - HKLM\..\Run: [9c54449d] rundll32.exe "C:\Windows\system32\lkhmqyom.dll",b
O4 - HKLM\..\Run: [BM9f677701] Rundll32.exe "C:\Windows\system32\afyvxxeq.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9573 bytes
Rorschach112
2008-05-07, 19:24
Please post the logs normally, and not in code boxes
GiantSpider
2008-05-07, 19:26
ComboFix 08-05-01.3 - Administrator 2008-05-07 16:39:21.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1273 [GMT 1:00]
Running from: C:\Users\Administrator\Downloads\ComboFix.exe
* Resident AV is active
.
/wow section not completed
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-07 16:38 . 2008-05-07 16:38 <DIR> d-------- C:\327882R2FWJFW
2008-05-07 16:34 . 2008-05-03 14:26 43,520 --a------ C:\Windows\System32\khFYrSIA.dll
2008-05-06 22:15 . 2008-05-06 22:15 281,600 --a------ C:\Windows\System32\ssqRHXPJ.dll
2008-05-06 22:15 . 2008-05-06 22:15 284 --ahs---- C:\Windows\System32\JPXHRqss.ini
2008-05-06 21:10 . 2008-05-06 21:10 281,600 --a------ C:\Windows\System32\lJaaWmKb.dll
2008-05-06 21:10 . 2008-05-06 21:10 148 --ahs---- C:\Windows\System32\bKmWaaJl.ini
2008-05-06 21:06 . 2008-05-06 22:15 143 --a------ C:\Windows\System32\mcrh.tmp
2008-05-06 20:58 . 2008-05-07 16:39 707,119 ---hs---- C:\Windows\System32\moyqmhkl.ini
2008-05-06 20:58 . 2008-05-06 20:58 96,832 --a------ C:\Windows\System32\lkhmqyom.dll
2008-05-06 20:58 . 2008-05-06 20:58 2,112 --a------ C:\Windows\System32\ygvqejdc.exe
2008-05-06 20:57 . 2008-05-06 20:57 <DIR> d-------- C:\_OTMoveIt
2008-05-06 19:52 . 2008-05-06 19:52 108,608 --a------ C:\Windows\System32\jwtxqtfu.dll
2008-05-06 19:46 . 2008-05-06 19:46 53,312 --a------ C:\Windows\System32\bjimtyit.dll
2008-05-06 19:44 . 2008-05-06 19:44 104,512 --a------ C:\Windows\System32\afyvxxeq.dll
2008-05-06 19:25 . 2008-05-06 20:58 706,663 ---hs---- C:\Windows\System32\pxwjtcqy.ini
2008-05-06 19:19 . 2008-05-06 19:19 53,312 --a------ C:\Windows\System32\dhlbilfa.dll
2008-05-06 19:17 . 2008-05-06 19:17 104,512 --a------ C:\Windows\System32\ybujsoxr.dll
2008-05-06 19:04 . 2008-05-06 19:04 323 --a------ C:\Windows\wininit.ini
2008-05-06 17:39 . 2008-05-06 19:12 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-06 17:39 . 2008-05-06 17:39 1,409 --a------ C:\Windows\QTFont.for
2008-05-06 17:25 . 2008-05-06 17:25 706,592 ---hs---- C:\Windows\System32\thbvlbnr.ini
2008-05-05 21:42 . 2008-05-05 21:42 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-05 19:22 . 2008-05-05 19:22 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-05-05 19:22 . 2008-05-05 19:22 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-05-03 14:34 . 2008-05-06 21:25 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-03 14:34 . 2006-06-20 09:56 225,280 --a------ C:\Windows\System32\rewire.dll
2008-05-03 14:33 . 2002-07-07 23:14 1,294,336 --a------ C:\Windows\System32\vorbis.acm
2008-05-03 14:32 . 2008-05-03 14:32 <DIR> d-------- C:\Program Files\Outsim
2008-05-03 14:32 . 2008-05-07 16:38 271,754 --ahs---- C:\Windows\System32\gPqYGNnn.ini2
2008-05-03 14:32 . 2008-05-07 16:39 271,738 --ahs---- C:\Windows\System32\gPqYGNnn.ini
2008-05-03 14:31 . 2008-05-03 14:31 281,600 --------- C:\Windows\System32\nnNGYqPg.dll
2008-05-03 14:28 . 2008-05-06 21:27 <DIR> d-------- C:\Program Files\Image-Line
2008-05-02 20:40 . 2008-05-02 20:40 100,605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-04-25 22:16 . 2008-04-25 22:16 0 --ah----- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-04-25 22:14 . 2008-04-25 22:14 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-25 22:02 . 2007-09-17 15:53 21,632 --a------ C:\Windows\System32\drivers\pccsmcfd.sys
2008-04-25 22:00 . 2008-04-25 22:00 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01 . 2008-04-18 00:01 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-09 11:29 . 2008-02-29 08:11 988,216 --a------ C:\Windows\System32\winload.exe
2008-04-09 11:29 . 2008-02-29 08:11 927,288 --a------ C:\Windows\System32\winresume.exe
2008-04-09 11:29 . 2008-02-22 06:05 615,992 --a------ C:\Windows\System32\ci.dll
2008-04-09 11:29 . 2008-02-29 07:53 378,368 --a------ C:\Windows\System32\srcore.dll
2008-04-09 11:29 . 2008-02-29 05:12 318,464 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 11:29 . 2008-02-29 07:53 46,592 --a------ C:\Windows\System32\setbcdlocale.dll
2008-04-09 11:29 . 2008-02-29 07:53 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 11:29 . 2008-02-29 08:14 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 11:29 . 2008-02-29 05:12 14,848 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 11:29 . 2008-02-29 07:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 11:28 . 2008-02-29 05:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-09 11:28 . 2008-02-22 03:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-09 11:28 . 2008-02-22 06:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-09 11:26 . 2008-02-22 05:57 295,936 --a------ C:\Windows\System32\gdi32.dll
2008-04-07 14:20 . 2008-04-07 14:20 <DIR> d-------- C:\Program Files\Guitar Pro 5
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 20:18 --------- d-----w C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 20:18 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-05-05 12:29 --------- d-----w C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 12:29 --------- d-----w C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 19:40 --------- d-----w C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 18:44 --------- d-----w C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:03 --------- d-----w C:\ProgramData\Installations
2008-05-01 22:26 --------- d-----w C:\Program Files\Nokia
2008-05-01 22:25 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 22:25 --------- d-----w C:\Program Files\LimeWire
2008-04-25 21:05 --------- d-----w C:\ProgramData\Downloaded Installations
2008-04-25 21:05 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 21:02 --------- d-----w C:\Program Files\DIFX
2008-04-17 23:18 --------- d-----w C:\Program Files\Azureus
2008-04-12 16:01 --------- d-----w C:\Program Files\SopCast
2008-04-10 17:47 --------- d-----w C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 00:30 --------- d-----w C:\Program Files\Windows Mail
2008-04-10 00:06 --------- d-----w C:\Program Files\TVAnts
2008-04-09 10:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-08 19:31 --------- d-----w C:\Program Files\Common Files\Steam
2008-04-07 13:45 --------- d-----w C:\ProgramData\Messenger Plus!
