View Full Version : smitfraud
i have virus called smitfraud c coreservice that spybot wont remove.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:53 PM, on 9/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Documents and Settings\nancy\lsass.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\nancy\Desktop\utorrent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Twain\Twain.exe
C:\Documents and Settings\nancy\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\nancy\Application Data\Microsoft\Windows\pufnqx.exe
C:\DOCUME~1\nancy\APPLIC~1\FNTS~1\alg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = cobra
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [flockbox] F:\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\nancy\lsass.exe
O4 - HKLM\..\Run: [{52bbc8da-ec77-26b2-4e49-c97178c95e6a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\brqoqoomirrfxziva.dll" DllStub
O4 - HKLM\..\Run: [a496ad42] rundll32.exe "C:\WINDOWS\system32\opnlLeDu.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\nancy\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\nancy\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\nancy\Application Data\Microsoft\Windows\pufnqx.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\nancy\APPLIC~1\FNTS~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [GetPack21] "C:\Program Files\GetPack\GetPack21.exe"
O4 - HKCU\..\Run: [iqoz] C:\Program Files\InetGet2\stub109_4_0_4_0.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL goojpq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9868 bytes
Hi cobra1
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
when ever i click the save list button hjt just closes and i the file
Then we use this:
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
also when all this started i got a message from windows security alerts saying authentium firewall and antivirus was out of date when i have never even had authentim
thanks
Logfile of random's system information tool 1.02 (written by random/random)
Run by nancy at 2008-09-27 20:04:33
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 54 GB (71%) free of 76 GB
Total RAM: 247 MB (16% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:53 PM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Documents and Settings\nancy\lsass.exe
C:\Documents and Settings\nancy\Desktop\utorrent.exe
C:\Program Files\Twain\Twain.exe
C:\WINDOWS\system32\mC02\mC022328.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Documents and Settings\nancy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\nancy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = cobra
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {05EEDBFD-EA8F-4995-A928-6B421DFB172B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: bambanner browser enhancer - {20b06176-3681-dc3c-476e-239617fb5aba} - C:\WINDOWS\system32\brqoqoomirrfxziva.dll
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {5D55FE1E-83E5-4DCC-8275-93E02E921A33} - C:\WINDOWS\system32\urqPfGAp.dll
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7F86C548-8046-4A4D-BB63-73DD15868F4A} - (no file)
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {B40FDC41-705E-4522-A804-FEB9DBB123A3} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: {5377365d-4e3c-c368-2274-5263ed76b8bc} - {cb8b67de-3625-4722-863c-c3e4d5637735} - C:\WINDOWS\system32\bmqbnd.dll
O2 - BHO: (no name) - {DA2E0515-F0D5-4773-8191-400CCD50783B} - C:\WINDOWS\system32\ddCSMDtR.dll
O2 - BHO: (no name) - {DD6962B9-D871-4AC5-B2F6-06CD654A360D} - (no file)
O2 - BHO: (no name) - {E586C5FF-E734-4984-95FF-92BC87AC75EF} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {EBDD2E69-2FB9-4B0D-AC49-D63883857DFA} - (no file)
O2 - BHO: (no name) - {EF8DFF1A-05E9-456F-9387-4EDE47EDFEA5} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [flockbox] F:\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\nancy\lsass.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{52bbc8da-ec77-26b2-4e49-c97178c95e6a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\brqoqoomirrfxziva.dll" DllStub