2008-04-03 19:46 --------- d-----w C:\Program Files\iTunes
2008-04-03 19:45 --------- d-----w C:\Program Files\iPod
2008-04-03 19:44 --------- d-----w C:\Program Files\QuickTime Alternative
2008-04-02 18:37 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-26 12:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 18:32 --------- d-----w C:\Program Files\StuffPlug3
2008-03-24 22:33 --------- d-----w C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 20:39 --------- d-----w C:\Program Files\mIRC
2008-03-24 19:57 --------- d-----w C:\Program Files\McAfee
2008-03-24 19:42 --------- d-----w C:\ProgramData\McAfee
2008-03-22 19:52 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-22 16:19 --------- d-----w C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 16:19 --------- d-----w C:\ProgramData\TVU networks
2008-03-22 16:19 --------- d-----w C:\Program Files\TVUPlayer
2008-03-21 17:37 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 17:35 --------- d-----w C:\ProgramData\WLInstaller
2008-03-21 14:24 174 --sha-w C:\Program Files\desktop.ini
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Journal
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Defender
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-21 14:14 --------- d-----w C:\Program Files\Windows Calendar
2008-03-21 13:20 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-21 13:20 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-19 21:54 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-16 18:24 --------- d-----w C:\Program Files\Java
2008-03-16 18:15 --------- d-----w C:\ProgramData\Xfire
2008-03-15 18:21 --------- d-----w C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 15:32 --------- d-s---w C:\Program Files\Xfire
2008-03-12 23:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 23:16 --------- d-----w C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-12 23:16 --------- d-----w C:\Program Files\Virtuosa
2008-03-12 17:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-11 20:08 1,694,501 ----a-w C:\MsgPlusDebug (GS).zip
2008-03-10 17:57 --------- d-----w C:\Program Files\FLAC
2008-02-21 01:57 54,608 ----a-w C:\Windows\System32\xfcodec.dll
2008-02-18 23:43 87,608 ----a-w C:\Users\Administrator\AppData\Roaming\inst.exe
2008-02-18 23:43 47,360 ----a-w C:\Users\Administrator\AppData\Roaming\pcouffin.sys
2008-02-18 21:03 81,920 ----a-w C:\Users\Administrator\AppData\Roaming\ezpinst.exe
2007-01-27 17:29 19,784 ----a-w C:\Users\Chelsey\AppData\Roaming\GDIPFONTCACHEV1.DAT
2006-12-30 16:11 87,608 ----a-w C:\Users\Chelsey\AppData\Roaming\ezpinst.exe
2006-12-30 16:11 47,360 ----a-w C:\Users\Chelsey\AppData\Roaming\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{679F54FD-18AE-4CA7-A63F-009503A8ECC6}]
2008-05-03 14:31 281600 --------- C:\Windows\system32\nnNGYqPg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A64FD-AB81-47AD-B7D5-A14A44AD5870}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB807519-5E10-43E1-B587-2B14AE50EB89}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebc8d604-43b1-4481-b662-9d3520bd84f1}]
2008-05-06 19:52 108608 --a------ C:\Windows\system32\jwtxqtfu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15 171448]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53 4608]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38 1008184]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12 90112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09 696422]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 4706304 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42 1164576]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37 413696]
"MSServer"="C:\Windows\system32\khFYrSIA.dll" [2008-05-03 14:26 43520]
"9c54449d"="C:\Windows\system32\lkhmqyom.dll" [2008-05-06 20:58 96832]
"BM9f677701"="C:\Windows\system32\afyvxxeq.dll" [2008-05-06 19:44 104512]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM 557568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"= C:\Windows\system32\khFYrSIA.dll [2008-05-03 14:26 43520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= imc32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.X264"= x264vfw.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\Windows\system32\nnNGYqPg
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3545415102-2881654489-136399401-500]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"C:\\Program Files\\MSN Messenger\\livecall.exe"= C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
"C:\\Program Files\\MSN Messenger\\msncall.exe"= C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"%windir%\\Network Diagnostic\\xpnetdiag.exe-UDP-Domain"= TCP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"%windir%\\Network Diagnostic\\xpnetdiag.exe-TCP-Domain"= UDP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Yahoo!\Messenger\ypager.exe:Yahoo! Messenger
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Yahoo!\Messenger\ypager.exe:Yahoo! Messenger
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:SmartFTP Client 2.0
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:SmartFTP Client 2.0
"C:\\Program Files\\Skype\\Phone\\Skype.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Skype\Phone\Skype.exe:Skype
"C:\\Program Files\\Skype\\Phone\\Skype.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Skype\Phone\Skype.exe:Skype
"C:\\Program Files\\Messenger\\msmsgs.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Messenger\msmsgs.exe:Windows Messenger
"C:\\Program Files\\Messenger\\msmsgs.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Messenger\msmsgs.exe:Windows Messenger
"C:\\Program Files\\LimeWire\\LimeWire.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"C:\\Program Files\\LimeWire\\LimeWire.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"C:\\Program Files\\iTunes\\iTunes.exe-UDP-Standard"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"C:\\Program Files\\iTunes\\iTunes.exe-TCP-Standard"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:Sid Meier's Civilization 4
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"%windir%\\Network Diagnostic\\xpnetdiag.exe-UDP-Standard"= TCP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"%windir%\\Network Diagnostic\\xpnetdiag.exe-TCP-Standard"= UDP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
"{3E9864C1-8C12-43D0-AF3B-E1B609CE7C0B}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{6377CEF0-CF72-43EA-8235-496A0FDB6C7C}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
"{CE0676EA-0EDB-45BC-9242-2DE00840759A}"= UDP:C:\Windows\System32\lxbvcoms.exe:Lexmark Communications System
"{8A9E6EF1-0E8D-4570-83BB-4FB18E322D74}"= TCP:C:\Windows\System32\lxbvcoms.exe:Lexmark Communications System
"{08F9E737-0646-4806-AAB8-7FA864E7EB7D}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbvpswx.exe:Printer Status Window
"{D7421346-D6B9-489F-984B-0ECBA6B25204}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbvpswx.exe:Printer Status Window
"{B7D936D7-9EA9-4FBF-9743-A0DEA41DD635}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{BE0DC8BB-DD62-4FA2-9187-A948B2E6BA0B}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{DDA72088-2204-43C0-9C23-7F26AB6D826C}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{46CAEEE3-A11E-4E85-8D07-11DC1044F5E0}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{B62DC84F-05AF-4035-8919-04C25B52CD32}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{EF74AC87-4249-46C4-BA34-7FE6399CA486}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{DC531144-15B6-4682-8FD3-C93517529506}"= UDP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{E5F3738C-99AB-4965-9797-F8045B77CE9F}"= TCP:C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{B8F49208-EFE1-4B21-9235-DE821574E968}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A22D7E66-52E3-4FD2-B7D2-341FF0A336F9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E15B0662-6C51-4B77-AB29-F0D69C8EDE83}"= UDP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{FFD36E9D-75A3-4CC9-A8A0-649DC5F8D9D8}"= TCP:C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{1E55F48E-7AF2-447C-9F9B-AF9467C70575}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{258436B9-7163-4A97-A203-0E8004222850}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{5576B1D8-72B4-4D1D-BF0A-9838E9A32A47}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{160D2620-9D6B-42DC-9961-D0AD3526F961}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3D3ECB73-F344-47B7-B10F-880BF0E57F8F}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{BDB976D9-D68D-4770-8E94-5C60050CF0B7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0A634EBE-54A8-4D79-AD2A-A2FCB07ACA16}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"= C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4
"C:\\Program Files\\iTunes\\iTunes.exe"= C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
"C:\\Program Files\\LimeWire\\LimeWire.exe"= C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\\Program Files\\Messenger\\msmsgs.exe"= C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"C:\\Program Files\\MSN Messenger\\livecall.exe"= C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
"C:\\Program Files\\MSN Messenger\\msncall.exe"= C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
"C:\\Program Files\\Skype\\Phone\\Skype.exe"= C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"= C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"= C:\Program Files\Yahoo!\Messenger\ypager.exe:*:Enabled:Yahoo! Messenger
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
R2 BUFADPT;BUFADPT;C:\WINDOWS\system32\BUFADPT.SYS [2005-03-10 06:44]
R2 CrackTcpip;Crack Tcpip;C:\Windows\system32\drivers\CrackTcpip.sys [2008-01-13 18:55]
R2 lxbv_device;lxbv_device;C:\Windows\system32\lxbvcoms.exe [2007-04-25 13:18]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 22:39]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSGB6.sys [2008-03-03 08:12]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\Windows\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\Windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\Windows\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 22:39]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-04 23:41]
S3 upperdev;upperdev;C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 UsbserFilt;UsbserFilt;C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WudfServiceGroup REG_MULTI_SZ WUDFSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3653f-39e7-11dc-b731-0016e3994e97}]
\shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c13ada6-8215-11db-b358-0016e39953e5}]
\shell\AutoRun\command - K:\autorun.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 01:00:00 C:\Windows\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-01 00:59:59 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
"2008-05-06 18:10:17 C:\Windows\Tasks\User_Feed_Synchronization-{99A1AE20-38DF-44E4-8B25-1186140D2A3A}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 16:43:37
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\khFYrSIA.dll
PROCESS: C:\Windows\system32\lsass.exe
-> C:\Windows\system32\nnNGYqPg.dll
PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\lkhmqyom.dll
-> C:\Windows\system32\afyvxxeq.dll
-> ?:\Windows\system32\ieframe.dll
.
Completion time: 2008-05-07 16:47:45
Pre-Run: 114,309,328,896 bytes free
Post-Run: 116,691,869,696 bytes free
318 --- E O F --- 2008-04-09 10:37:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:44, on 07/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\wltray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Administrator\Downloads\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {679F54FD-18AE-4CA7-A63F-009503A8ECC6} - C:\Windows\system32\nnNGYqPg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C8A64FD-AB81-47AD-B7D5-A14A44AD5870} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {EB807519-5E10-43E1-B587-2B14AE50EB89} - (no file)
O2 - BHO: {1f48db02-53d9-266b-1844-1b34406d8cbe} - {ebc8d604-43b1-4481-b662-9d3520bd84f1} - C:\Windows\system32\jwtxqtfu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khFYrSIA.dll,#1
O4 - HKLM\..\Run: [9c54449d] rundll32.exe "C:\Windows\system32\lkhmqyom.dll",b
O4 - HKLM\..\Run: [BM9f677701] Rundll32.exe "C:\Windows\system32\afyvxxeq.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9573 bytes
Rorschach112
2008-05-07, 20:10
Hello
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\System32\khFYrSIA.dll
C:\Windows\System32\ssqRHXPJ.dll
C:\Windows\System32\JPXHRqss.ini
C:\Windows\System32\lJaaWmKb.dll
C:\Windows\System32\bKmWaaJl.ini
C:\Windows\System32\mcrh.tmp
C:\Windows\System32\moyqmhkl.ini
C:\Windows\System32\lkhmqyom.dll
C:\Windows\System32\ygvqejdc.exe
C:\Windows\System32\jwtxqtfu.dll
C:\Windows\System32\bjimtyit.dll
C:\Windows\System32\afyvxxeq.dll
C:\Windows\System32\pxwjtcqy.ini
C:\Windows\System32\dhlbilfa.dll
C:\Windows\System32\ybujsoxr.dll
C:\Windows\System32\thbvlbnr.ini
C:\Windows\System32\gPqYGNnn.ini2
C:\Windows\System32\gPqYGNnn.ini
C:\Windows\System32\nnNGYqPg.dll
C:\Windows\system32\khFYrSIA.dll
C:\Windows\system32\nnNGYqPg.dll
C:\Windows\system32\lkhmqyom.dll
C:\Windows\system32\afyvxxeq.dll
J:\autorun.exe
K:\autorun.exe
DirLook::
C:\327882R2FWJFW
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3653f-39e7-11dc-b731-0016e3994e97}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c13ada6-8215-11db-b358-0016e39953e5}]
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Also post a new HijackThis log
GiantSpider
2008-05-07, 22:22
ComboFix won't run, it was doing this last night as well, but when I tried it earlier today (the first time) it worked. However now it won't work, and restarting does nothing.
It has nothing to do with using the mouse either, I left it earlier for 2 hours and it hadn't been past the "Attempting to Create a new Restore point" stage.
Rorschach112
2008-05-07, 22:23
Can you delete ComboFix.exe and re-download it from that link
Then try the step again
Let me know if it fails
GiantSpider
2008-05-07, 22:43
Still no good.
Rorschach112
2008-05-07, 23:53
Hello
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
[kill explorer]
C:\Windows\System32\khFYrSIA.dll
C:\Windows\System32\ssqRHXPJ.dll
C:\Windows\System32\JPXHRqss.ini
C:\Windows\System32\lJaaWmKb.dll
C:\Windows\System32\bKmWaaJl.ini
C:\Windows\System32\mcrh.tmp
C:\Windows\System32\moyqmhkl.ini
C:\Windows\System32\lkhmqyom.dll
C:\Windows\System32\ygvqejdc.exe
C:\Windows\System32\jwtxqtfu.dll
C:\Windows\System32\bjimtyit.dll
C:\Windows\System32\afyvxxeq.dll
C:\Windows\System32\pxwjtcqy.ini
C:\Windows\System32\dhlbilfa.dll
C:\Windows\System32\ybujsoxr.dll
C:\Windows\System32\thbvlbnr.ini
C:\Windows\System32\gPqYGNnn.ini2
C:\Windows\System32\gPqYGNnn.ini
C:\Windows\System32\nnNGYqPg.dll
C:\Windows\system32\khFYrSIA.dll
C:\Windows\system32\nnNGYqPg.dll
C:\Windows\system32\lkhmqyom.dll
C:\Windows\system32\afyvxxeq.dll
J:\autorun.exe
K:\autorun.exe
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3653f-39e7-11dc-b731-0016e3994e97}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c13ada6-8215-11db-b358-0016e39953e5}
C:\327882R2FWJFW
purity
[start explorer]
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Reboot and do this
Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
GiantSpider
2008-05-08, 00:17
Explorer killed successfully
File/Folder C:\Windows\System32\khFYrSIA.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\ssqRHXPJ.dll
C:\Windows\System32\ssqRHXPJ.dll NOT unregistered.
C:\Windows\System32\ssqRHXPJ.dll moved successfully.
C:\Windows\System32\JPXHRqss.ini moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\lJaaWmKb.dll
C:\Windows\System32\lJaaWmKb.dll NOT unregistered.
C:\Windows\System32\lJaaWmKb.dll moved successfully.
C:\Windows\System32\bKmWaaJl.ini moved successfully.
C:\Windows\System32\mcrh.tmp moved successfully.
C:\Windows\System32\moyqmhkl.ini moved successfully.
File/Folder C:\Windows\System32\lkhmqyom.dll not found.
C:\Windows\System32\ygvqejdc.exe moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\jwtxqtfu.dll
C:\Windows\System32\jwtxqtfu.dll NOT unregistered.
C:\Windows\System32\jwtxqtfu.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\bjimtyit.dll
C:\Windows\System32\bjimtyit.dll NOT unregistered.
C:\Windows\System32\bjimtyit.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\afyvxxeq.dll
C:\Windows\System32\afyvxxeq.dll NOT unregistered.
C:\Windows\System32\afyvxxeq.dll moved successfully.
C:\Windows\System32\pxwjtcqy.ini moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\dhlbilfa.dll
C:\Windows\System32\dhlbilfa.dll NOT unregistered.
C:\Windows\System32\dhlbilfa.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\ybujsoxr.dll
C:\Windows\System32\ybujsoxr.dll NOT unregistered.
C:\Windows\System32\ybujsoxr.dll moved successfully.
C:\Windows\System32\thbvlbnr.ini moved successfully.
C:\Windows\System32\gPqYGNnn.ini2 moved successfully.
C:\Windows\System32\gPqYGNnn.ini moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\nnNGYqPg.dll
C:\Windows\System32\nnNGYqPg.dll NOT unregistered.
File move failed. C:\Windows\System32\nnNGYqPg.dll scheduled to be moved on reboot.
File/Folder C:\Windows\system32\khFYrSIA.dll not found.
DllUnregisterServer procedure not found in C:\Windows\system32\nnNGYqPg.dll
C:\Windows\system32\nnNGYqPg.dll NOT unregistered.
File move failed. C:\Windows\system32\nnNGYqPg.dll scheduled to be moved on reboot.
File/Folder C:\Windows\system32\lkhmqyom.dll not found.
File/Folder C:\Windows\system32\afyvxxeq.dll not found.
File/Folder J:\autorun.exe not found.
File move failed. K:\autorun.exe scheduled to be moved on reboot.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3653f-39e7-11dc-b731-0016e3994e97} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30b3653f-39e7-11dc-b731-0016e3994e97}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c13ada6-8215-11db-b358-0016e39953e5} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c13ada6-8215-11db-b358-0016e39953e5}\\ deleted successfully.
C:\327882R2FWJFW moved successfully.
< purity >
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05072008_220403
Files moved on Reboot...
DllUnregisterServer procedure not found in C:\Windows\System32\nnNGYqPg.dll
C:\Windows\System32\nnNGYqPg.dll NOT unregistered.
File move failed. C:\Windows\System32\nnNGYqPg.dll scheduled to be moved on reboot.
File move failed. K:\autorun.exe scheduled to be moved on reboot.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-07 22:10:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- Last 5 Restore Point(s) --
9: 2008-05-07 19:54:23 UTC - RP303 - ComboFix created restore point
8: 2008-05-07 19:35:30 UTC - RP302 - ComboFix created restore point
7: 2008-05-07 19:15:27 UTC - RP301 - ComboFix created restore point
6: 2008-05-07 19:05:17 UTC - RP300 - ComboFix created restore point
5: 2008-05-07 18:06:50 UTC - RP299 - ComboFix created restore point
-- First Restore Point --
1: 2008-05-07 16:23:43 UTC - RP295 - Last known good configuration
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:13, on 2008-05-07
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\notepad.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\wltray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Administrator\Downloads\dss.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\conime.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Users\ADMINI~1\DOWNLO~1\Administrator.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\Windows\system32\fajvvbpe.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8331C902-4A5F-417D-B739-B3AA4C60E44E} - C:\Windows\system32\nnNGYqPg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {61549d2f-3910-c8fa-0934-1daccf5e1729} - {9271e5fc-cad1-4390-af8c-0193f2d94516} - C:\Windows\system32\gdbtsinv.dll
O2 - BHO: (no name) - {9C8A64FD-AB81-47AD-B7D5-A14A44AD5870} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {EB807519-5E10-43E1-B587-2B14AE50EB89} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [9c54449d] rundll32.exe "C:\Windows\system32\obtmdhvg.dll",b
O4 - HKLM\..\Run: [BM9f677701] Rundll32.exe "C:\Windows\system32\nuvrnndi.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9656 bytes
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 BUFADPT - \??\c:\windows\system32\bufadpt.sys
R2 CrackTcpip (Crack Tcpip) - c:\windows\system32\drivers\cracktcpip.sys
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
S3 SiSGbeXP (SiS191/SiS190 Ethernet Device NDIS 5.1 Driver) - c:\windows\system32\drivers\sisgbexp.sys <Not Verified; Silicon Integrated Systems Corp.; SiS191/190 Ethernet Device>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-05-07 19:51:11 434 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{99A1AE20-38DF-44E4-8B25-1186140D2A3A}.job
2008-03-15 02:00:00 268 --a------ C:\Windows\Tasks\McDefragTask.job
2008-01-01 01:59:59 360 --a------ C:\Windows\Tasks\McQcTask.job
-- Files created between 2008-04-07 and 2008-05-07 -----------------------------
2008-05-07 21:06:31 96832 --a------ C:\Windows\system32\obtmdhvg.dll
2008-05-07 21:04:17 53312 --a------ C:\Windows\system32\fajvvbpe.dll
2008-05-07 21:04:11 105024 --a------ C:\Windows\system32\nuvrnndi.dll
2008-05-07 21:00:54 103936 --a------ C:\Windows\system32\edhrofrt.dll
2008-05-07 20:58:35 53248 --a------ C:\Windows\system32\ywresphx.dll
2008-05-07 20:22:51 106560 --a------ C:\Windows\system32\gdbtsinv.dll
2008-05-07 20:22:51 2112 --a------ C:\Windows\system32\frfsjynp.exe
2008-05-07 20:15:03 96832 -----n--- C:\Windows\system32\ajmjywhh.dll
2008-05-07 20:12:14 53312 --a------ C:\Windows\system32\cnglkouu.dll
2008-05-07 20:09:57 105024 --a------ C:\Windows\system32\kwnhwfvv.dll
2008-05-07 20:09:10 53248 --a------ C:\Windows\system32\qhdptbbe.dll
2008-05-07 20:08:07 103936 --a------ C:\Windows\system32\qgbeivrc.dll
2008-05-07 19:49:03 53312 --a------ C:\Windows\system32\nhdujwrq.dll
2008-05-07 19:46:03 105024 --a------ C:\Windows\system32\khkcceuy.dll
2008-05-07 16:39:47 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-06 22:20:39 68096 --a------ C:\Windows\zip.exe
2008-05-06 22:20:39 49152 --a------ C:\Windows\VFind.exe
2008-05-06 22:20:39 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 22:20:39 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 22:20:39 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 22:20:39 98816 --a------ C:\Windows\sed.exe
2008-05-06 22:20:39 80412 --a------ C:\Windows\grep.exe
2008-05-06 22:20:39 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-05 21:42:04 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-05 19:22:28 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-03 14:34:01 0 d-------- C:\Program Files\VstPlugins
2008-05-03 14:34:00 225280 --a------ C:\Windows\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-03 14:32:00 0 d-------- C:\Program Files\Outsim