O4 - HKLM\..\Run: [BMa7a59ede] Rundll32.exe "C:\WINDOWS\system32\mvdwvnow.dll",s
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\nancy\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ednwqa.dll nijfhj.dll bmqbnd.dll
O20 - Winlogon Notify: ddCSMDtR - C:\WINDOWS\SYSTEM32\ddCSMDtR.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10797 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05EEDBFD-EA8F-4995-A928-6B421DFB172B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15F4D456-5BAA-4076-8486-EECB38CD3E57}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{206E52E0-D52E-11D4-AD54-0000E86C26F6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20b06176-3681-dc3c-476e-239617fb5aba}]
bambanner browser enhancer - C:\WINDOWS\system32\brqoqoomirrfxziva.dll [2008-08-29 166400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D55FE1E-83E5-4DCC-8275-93E02E921A33}]
C:\WINDOWS\system32\urqPfGAp.dll [2008-09-22 284672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
OIN Analytics - C:\Program Files\OINAnalytics\OINAnalytics.dll [2008-09-12 229376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F86C548-8046-4A4D-BB63-73DD15868F4A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B40FDC41-705E-4522-A804-FEB9DBB123A3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cb8b67de-3625-4722-863c-c3e4d5637735}]
C:\WINDOWS\system32\bmqbnd.dll [2008-09-27 115200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA2E0515-F0D5-4773-8191-400CCD50783B}]
C:\WINDOWS\system32\ddCSMDtR.dll [2008-09-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD6962B9-D871-4AC5-B2F6-06CD654A360D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E586C5FF-E734-4984-95FF-92BC87AC75EF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBDD2E69-2FB9-4B0D-AC49-D63883857DFA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF8DFF1A-05E9-456F-9387-4EDE47EDFEA5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46c4-B683-905236F6F655}
{C7768536-96F8-4001-B1A2-90EE21279187} - EarthLink Toolbar - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll [2005-03-03 173136]
{ED0E8CA5-42FB-4B18-997B-769E0408E79D} - FreshDownload Bar - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll []
{9FB3908C-6565-4CB0-95F8-E9F85258723C}
{014DA6C9-189F-421a-88CD-07CFE51CFF10}
{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A960"=C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe [2003-09-21 270336]
"VolControl"=C:\Program Files\Volume Control\Volume Control.exe [2007-01-24 102400]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"CyberLat Ram Cleaner"=C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1 []
"flockbox"=F:\My Lockbox\flockbox.exe /a []
"MRT"=C:\WINDOWS\system32\MRT.exe [2008-08-05 15888504]
"LSA Shellu"=C:\Documents and Settings\nancy\lsass.exe [2008-06-15 52224]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"{52bbc8da-ec77-26b2-4e49-c97178c95e6a}"=C:\WINDOWS\system32\brqoqoomirrfxziva.dll [2008-08-29 166400]
"BMa7a59ede"=C:\WINDOWS\system32\mvdwvnow.dll [2008-09-27 105984]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=C:\Documents and Settings\nancy\Desktop\utorrent.exe [2008-08-13 267056]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]
"Twain"=C:\Program Files\Twain\Twain.exe [2008-09-19 60928]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk.disabled - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ednwqa.dll nijfhj.dll bmqbnd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddCSMDtR]
C:\WINDOWS\system32\ddCSMDtR.dll [2008-09-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll []
"{DA2E0515-F0D5-4773-8191-400CCD50783B}"=C:\WINDOWS\system32\ddCSMDtR.dll [2008-09-18 34816]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\urqPfGAp