2008-05-03 14:31:57 281600 -----n--- C:\Windows\system32\nnNGYqPg.dll
2008-05-03 14:28:12 0 d-------- C:\Program Files\Image-Line
2008-04-25 22:00:52 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01:05 0 d-------- C:\Program Files\Apple Software Update
2008-04-07 14:20:44 0 d-------- C:\Program Files\Guitar Pro 5
-- Find3M Report ---------------------------------------------------------------
2008-05-06 21:27:02 0 d-------- C:\Program Files\Common Files
2008-05-05 21:18:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 13:29:13 0 d-------- C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 13:29:08 0 d-------- C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 20:40:39 0 d-------- C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 20:40:39 100605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-05-02 19:44:58 0 d-------- C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:26:26 0 d-------- C:\Program Files\Nokia
2008-05-01 23:25:36 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-25 23:25:02 0 d-------- C:\Program Files\LimeWire
2008-04-25 22:05:14 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 22:02:37 0 d-------- C:\Program Files\DIFX
2008-04-18 00:18:04 0 d-------- C:\Program Files\Azureus
2008-04-12 17:01:44 0 d-------- C:\Program Files\SopCast
2008-04-10 18:47:18 0 d-------- C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 01:30:33 0 d-------- C:\Program Files\Windows Mail
2008-04-10 01:06:06 0 d-------- C:\Program Files\TVAnts
2008-04-08 20:31:55 0 d-------- C:\Program Files\Common Files\Steam
2008-04-03 20:46:08 0 d-------- C:\Program Files\iTunes
2008-04-03 20:45:58 0 d-------- C:\Program Files\iPod
2008-04-03 20:44:38 0 d-------- C:\Program Files\QuickTime Alternative
2008-04-02 19:37:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-25 19:32:26 0 d-------- C:\Program Files\StuffPlug3
2008-03-24 23:33:49 0 d-------- C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 21:39:21 0 d-------- C:\Program Files\mIRC
2008-03-24 20:57:14 0 d-------- C:\Program Files\McAfee
2008-03-22 17:19:49 0 d-------- C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 17:19:42 0 d-------- C:\Program Files\TVUPlayer
2008-03-21 18:37:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 15:24:46 174 --ahs---- C:\Program Files\desktop.ini
2008-03-21 15:14:33 0 d-------- C:\Program Files\Windows Calendar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Windows Sidebar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Movie Maker
2008-03-21 15:14:28 0 d-------- C:\Program Files\Windows Collaboration
2008-03-21 15:14:27 0 d-------- C:\Program Files\Windows Journal
2008-03-21 15:14:26 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-21 15:14:19 0 d-------- C:\Program Files\Windows Defender
2008-03-19 22:54:53 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-19 18:26:53 0 d-------- C:\Users\Administrator\AppData\Roaming\Google
2008-03-16 19:24:50 0 d-------- C:\Program Files\Java
2008-03-15 19:21:12 0 d-------- C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 16:32:24 0 d---s---- C:\Program Files\Xfire
2008-03-13 00:16:40 0 d-------- C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-13 00:16:30 0 d-------- C:\Program Files\Virtuosa
2008-03-13 00:16:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 18:53:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-10 18:57:42 0 d-------- C:\Program Files\FLAC
2008-02-19 18:46:00 668 --a------ C:\Users\Administrator\AppData\Roaming\vso_ts_preview.xml
2008-02-19 00:45:29 34 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.log
2008-02-19 00:43:44 7887 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.cat
2008-02-18 22:03:49 81920 --a------ C:\Users\Administrator\AppData\Roaming\ezpinst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-05-07 21:04 53312 --a------ C:\Windows\system32\fajvvbpe.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8331C902-4A5F-417D-B739-B3AA4C60E44E}]
2008-05-03 14:31 281600 --------- C:\Windows\system32\nnNGYqPg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9271e5fc-cad1-4390-af8c-0193f2d94516}]
2008-05-07 20:22 106560 --a------ C:\Windows\system32\gdbtsinv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A64FD-AB81-47AD-B7D5-A14A44AD5870}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB807519-5E10-43E1-B587-2B14AE50EB89}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37]
"9c54449d"="C:\Windows\system32\obtmdhvg.dll" [2008-05-07 21:06]
"BM9f677701"="C:\Windows\system32\nuvrnndi.dll" [2008-05-07 21:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"= C:\Windows\system32\nnnnkhhh.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnNGYqPg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8333 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-05-07 22:15:28 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 2045.89 MiB / 1317.54 MiB
Pagefile Memory (total/avail): 3523.06 MiB / 2625.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1884 MiB
C: is Fixed (NTFS) - 232.88 GiB total, 112.53 GiB free.
D: is CDROM (CDFS)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)
K: is CDROM (UDF)
L: is Removable (FAT)
M: is CDROM (UDF)
\\.\PHYSICALDRIVE0 - ST3250820AS ATA Device - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:
\\.\PHYSICALDRIVE6 - Alliance Flash Disk USB Device - 494.19 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 501.48 MiB - L:
\\.\PHYSICALDRIVE1 - Generic 2.0 Reader -0 USB Device
\\.\PHYSICALDRIVE2 - Generic 2.0 Reader -1 USB Device
\\.\PHYSICALDRIVE3 - Generic 2.0 Reader -2 USB Device
\\.\PHYSICALDRIVE4 - Generic 2.0 Reader -3 USB Device
\\.\PHYSICALDRIVE5 - Generic 2.0 Reader -4 USB Device
-- Security Center -------------------------------------------------------------
AUOptions is set to notify before download.
Windows Internal Firewall is disabled.
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Administrator\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-C68A66632D
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Administrator
LOCALAPPDATA=C:\Users\Administrator\AppData\Local
LOGONSERVER=\\YOUR-C68A66632D
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\ATI Technologies\ATI.ACE;C:\Program Files\QuickTime Alternative\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\ADMINI~1\AppData\Local\Temp
TMP=C:\Users\ADMINI~1\AppData\Local\Temp
USERDOMAIN=YOUR-C68A66632D
USERNAME=Administrator
USERPROFILE=C:\Users\Administrator
windir=C:\Windows
-- User Profiles ---------------------------------------------------------------
Chelsey (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
AbsoluteShield File Shredder --> "C:\Program Files\SysShield Tools\File Shredder\unins000.exe"
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
ATI Catalyst Control Center --> MsiExec.exe /I{8FC4BF66-CA1C-457B-8DB3-0336E797BE24}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Audacity 1.3.3 (Unicode) --> "C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
Audiosurf --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/12900
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Azureus 3.0 --> C:\Program Files\Azureus\uninstall.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
BT Voyager Wireless Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0FD0FF9D-C87C-47C4-AEC5-98C760E783E7}\setup.exe" -l0x9
Command & Conquer 3 --> MsiExec.exe /I{B0C30E93-D3D9-4F04-A2AC-54749B573275}
ConvertXtoDVD 2.99.13.900 --> "C:\Program Files\VSO\ConvertX\3\unins000.exe"
Developer Certificate Request 2.1.1 --> C:\Program Files\InstallShield Installation Information\{4FDF4C76-5789-4AA9-8112-ADA95C79B798}\setup.exe -runfromtemp -l0x0009 -removeonly
Driving Test Success 2006/7 --> "C:\Program Files\Driving Test Success 2006-2007\unins000.exe"
DVD-Cover Printmaster 1.2 --> MsiExec.exe /I{9DCDC0A8-2280-4F43-B290-465AFDC281BC}
DVD Audio Extractor 4.2.0 --> "C:\Program Files\DVD Audio Extractor\unins000.exe"
EA SPORTS online 2007 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
FLAC 1.2.1b (remove only) --> C:\Program Files\FLAC\uninstall.exe
Football Manager 2007 --> C:\Program Files\Sports Interactive\Football Manager 2007\uninstall\Uninstall FM 2007.exe
Football Manager 2008 --> "C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
Half-Life(R) 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HijackThis 2.0.2 --> "C:\Users\Administrator\Downloads\HijackThis.exe" /uninstall
iDump Build: 22 --> C:\Program Files\iDump\uninst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Codec Pack 2.83 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LADSPA_plugins-win-0.4.15 --> "C:\Program Files\Audacity\Plug-Ins\unins000.exe"
Lexmark 2200 Series --> C:\Program Files\Lexmark 2200 Series\Install\x86\Uninst.exe
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
MagicDisc 2.5.79 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard --> C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Messenger Plus! 3 --> "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /Remove
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office Access 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ACCESS /dll OSETUP.DLL
Microsoft Office Access 2007 --> MsiExec.exe /X{90120000-0015-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall EXCEL /dll OSETUP.DLL
Microsoft Office Excel 2007 --> MsiExec.exe /X{90120000-0016-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall POWERPOINT /dll OSETUP.DLL
Microsoft Office PowerPoint 2007 --> MsiExec.exe /X{90120000-0018-0000-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PUBLISHER /dll OSETUP.DLL
Microsoft Office Publisher 2007 --> MsiExec.exe /X{90120000-0019-0000-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office SharePoint Designer 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall SHAREPOINTDESIGNER /dll OSETUP.DLL
Microsoft Office SharePoint Designer 2007 --> MsiExec.exe /X{90120000-0017-0000-0000-0000000FF1CE}
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {37180755-CA2B-40AD-9637-89FB0CE7CB36}
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-0017-0409-0000-0000000FF1CE} /uninstall {E3FED5B9-29D7-42E7-B10D-88AFEAF470F0}
Microsoft Office SharePoint Designer MUI (English) 2007 --> MsiExec.exe /X{90120000-0017-0409-0000-0000000FF1CE}
Microsoft Office Word 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORD /dll OSETUP.DLL
Microsoft Office Word 2007 --> MsiExec.exe /X{90120000-001B-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 (KB925672) --> MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia Flashing Cable Driver --> MsiExec.exe /X{A4E0CA0F-1903-440A-9B98-FEA6CB049999}
Nokia MTP driver --> MsiExec.exe /I{0E94871C-623C-464F-A117-B8474BFF84E1}
Nokia Multimedia Factory --> "C:\ProgramData\Installations\{4CFB3821-1582-4f3b-BF8D-30986923B36B}\Nokia_Multimedia_Factory_2_0.exe" /MAINTENANCE /SILENT="SWLPCER" /LANG="2057" /MSI_COMMON_OPTIONS="PCSLANG= MMFLANG=eng"
Nokia Multimedia Factory --> MsiExec.exe /I{4CFB3821-1582-4F3B-BF8D-30986923B36B}
Nokia PC Suite --> C:\ProgramData\Installations\{9C05FA75-0337-4523-AA57-9D3511018887}\Nokia_PC_Suite_rel_6_86_9_3_eng_web.exe
Nokia PC Suite --> MsiExec.exe /I{9C05FA75-0337-4523-AA57-9D3511018887}
Nokia Software Launcher --> MsiExec.exe /I{5CCABD37-479D-4304-B1A5-67952C25F8F2}
Nokia Software Updater --> MsiExec.exe /X{2B06E7FD-C5A1-403E-B387-A8D4AA858F48}
Nokia Video Manager --> "C:\ProgramData\Installations\{B1B4E612-9ACC-4fab-BD04-1721D9503266}\NokiaVideoManager1.6.exe" /MAINTENANCE /SILENT="SGWLRPFCE" /LANG="2057" /O=";EXTUNINSTALL=1"
Nokia Video Manager --> MsiExec.exe /I{B1B4E612-9ACC-4FAB-BD04-1721D9503266}
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
PoiZone --> C:\Program Files\Image-Line\PoiZone\uninstall.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
QuickTime Alternative 1.76 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
Real Alternative 1.52 --> "C:\Program Files\Real Alternative\unins000.exe"
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0018-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Shockwave --> C:\Windows\System32\Macromed\SHOCKW~2\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~2\INSTALL.LOG
Sid Meier's Civilization 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Sid Meier's Civilization 4 - Beyond the Sword --> C:\Program Files\InstallShield Installation Information\{32E4F0D2-C135-475E-A841-1D59A0D22989}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4 - Warlords --> C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\setup.exe -runfromtemp -l0x0009 -removeonly
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
SmartFTP Client 2.0 --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
SmartFTP Client 2.0 Setup Files (remove only) --> "C:\Program Files\SmartFTP Client 2.0 Setup Files\uninst-sftp.exe"
Soldier of Fortune II - Double Helix --> C:\PROGRA~1\SOLDIE~1\UNINST~1\UNWISE.EXE /u C:\PROGRA~1\SOLDIE~1\UNINST~1\INSTALL.LOG
SopCast 3.0.1 --> C:\Program Files\SopCast\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
StuffPlug 3 --> C:\Program Files\StuffPlug3\Uninstall.exe
Team Fortress 2 --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/440
Theme Hospital --> C:\Windows\uninst.exe -f"C:\Program Files\Bullfrog\Hospital\DeIsL1.isu"
Total Video Converter 2.52 --> "C:\Program Files\Total Video Converter\unins000.exe"
Toxic Biohazard --> C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exe
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
TVUPlayer 2.3.5.4 --> C:\Program Files\TVUPlayer\uninst.exe
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0015-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0018-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Videora iPod Converter 0.91 --> C:\Program Files\VideoraiPodConverter\uninst.exe
VSO CopyToDVD 4 --> "C:\Program Files\VSO\unins000.exe"
Windows Driver Package - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokia_bluetooth.inf_ce5ad925\nokia_bluetooth.inf
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_674398ba\nokbtmdm.inf
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11 --> "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Vista Upgrade Advisor --> MsiExec.exe /I{B79FBFDD-8B0C-4B8E-B70E-499E39978281}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
-- Application Event Log -------------------------------------------------------
Event Record #/Type26529 / Warning
Event Submitted/Written: 05/07/2008 10:09:47 PM
Event ID/Source: 1 / Microsoft-Windows-ApplicationExperienceInfrastructure
Event Description:
1528ATI Catalyst Control Center4ATI109ATI Catalyst Control Center is incompatible with this version of Windows. For more information, contact ATI.1
Event Record #/Type26528 / Warning
Event Submitted/Written: 05/07/2008 10:09:46 PM
Event ID/Source: 1 / Microsoft-Windows-ApplicationExperienceInfrastructure
Event Description:
1528ATI Catalyst Control Center4ATI109ATI Catalyst Control Center is incompatible with this version of Windows. For more information, contact ATI.1
Event Record #/Type26526 / Warning
Event Submitted/Written: 05/07/2008 10:08:48 PM
Event ID/Source: 1 / Microsoft-Windows-ApplicationExperienceInfrastructure
Event Description:
1528ATI Catalyst Control Center4ATI109ATI Catalyst Control Center is incompatible with this version of Windows. For more information, contact ATI.1
Event Record #/Type26522 / Success
Event Submitted/Written: 05/07/2008 10:06:59 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.
Event Record #/Type26514 / Success
Event Submitted/Written: 05/07/2008 10:06:52 PM
Event ID/Source: 5617 / WinMgmt
Event Description:
Windows Management Instrumentation Service subsystems initialized successfully
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type101411 / Error
Event Submitted/Written: 05/07/2008 10:09:44 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {28DD3979-0566-4ED3-9B14-1548B3187491} did not register with DCOM within the required timeout.
Event Record #/Type101391 / Error
Event Submitted/Written: 05/07/2008 10:07:22 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
mfehidk
Event Record #/Type101389 / Error
Event Submitted/Written: 05/07/2008 10:07:21 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SBSD Security Center Service service failed to start due to the following error:
%%1053
Event Record #/Type101388 / Error
Event Submitted/Written: 05/07/2008 10:07:21 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the SBSD Security Center Service service to connect.
Event Record #/Type101306 / Error
Event Submitted/Written: 05/07/2008 10:06:45 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos
-- End of Deckard's System Scanner: finished at 2008-05-07 22:15:28 ------------
Rorschach112
2008-05-08, 03:49
Hello
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Also post a new DSS log
GiantSpider
2008-05-08, 22:48
VundoFix V7.0.3
Scan started at 20:07:00 2008-05-08
Listing files found while scanning....
No infected files were found.
Beginning removal...
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-08 20:46:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46, on 2008-05-08
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\wltray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Administrator\Downloads\dss.exe
C:\Users\ADMINI~1\DOWNLO~1\ADMINI~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\Windows\system32\mfxgwwhr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9C8A64FD-AB81-47AD-B7D5-A14A44AD5870} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: {43f498f0-56f3-14ba-2284-bf1b4684b09b} - {b90b4864-b1fb-4822-ab41-3f650f894f34} - C:\Windows\system32\henmodir.dll
O2 - BHO: (no name) - {D093DEB7-EB35-4677-AE02-1EAB14D59A9E} - C:\Windows\system32\nnNGYqPg.dll
O2 - BHO: (no name) - {EB807519-5E10-43E1-B587-2B14AE50EB89} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [9c54449d] rundll32.exe "C:\Windows\system32\clykhbsd.dll",b
O4 - HKLM\..\Run: [BM9f677701] Rundll32.exe "C:\Windows\system32\hfiwlxty.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9804 bytes