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe"="C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe:*:Enabled:artpschd"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\K1RFD\EchoLink\EchoLink.exe"="C:\Program Files\K1RFD\EchoLink\EchoLink.exe:*:Enabled:EchoLink"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\Program Files\Sierra\FEAR\FEAR.exe"="C:\Program Files\Sierra\FEAR\FEAR.exe:*:Enabled:FEAR"
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe"="C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Freeciv-2.0.9-gtk2\civserver.exe"="C:\Program Files\Freeciv-2.0.9-gtk2\civserver.exe:*:Enabled:civserver"
"C:\Documents and Settings\Nancy_2\Desktop\Freeciv-2.0.9-gtk2\civserver.exe"="C:\Documents and Settings\Nancy_2\Desktop\Freeciv-2.0.9-gtk2\civserver.exe:*:Disabled:civserver"
"C:\Documents and Settings\nancy\Desktop\Freeciv-2.0.9-gtk2\civserver.exe"="C:\Documents and Settings\nancy\Desktop\Freeciv-2.0.9-gtk2\civserver.exe:*:Enabled:civserver"
"C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\WinMX Music\WinMX Music.exe"="C:\Program Files\WinMX Music\WinMX Music.exe:*:Enabled:WinMX Music"
"C:\ClonkPlanet\clonk.c4x"="C:\ClonkPlanet\clonk.c4x:*:Enabled:Clonk Engine"
"C:\Program Files\Globulation_2\glob2.exe"="C:\Program Files\Globulation_2\glob2.exe:*:Enabled:glob2"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"F:\Freeciv-2.1.4-gtk2\civserver.exe"="F:\Freeciv-2.1.4-gtk2\civserver.exe:*:Enabled:civserver"
"C:\Documents and Settings\nancy\Desktop\utorrent.exe"="C:\Documents and Settings\nancy\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\nancy\Desktop\KMIVBR2\KMI.Cstore.exe"="C:\Documents and Settings\nancy\Desktop\KMIVBR2\KMI.Cstore.exe:*:Enabled: "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2008-09-27 20:04:33 ----D---- C:\rsit
2008-09-27 18:25:22 ----SH---- C:\WINDOWS\system32\blvxsasx.ini
2008-09-27 18:24:12 ----A---- C:\WINDOWS\system32\xsasxvlb.dll
2008-09-27 18:23:09 ----A---- C:\WINDOWS\system32\bmqbnd.dll
2008-09-27 18:22:25 ----A---- C:\WINDOWS\system32\mxovlqmp.dll
2008-09-27 18:21:00 ----A---- C:\WINDOWS\system32\mvdwvnow.dll
2008-09-27 17:19:56 ----A---- C:\WINDOWS\system32\vtULcbaY.dll
2008-09-27 17:19:56 ----A---- C:\WINDOWS\system32\byXOefgh.dll
2008-09-27 17:16:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-09-27 16:11:07 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-26 19:33:58 ----A---- C:\WINDOWS\system32\cpfitt.dll
2008-09-26 19:32:35 ----A---- C:\WINDOWS\system32\enyauakw.dll
2008-09-26 19:31:39 ----SH---- C:\WINDOWS\system32\kihvhbxk.ini
2008-09-26 19:28:27 ----A---- C:\WINDOWS\system32\wjlojfjv.dll
2008-09-25 20:22:49 ----SH---- C:\WINDOWS\system32\kycnkbuh.ini
2008-09-25 20:21:22 ----A---- C:\WINDOWS\system32\wvznag.dll
2008-09-25 20:20:12 ----A---- C:\WINDOWS\system32\wixyfius.dll
2008-09-25 20:19:02 ----A---- C:\WINDOWS\system32\ieqrjoxu.dll
2008-09-25 20:14:59 ----ASH---- C:\WINDOWS\system32\pAGfPqru.ini2
2008-09-25 20:14:58 ----ASH---- C:\WINDOWS\system32\pAGfPqru.ini
2008-09-24 22:41:43 ----A---- C:\WINDOWS\system32\tsggzi.dll
2008-09-24 22:41:42 ----A---- C:\WINDOWS\system32\tqmcwvhn.dll
2008-09-24 22:41:41 ----SH---- C:\WINDOWS\system32\wavuosre.ini
2008-09-24 20:57:25 ----SH---- C:\WINDOWS\system32\pxnhabof.ini
2008-09-24 20:57:04 ----A---- C:\WINDOWS\system32\fobahnxp.dll
2008-09-24 20:55:52 ----A---- C:\WINDOWS\system32\kjxmibsl.dll
2008-09-24 18:55:29 ----A---- C:\WINDOWS\system32\nijfhj.dll
2008-09-24 18:55:28 ----A---- C:\WINDOWS\system32\wsfxdmda.dll
2008-09-24 18:53:06 ----SH---- C:\WINDOWS\system32\jkloietj.ini
2008-09-23 21:37:04 ----A---- C:\WINDOWS\system32\brndrybe.dll
2008-09-22 20:34:14 ----A---- C:\WINDOWS\system32\ednwqa.dll
2008-09-22 20:33:27 ----SH---- C:\WINDOWS\system32\cwbxtlmj.ini
2008-09-22 20:33:23 ----A---- C:\WINDOWS\system32\yvtwntxn.dll
2008-09-22 20:32:31 ----A---- C:\WINDOWS\system32\jmltxbwc.dll