-- Files created between 2008-04-08 and 2008-05-08 -----------------------------
2008-05-08 20:07:00 0 d-------- C:\VundoFix Backups
2008-05-07 23:04:24 96832 --a------ C:\Windows\system32\clykhbsd.dll
2008-05-07 23:04:23 2112 --a------ C:\Windows\system32\alipbldn.exe
2008-05-07 23:01:24 106560 --a------ C:\Windows\system32\henmodir.dll
2008-05-07 22:59:10 53312 --a------ C:\Windows\system32\mfxgwwhr.dll
2008-05-07 22:59:03 105024 --a------ C:\Windows\system32\hfiwlxty.dll
2008-05-07 22:58:23 373784 --ahs---- C:\Windows\system32\gPqYGNnn.ini2
2008-05-07 21:04:17 53312 --a------ C:\Windows\system32\fajvvbpe.dll
2008-05-07 21:04:11 105024 --a------ C:\Windows\system32\nuvrnndi.dll
2008-05-07 21:00:54 103936 --a------ C:\Windows\system32\edhrofrt.dll
2008-05-07 20:58:35 53248 --a------ C:\Windows\system32\ywresphx.dll
2008-05-07 20:22:51 106560 --a------ C:\Windows\system32\gdbtsinv.dll
2008-05-07 20:22:51 2112 --a------ C:\Windows\system32\frfsjynp.exe
2008-05-07 20:15:03 96832 -----n--- C:\Windows\system32\ajmjywhh.dll
2008-05-07 20:12:14 53312 --a------ C:\Windows\system32\cnglkouu.dll
2008-05-07 20:09:57 105024 --a------ C:\Windows\system32\kwnhwfvv.dll
2008-05-07 20:09:10 53248 --a------ C:\Windows\system32\qhdptbbe.dll
2008-05-07 20:08:07 103936 --a------ C:\Windows\system32\qgbeivrc.dll
2008-05-07 19:49:03 53312 --a------ C:\Windows\system32\nhdujwrq.dll
2008-05-07 19:46:03 105024 --a------ C:\Windows\system32\khkcceuy.dll
2008-05-07 16:39:47 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-06 22:20:39 68096 --a------ C:\Windows\zip.exe
2008-05-06 22:20:39 49152 --a------ C:\Windows\VFind.exe
2008-05-06 22:20:39 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 22:20:39 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 22:20:39 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 22:20:39 98816 --a------ C:\Windows\sed.exe
2008-05-06 22:20:39 80412 --a------ C:\Windows\grep.exe
2008-05-06 22:20:39 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-05 21:42:04 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-05 19:22:28 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-03 14:34:01 0 d-------- C:\Program Files\VstPlugins
2008-05-03 14:34:00 225280 --a------ C:\Windows\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-03 14:32:00 0 d-------- C:\Program Files\Outsim
2008-05-03 14:31:57 281600 -----n--- C:\Windows\system32\nnNGYqPg.dll
2008-05-03 14:28:12 0 d-------- C:\Program Files\Image-Line
2008-04-25 22:00:52 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01:05 0 d-------- C:\Program Files\Apple Software Update
-- Find3M Report ---------------------------------------------------------------
2008-05-06 21:27:02 0 d-------- C:\Program Files\Common Files
2008-05-05 21:18:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 13:29:13 0 d-------- C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 13:29:08 0 d-------- C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 20:40:39 0 d-------- C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 20:40:39 100605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-05-02 19:44:58 0 d-------- C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:26:26 0 d-------- C:\Program Files\Nokia
2008-05-01 23:25:36 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-25 23:25:02 0 d-------- C:\Program Files\LimeWire
2008-04-25 22:05:14 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 22:02:37 0 d-------- C:\Program Files\DIFX
2008-04-18 00:18:04 0 d-------- C:\Program Files\Azureus
2008-04-12 17:01:44 0 d-------- C:\Program Files\SopCast
2008-04-10 18:47:18 0 d-------- C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 01:30:33 0 d-------- C:\Program Files\Windows Mail
2008-04-10 01:06:06 0 d-------- C:\Program Files\TVAnts
2008-04-08 20:31:55 0 d-------- C:\Program Files\Common Files\Steam
2008-04-07 14:20:49 0 d-------- C:\Program Files\Guitar Pro 5
2008-04-03 20:46:08 0 d-------- C:\Program Files\iTunes
2008-04-03 20:45:58 0 d-------- C:\Program Files\iPod
2008-04-03 20:44:38 0 d-------- C:\Program Files\QuickTime Alternative
2008-04-02 19:37:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-25 19:32:26 0 d-------- C:\Program Files\StuffPlug3
2008-03-24 23:33:49 0 d-------- C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 21:39:21 0 d-------- C:\Program Files\mIRC
2008-03-24 20:57:14 0 d-------- C:\Program Files\McAfee
2008-03-22 17:19:49 0 d-------- C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 17:19:42 0 d-------- C:\Program Files\TVUPlayer
2008-03-21 18:37:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 15:24:46 174 --ahs---- C:\Program Files\desktop.ini
2008-03-21 15:14:33 0 d-------- C:\Program Files\Windows Calendar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Windows Sidebar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Movie Maker
2008-03-21 15:14:28 0 d-------- C:\Program Files\Windows Collaboration
2008-03-21 15:14:27 0 d-------- C:\Program Files\Windows Journal
2008-03-21 15:14:26 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-21 15:14:19 0 d-------- C:\Program Files\Windows Defender
2008-03-19 22:54:53 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-19 18:26:53 0 d-------- C:\Users\Administrator\AppData\Roaming\Google
2008-03-16 19:24:50 0 d-------- C:\Program Files\Java
2008-03-15 19:21:12 0 d-------- C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 16:32:24 0 d---s---- C:\Program Files\Xfire
2008-03-13 00:16:40 0 d-------- C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-13 00:16:30 0 d-------- C:\Program Files\Virtuosa
2008-03-13 00:16:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 18:53:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-10 18:57:42 0 d-------- C:\Program Files\FLAC
2008-02-19 18:46:00 668 --a------ C:\Users\Administrator\AppData\Roaming\vso_ts_preview.xml
2008-02-19 00:45:29 34 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.log
2008-02-19 00:43:44 7887 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.cat
2008-02-18 22:03:49 81920 --a------ C:\Users\Administrator\AppData\Roaming\ezpinst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-05-07 22:59 53312 --a------ C:\Windows\system32\mfxgwwhr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C8A64FD-AB81-47AD-B7D5-A14A44AD5870}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b90b4864-b1fb-4822-ab41-3f650f894f34}]
2008-05-07 23:01 106560 --a------ C:\Windows\system32\henmodir.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D093DEB7-EB35-4677-AE02-1EAB14D59A9E}]
2008-05-03 14:31 281600 --------- C:\Windows\system32\nnNGYqPg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB807519-5E10-43E1-B587-2B14AE50EB89}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37]
"9c54449d"="C:\Windows\system32\clykhbsd.dll" [2008-05-07 23:04]
"BM9f677701"="C:\Windows\system32\hfiwlxty.dll" [2008-05-07 22:59]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"= C:\Windows\system32\nnnnkhhh.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnNGYqPg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-08 20:47:35 ------------
Rorschach112
2008-05-08, 23:09
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\Windows\system32\mfxgwwhr.dll
O2 - BHO: (no name) - {9C8A64FD-AB81-47AD-B7D5-A14A44AD5870} - (no file)
O2 - BHO: {43f498f0-56f3-14ba-2284-bf1b4684b09b} - {b90b4864-b1fb-4822-ab41-3f650f894f34} - C:\Windows\system32\henmodir.dll
O2 - BHO: (no name) - {D093DEB7-EB35-4677-AE02-1EAB14D59A9E} - C:\Windows\system32\nnNGYqPg.dll
O2 - BHO: (no name) - {EB807519-5E10-43E1-B587-2B14AE50EB89} - (no file)
O4 - HKLM\..\Run: [9c54449d] rundll32.exe "C:\Windows\system32\clykhbsd.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\Windows\system32\hfiwlxty.dll",s
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
We are going to run Vundofix again, but change the instructions slightly.
Open Notepad (Not Wordpad). Copy and paste the following into NotePad
C:\Windows\system32\clykhbsd.dll
C:\Windows\system32\alipbldn.exe
C:\Windows\system32\henmodir.dll
C:\Windows\system32\mfxgwwhr.dll
C:\Windows\system32\hfiwlxty.dll
C:\Windows\system32\gPqYGNnn.ini2
C:\Windows\system32\fajvvbpe.dll
C:\Windows\system32\nuvrnndi.dll
C:\Windows\system32\edhrofrt.dll
C:\Windows\system32\ywresphx.dll
C:\Windows\system32\gdbtsinv.dll
C:\Windows\system32\frfsjynp.exe
C:\Windows\system32\ajmjywhh.dll
C:\Windows\system32\cnglkouu.dll
C:\Windows\system32\kwnhwfvv.dll
C:\Windows\system32\qhdptbbe.dll
C:\Windows\system32\qgbeivrc.dll
C:\Windows\system32\nhdujwrq.dll
C:\Windows\system32\khkcceuy.dll
C:\Windows\system32\nnNGYqPg.dll
Click [B]File ->> Save As, and type in vundofix.vft (exactly as shown)
Under Save as type Select "All Files" and Save it to your Desktop
Double Click Vundofix.exe to run the program.
Next drag and drop the vundofix.vft file you made into the white window of Vundofix
The list of files should appear in the window
Right click in the open window and Select "Select all" (or manualy add check marks) in the boxes preceeeding the file names.
With the boxes all checked Select "Fix Vundo" Do Not Select "Scan for Vundo"
You will receive a prompt asking "Are you sure you want to remove these files?", click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
The vundofix.vtf file you made will be gone, this is normal.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting
Reboot and post a new DSS log
GiantSpider
2008-05-08, 23:30
Didn't quite happen as expected (see log) and the vundofix.vtf file is still there.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-08 21:27:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:28, on 2008-05-08
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\wltray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Users\Administrator\Downloads\dss.exe
C:\Users\ADMINI~1\DOWNLO~1\ADMINI~1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D02B1661-B963-4EDF-9302-F01F1E33CAC0} - C:\Windows\system32\nnNGYqPg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9063 bytes
-- Files created between 2008-04-08 and 2008-05-08 -----------------------------
2008-05-08 21:20:18 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-08 20:07:00 0 d-------- C:\VundoFix Backups
2008-05-07 23:04:24 96832 --a------ C:\Windows\system32\clykhbsd.dll
2008-05-07 23:04:23 2112 --a------ C:\Windows\system32\alipbldn.exe
2008-05-07 22:59:03 105024 --a------ C:\Windows\system32\hfiwlxty.dll
2008-05-07 22:58:23 373936 --ahs---- C:\Windows\system32\gPqYGNnn.ini2
2008-05-07 21:04:17 53312 --a------ C:\Windows\system32\fajvvbpe.dll
2008-05-07 21:04:11 105024 --a------ C:\Windows\system32\nuvrnndi.dll
2008-05-07 21:00:54 103936 --a------ C:\Windows\system32\edhrofrt.dll
2008-05-07 20:58:35 53248 --a------ C:\Windows\system32\ywresphx.dll
2008-05-07 20:22:51 106560 --a------ C:\Windows\system32\gdbtsinv.dll
2008-05-07 20:22:51 2112 --a------ C:\Windows\system32\frfsjynp.exe
2008-05-07 20:15:03 96832 -----n--- C:\Windows\system32\ajmjywhh.dll
2008-05-07 20:12:14 53312 --a------ C:\Windows\system32\cnglkouu.dll
2008-05-07 20:09:57 105024 --a------ C:\Windows\system32\kwnhwfvv.dll
2008-05-07 20:09:10 53248 --a------ C:\Windows\system32\qhdptbbe.dll
2008-05-07 20:08:07 103936 --a------ C:\Windows\system32\qgbeivrc.dll
2008-05-07 19:49:03 53312 --a------ C:\Windows\system32\nhdujwrq.dll
2008-05-07 19:46:03 105024 --a------ C:\Windows\system32\khkcceuy.dll
2008-05-07 16:39:47 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-06 22:20:39 68096 --a------ C:\Windows\zip.exe
2008-05-06 22:20:39 49152 --a------ C:\Windows\VFind.exe
2008-05-06 22:20:39 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 22:20:39 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 22:20:39 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 22:20:39 98816 --a------ C:\Windows\sed.exe
2008-05-06 22:20:39 80412 --a------ C:\Windows\grep.exe
2008-05-06 22:20:39 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-05 21:42:04 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-05 19:22:28 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-03 14:34:01 0 d-------- C:\Program Files\VstPlugins
2008-05-03 14:34:00 225280 --a------ C:\Windows\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-03 14:32:00 0 d-------- C:\Program Files\Outsim
2008-05-03 14:31:57 281600 -----n--- C:\Windows\system32\nnNGYqPg.dll
2008-05-03 14:28:12 0 d-------- C:\Program Files\Image-Line
2008-04-25 22:00:52 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01:05 0 d-------- C:\Program Files\Apple Software Update
-- Find3M Report ---------------------------------------------------------------
2008-05-06 21:27:02 0 d-------- C:\Program Files\Common Files
2008-05-05 21:18:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 13:29:13 0 d-------- C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 13:29:08 0 d-------- C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 20:40:39 0 d-------- C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 20:40:39 100605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-05-02 19:44:58 0 d-------- C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:26:26 0 d-------- C:\Program Files\Nokia
2008-05-01 23:25:36 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-25 23:25:02 0 d-------- C:\Program Files\LimeWire
2008-04-25 22:05:14 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 22:02:37 0 d-------- C:\Program Files\DIFX
2008-04-18 00:18:04 0 d-------- C:\Program Files\Azureus
2008-04-12 17:01:44 0 d-------- C:\Program Files\SopCast
2008-04-10 18:47:18 0 d-------- C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 01:30:33 0 d-------- C:\Program Files\Windows Mail
2008-04-10 01:06:06 0 d-------- C:\Program Files\TVAnts
2008-04-08 20:31:55 0 d-------- C:\Program Files\Common Files\Steam
2008-04-07 14:20:49 0 d-------- C:\Program Files\Guitar Pro 5
2008-04-03 20:46:08 0 d-------- C:\Program Files\iTunes
2008-04-03 20:45:58 0 d-------- C:\Program Files\iPod
2008-04-03 20:44:38 0 d-------- C:\Program Files\QuickTime Alternative
2008-04-02 19:37:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-25 19:32:26 0 d-------- C:\Program Files\StuffPlug3
2008-03-24 23:33:49 0 d-------- C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 21:39:21 0 d-------- C:\Program Files\mIRC
2008-03-24 20:57:14 0 d-------- C:\Program Files\McAfee
2008-03-22 17:19:49 0 d-------- C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 17:19:42 0 d-------- C:\Program Files\TVUPlayer
2008-03-21 18:37:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 15:24:46 174 --ahs---- C:\Program Files\desktop.ini
2008-03-21 15:14:33 0 d-------- C:\Program Files\Windows Calendar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Windows Sidebar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Movie Maker
2008-03-21 15:14:28 0 d-------- C:\Program Files\Windows Collaboration
2008-03-21 15:14:27 0 d-------- C:\Program Files\Windows Journal
2008-03-21 15:14:26 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-21 15:14:19 0 d-------- C:\Program Files\Windows Defender
2008-03-19 22:54:53 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-19 18:26:53 0 d-------- C:\Users\Administrator\AppData\Roaming\Google
2008-03-16 19:24:50 0 d-------- C:\Program Files\Java
2008-03-15 19:21:12 0 d-------- C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 16:32:24 0 d---s---- C:\Program Files\Xfire
2008-03-13 00:16:40 0 d-------- C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-13 00:16:30 0 d-------- C:\Program Files\Virtuosa
2008-03-13 00:16:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 18:53:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-10 18:57:42 0 d-------- C:\Program Files\FLAC
2008-02-19 18:46:00 668 --a------ C:\Users\Administrator\AppData\Roaming\vso_ts_preview.xml
2008-02-19 00:45:29 34 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.log
2008-02-19 00:43:44 7887 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.cat
2008-02-18 22:03:49 81920 --a------ C:\Users\Administrator\AppData\Roaming\ezpinst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D02B1661-B963-4EDF-9302-F01F1E33CAC0}]
2008-05-03 14:31 281600 --------- C:\Windows\system32\nnNGYqPg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"= C:\Windows\system32\nnnnkhhh.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnNGYqPg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-08 21:28:53 ------------
VundoFix V7.0.3
Scan started at 20:07:00 2008-05-08
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Beginning removal...
Rorschach112
2008-05-09, 00:41
Hello
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Files to delete:
C:\Windows\system32\clykhbsd.dll
C:\Windows\system32\alipbldn.exe
C:\Windows\system32\henmodir.dll
C:\Windows\system32\mfxgwwhr.dll
C:\Windows\system32\hfiwlxty.dll
C:\Windows\system32\gPqYGNnn.ini2
C:\Windows\system32\fajvvbpe.dll
C:\Windows\system32\nuvrnndi.dll
C:\Windows\system32\edhrofrt.dll
C:\Windows\system32\ywresphx.dll
C:\Windows\system32\gdbtsinv.dll
C:\Windows\system32\frfsjynp.exe
C:\Windows\system32\ajmjywhh.dll
C:\Windows\system32\cnglkouu.dll
C:\Windows\system32\kwnhwfvv.dll
C:\Windows\system32\qhdptbbe.dll
C:\Windows\system32\qgbeivrc.dll
C:\Windows\system32\nhdujwrq.dll
C:\Windows\system32\khkcceuy.dll
C:\Windows\system32\nnNGYqPg.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply
GiantSpider
2008-05-09, 16:27
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File "C:\Windows\system32\clykhbsd.dll" deleted successfully.
File "C:\Windows\system32\alipbldn.exe" deleted successfully.
Error: file "C:\Windows\system32\henmodir.dll" not found!
Deletion of file "C:\Windows\system32\henmodir.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\Windows\system32\mfxgwwhr.dll" not found!
Deletion of file "C:\Windows\system32\mfxgwwhr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\Windows\system32\hfiwlxty.dll" deleted successfully.
File "C:\Windows\system32\gPqYGNnn.ini2" deleted successfully.
File "C:\Windows\system32\fajvvbpe.dll" deleted successfully.
File "C:\Windows\system32\nuvrnndi.dll" deleted successfully.
File "C:\Windows\system32\edhrofrt.dll" deleted successfully.
File "C:\Windows\system32\ywresphx.dll" deleted successfully.
File "C:\Windows\system32\gdbtsinv.dll" deleted successfully.
File "C:\Windows\system32\frfsjynp.exe" deleted successfully.
File "C:\Windows\system32\ajmjywhh.dll" deleted successfully.
File "C:\Windows\system32\cnglkouu.dll" deleted successfully.
File "C:\Windows\system32\kwnhwfvv.dll" deleted successfully.
File "C:\Windows\system32\qhdptbbe.dll" deleted successfully.
File "C:\Windows\system32\qgbeivrc.dll" deleted successfully.
File "C:\Windows\system32\nhdujwrq.dll" deleted successfully.
File "C:\Windows\system32\khkcceuy.dll" deleted successfully.
File "C:\Windows\system32\nnNGYqPg.dll" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-09 14:24:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:25, on 2008-05-09
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\wltray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Administrator\Downloads\dss.exe
C:\Users\ADMINI~1\DOWNLO~1\ADMINI~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {658B55EE-8F52-4616-8762-028DC77A51E3} - C:\Windows\system32\nnNGYqPg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9129 bytes
-- Files created between 2008-04-09 and 2008-05-09 -----------------------------
2008-05-08 21:20:18 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-08 20:07:00 0 d-------- C:\VundoFix Backups
2008-05-07 16:39:47 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-06 22:20:39 68096 --a------ C:\Windows\zip.exe
2008-05-06 22:20:39 49152 --a------ C:\Windows\VFind.exe
2008-05-06 22:20:39 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 22:20:39 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 22:20:39 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 22:20:39 98816 --a------ C:\Windows\sed.exe
2008-05-06 22:20:39 80412 --a------ C:\Windows\grep.exe
2008-05-06 22:20:39 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-05 21:42:04 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-05 19:22:28 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-03 14:34:01 0 d-------- C:\Program Files\VstPlugins
2008-05-03 14:34:00 225280 --a------ C:\Windows\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-03 14:32:00 0 d-------- C:\Program Files\Outsim
2008-05-03 14:28:12 0 d-------- C:\Program Files\Image-Line
2008-04-25 22:00:52 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01:05 0 d-------- C:\Program Files\Apple Software Update
-- Find3M Report ---------------------------------------------------------------
2008-05-06 21:27:02 0 d-------- C:\Program Files\Common Files
2008-05-05 21:18:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 13:29:13 0 d-------- C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 13:29:08 0 d-------- C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 20:40:39 0 d-------- C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 20:40:39 100605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-05-02 19:44:58 0 d-------- C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:26:26 0 d-------- C:\Program Files\Nokia
2008-05-01 23:25:36 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-25 23:25:02 0 d-------- C:\Program Files\LimeWire
2008-04-25 22:05:14 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 22:02:37 0 d-------- C:\Program Files\DIFX
2008-04-18 00:18:04 0 d-------- C:\Program Files\Azureus
2008-04-12 17:01:44 0 d-------- C:\Program Files\SopCast
2008-04-10 18:47:18 0 d-------- C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 01:30:33 0 d-------- C:\Program Files\Windows Mail
2008-04-10 01:06:06 0 d-------- C:\Program Files\TVAnts
2008-04-08 20:31:55 0 d-------- C:\Program Files\Common Files\Steam
2008-04-07 14:20:49 0 d-------- C:\Program Files\Guitar Pro 5
2008-04-03 20:46:08 0 d-------- C:\Program Files\iTunes
2008-04-03 20:45:58 0 d-------- C:\Program Files\iPod
2008-04-03 20:44:38 0 d-------- C:\Program Files\QuickTime Alternative
2008-04-02 19:37:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-25 19:32:26 0 d-------- C:\Program Files\StuffPlug3
2008-03-24 23:33:49 0 d-------- C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 21:39:21 0 d-------- C:\Program Files\mIRC
2008-03-24 20:57:14 0 d-------- C:\Program Files\McAfee
2008-03-22 17:19:49 0 d-------- C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 17:19:42 0 d-------- C:\Program Files\TVUPlayer
2008-03-21 18:37:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 15:24:46 174 --ahs---- C:\Program Files\desktop.ini
2008-03-21 15:14:33 0 d-------- C:\Program Files\Windows Calendar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Windows Sidebar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Movie Maker
2008-03-21 15:14:28 0 d-------- C:\Program Files\Windows Collaboration
2008-03-21 15:14:27 0 d-------- C:\Program Files\Windows Journal
2008-03-21 15:14:26 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-21 15:14:19 0 d-------- C:\Program Files\Windows Defender
2008-03-19 22:54:53 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-19 18:26:53 0 d-------- C:\Users\Administrator\AppData\Roaming\Google
2008-03-16 19:24:50 0 d-------- C:\Program Files\Java
2008-03-15 19:21:12 0 d-------- C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 16:32:24 0 d---s---- C:\Program Files\Xfire
2008-03-13 00:16:40 0 d-------- C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-13 00:16:30 0 d-------- C:\Program Files\Virtuosa
2008-03-13 00:16:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 18:53:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-10 18:57:42 0 d-------- C:\Program Files\FLAC
2008-02-19 18:46:00 668 --a------ C:\Users\Administrator\AppData\Roaming\vso_ts_preview.xml
2008-02-19 00:45:29 34 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.log
2008-02-19 00:43:44 7887 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.cat
2008-02-18 22:03:49 81920 --a------ C:\Users\Administrator\AppData\Roaming\ezpinst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{658B55EE-8F52-4616-8762-028DC77A51E3}]
C:\Windows\system32\nnNGYqPg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"= C:\Windows\system32\nnnnkhhh.dll [ ]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\nnNGYqPg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-09 14:26:19 ------------
Rorschach112
2008-05-09, 18:31
Hello
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):
O2 - BHO: (no name) - {658B55EE-8F52-4616-8762-028DC77A51E3} - C:\Windows\system32\nnNGYqPg.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6584C510-924B-486A-A1A0-E380DE08C2DB}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6584C510-924B-486A-A1A0-E380DE08C2DB}]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
Then double click on the fix.reg file, when it prompts to merge click "Yes".
Reboot and post a new DSS log
GiantSpider
2008-05-09, 19:24
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-09 17:22:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22, on 2008-05-09
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\wltray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Administrator\Downloads\dss.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Users\ADMINI~1\DOWNLO~1\ADMINI~1.EXE
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204583586132
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204583677198
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbv_device - - C:\Windows\system32\lxbvcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 9008 bytes
-- Files created between 2008-04-09 and 2008-05-09 -----------------------------
2008-05-09 17:17:08 388 --a------ C:\fix.reg
2008-05-08 21:20:18 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-08 20:07:00 0 d-------- C:\VundoFix Backups
2008-05-07 16:39:47 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-05-06 22:20:39 68096 --a------ C:\Windows\zip.exe
2008-05-06 22:20:39 49152 --a------ C:\Windows\VFind.exe
2008-05-06 22:20:39 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 22:20:39 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 22:20:39 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 22:20:39 98816 --a------ C:\Windows\sed.exe
2008-05-06 22:20:39 80412 --a------ C:\Windows\grep.exe
2008-05-06 22:20:39 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-05 21:42:04 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-05 19:22:28 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-03 14:34:01 0 d-------- C:\Program Files\VstPlugins
2008-05-03 14:34:00 225280 --a------ C:\Windows\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-03 14:32:00 0 d-------- C:\Program Files\Outsim
2008-05-03 14:28:12 0 d-------- C:\Program Files\Image-Line
2008-04-25 22:00:52 0 d-------- C:\Program Files\PC Connectivity Solution
2008-04-18 00:01:05 0 d-------- C:\Program Files\Apple Software Update
-- Find3M Report ---------------------------------------------------------------
2008-05-06 21:27:02 0 d-------- C:\Program Files\Common Files
2008-05-05 21:18:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Azureus
2008-05-05 13:29:13 0 d-------- C:\Users\Administrator\AppData\Roaming\Vso
2008-05-05 13:29:08 0 d-------- C:\Users\Administrator\AppData\Roaming\CopyToDvd
2008-05-02 20:40:39 0 d-------- C:\Users\Administrator\AppData\Roaming\Nokia
2008-05-02 20:40:39 100605 --a------ C:\Users\Administrator\AppData\Roaming\NMM-MetaData.db
2008-05-02 19:44:58 0 d-------- C:\Users\Administrator\AppData\Roaming\LimeWire
2008-05-01 23:26:26 0 d-------- C:\Program Files\Nokia
2008-05-01 23:25:36 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-25 23:25:02 0 d-------- C:\Program Files\LimeWire
2008-04-25 22:05:14 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-25 22:02:37 0 d-------- C:\Program Files\DIFX
2008-04-18 00:18:04 0 d-------- C:\Program Files\Azureus
2008-04-12 17:01:44 0 d-------- C:\Program Files\SopCast
2008-04-10 18:47:18 0 d-------- C:\Users\Administrator\AppData\Roaming\dvdcss
2008-04-10 01:30:33 0 d-------- C:\Program Files\Windows Mail
2008-04-10 01:06:06 0 d-------- C:\Program Files\TVAnts
2008-04-08 20:31:55 0 d-------- C:\Program Files\Common Files\Steam
2008-04-07 14:20:49 0 d-------- C:\Program Files\Guitar Pro 5
2008-04-03 20:46:08 0 d-------- C:\Program Files\iTunes
2008-04-03 20:45:58 0 d-------- C:\Program Files\iPod
2008-04-03 20:44:38 0 d-------- C:\Program Files\QuickTime Alternative
2008-04-02 19:37:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-25 19:32:26 0 d-------- C:\Program Files\StuffPlug3
2008-03-24 23:33:49 0 d-------- C:\Users\Administrator\AppData\Roaming\mIRC
2008-03-24 21:39:21 0 d-------- C:\Program Files\mIRC
2008-03-24 20:57:14 0 d-------- C:\Program Files\McAfee
2008-03-22 17:19:49 0 d-------- C:\Users\Administrator\AppData\Roaming\TVU networks
2008-03-22 17:19:42 0 d-------- C:\Program Files\TVUPlayer
2008-03-21 18:37:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-21 15:24:46 174 --ahs---- C:\Program Files\desktop.ini
2008-03-21 15:14:33 0 d-------- C:\Program Files\Windows Calendar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Windows Sidebar
2008-03-21 15:14:32 0 d-------- C:\Program Files\Movie Maker
2008-03-21 15:14:28 0 d-------- C:\Program Files\Windows Collaboration
2008-03-21 15:14:27 0 d-------- C:\Program Files\Windows Journal
2008-03-21 15:14:26 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-21 15:14:19 0 d-------- C:\Program Files\Windows Defender
2008-03-19 22:54:53 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-19 18:26:53 0 d-------- C:\Users\Administrator\AppData\Roaming\Google
2008-03-16 19:24:50 0 d-------- C:\Program Files\Java
2008-03-15 19:21:12 0 d-------- C:\Users\Administrator\AppData\Roaming\Xfire
2008-03-15 16:32:24 0 d---s---- C:\Program Files\Xfire
2008-03-13 00:16:40 0 d-------- C:\Users\Administrator\AppData\Roaming\AccurateRip
2008-03-13 00:16:30 0 d-------- C:\Program Files\Virtuosa
2008-03-13 00:16:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 18:53:47 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-10 18:57:42 0 d-------- C:\Program Files\FLAC
2008-02-19 18:46:00 668 --a------ C:\Users\Administrator\AppData\Roaming\vso_ts_preview.xml
2008-02-19 00:45:29 34 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.log
2008-02-19 00:43:44 7887 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.cat
2008-02-18 22:03:49 81920 --a------ C:\Users\Administrator\AppData\Roaming\ezpinst.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 08:38]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 10:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 16:07 C:\Windows\System32\HdAShCut.exe]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25]
"wltray.exe"="C:\WINDOWS\system32\wltray.exe" [2005-01-29 03:09]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33]
"RtHDVCpl"="RtHDVCpl.exe" [2007-11-14 16:50 C:\Windows\RtHDVCpl.exe]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 06:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-03-28 23:37]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 18:15]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-13 17:53]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33]
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [12/28/2007 9:01:00 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
WudfServiceGroup WUDFSvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-09 17:23:43 ------------
Rorschach112
2008-05-09, 20:50
Hello
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Also tell me how your PC is running
GiantSpider
2008-05-10, 12:58
Hey, the main problem I noticed before was that I couldn't get into certain websites. Thats been fine though since the last time I ran HJT. Its running pretty ok now.
Malwarebytes' Anti-Malware 1.12
Database version: 737
Scan type: Quick Scan
Objects scanned: 36756
Time elapsed: 6 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MHE867ND\kriv[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
Rorschach112
2008-05-10, 14:38
Your logs are clean ! We need to do a few things
Follow these steps to uninstall Combofix and tools used in the removal of malware
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You now need to update your Java and remove your older versions.
Please follow these steps to remove older version Java components.
* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.
Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)
* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)
Thank you for your patience, and performing all of the procedures requested.
GiantSpider
2008-05-10, 15:00
Cheers bud, thanks a lot.
Rorschach112
2008-05-10, 15:54
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.