2008-09-22 20:30:08 ----A---- C:\WINDOWS\system32\iwrmjrjj.dll
2008-09-22 18:30:05 ----SH---- C:\WINDOWS\system32\raebthhb.ini
2008-09-22 18:29:36 ----N---- C:\WINDOWS\system32\bhhtbear.dll
2008-09-22 18:27:01 ----A---- C:\WINDOWS\system32\oztfvh.dll
2008-09-22 18:26:35 ----A---- C:\WINDOWS\system32\lccncmoj.dll
2008-09-22 18:24:24 ----A---- C:\WINDOWS\system32\qsrfloyf.dll
2008-09-22 18:22:02 ----N---- C:\WINDOWS\system32\urqPfGAp.dll
2008-09-22 18:07:05 ----A---- C:\WINDOWS\system32\tmp.txt
2008-09-22 18:06:20 ----A---- C:\rapport.txt
2008-09-21 18:52:15 ----SH---- C:\WINDOWS\system32\uDeLlnpo.ini
2008-09-21 18:51:53 ----A---- C:\WINDOWS\system32\ssqNEvtu.dll
2008-09-21 18:50:52 ----A---- C:\WINDOWS\system32\etlxsoup.dll
2008-09-21 18:50:33 ----A---- C:\WINDOWS\system32\goojpq.dll
2008-09-21 18:49:48 ----A---- C:\WINDOWS\system32\vxogrlwk.dll
2008-09-21 18:47:36 ----A---- C:\WINDOWS\system32\mvvehpph.dll
2008-09-21 00:02:12 ----A---- C:\WINDOWS\system32\rqRHyvSI.dll
2008-09-21 00:02:11 ----A---- C:\WINDOWS\system32\byXPJbyv.dll
2008-09-20 18:06:25 ----D---- C:\Program Files\Trend Micro
2008-09-19 19:51:39 ----SH---- C:\Program Files\Common Files\Yazzle3050OinUninstaller.exe
2008-09-19 19:51:33 ----D---- C:\Documents and Settings\nancy\Application Data\F?nts
2008-09-19 19:51:05 ----D---- C:\Program Files\OINAnalytics
2008-09-19 19:39:19 ----D---- C:\Documents and Settings\nancy\Application Data\SpeedRunner
2008-09-19 19:34:17 ----D---- C:\Program Files\Twain
2008-09-19 19:29:17 ----D---- C:\Program Files\Webtools
2008-09-19 19:24:19 ----D---- C:\Program Files\Mjcore
2008-09-19 16:51:30 ----A---- C:\WINDOWS\system32\XIlorXyb.tmp
2008-09-19 16:50:24 ----A---- C:\WINDOWS\system32\rqRKARJC.dll
2008-09-19 16:50:24 ----A---- C:\WINDOWS\system32\jkkLBrsP.dll
2008-09-19 16:47:27 ----A---- C:\WINDOWS\system32\gatdyjty.dll
2008-09-19 16:46:53 ----A---- C:\WINDOWS\system32\wqpfyk.dll
2008-09-19 16:44:57 ----A---- C:\WINDOWS\system32\gofjimgd.dll
2008-09-19 16:44:15 ----A---- C:\WINDOWS\system32\hgGabBrQ.dll
2008-09-19 16:44:14 ----A---- C:\WINDOWS\system32\hgGabArr.dll
2008-09-19 16:36:49 ----A---- C:\WINDOWS\pskt.ini
2008-09-19 16:36:43 ----A---- C:\WINDOWS\BMa7a59ede.txt
2008-09-19 16:36:22 ----A---- C:\WINDOWS\system32\cnclcedk.dll
2008-09-18 22:11:20 ----ASH---- C:\WINDOWS\system32\dddJlRCf.ini
2008-09-18 20:41:44 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-09-18 19:25:34 ----A---- C:\WINDOWS\system32\vksify.dll
2008-09-18 19:22:19 ----A---- C:\WINDOWS\system32\suwdajlv.dll
2008-09-18 19:21:41 ----SH---- C:\WINDOWS\system32\XIlorXyb.ini
2008-09-18 19:21:13 ----N---- C:\WINDOWS\system32\byXrolIX.dll
2008-09-18 19:21:12 ----A---- C:\WINDOWS\system32\vtUljKEX.dll
2008-09-18 19:18:57 ----A---- C:\WINDOWS\system32\imomgreb.dll
2008-09-18 19:18:00 ----A---- C:\WINDOWS\system32\afb5693c-.txt
2008-09-18 19:10:42 ----A---- C:\WINDOWS\faceback.exe
2008-09-18 19:09:41 ----A---- C:\WINDOWS\system32\fdzcpfskzdlocog.exe
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\winf
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\UES
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\p
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\np5
2008-09-18 19:04:14 ----D---- C:\WINDOWS\system32\mC02
2008-09-18 19:03:40 ----A---- C:\WINDOWS\system32\vTLddcCu.dll
2008-09-18 19:03:40 ----A---- C:\WINDOWS\system32\ddCSMDtR.dll
2008-09-16 09:56:36 ----A---- C:\WINDOWS\b116.exe
2008-09-12 16:36:13 ----D---- C:\Program Files\Galactic Capitalism
2008-09-12 11:21:12 ----SH---- C:\Program Files\Common Files\Yazzle3050OinAdmin.exe
2008-09-12 08:57:28 ----A---- C:\WINDOWS\b157.exe
2008-09-12 08:37:42 ----A---- C:\WINDOWS\b104.exe
2008-09-12 08:36:52 ----A---- C:\WINDOWS\b103.exe
2008-09-11 06:02:46 ----A---- C:\WINDOWS\b161.exe
2008-09-10 18:27:33 ----D---- C:\SIMLIFE
2008-09-05 19:58:22 ----D---- C:\Program Files\Axon Data
2008-08-31 23:37:42 ----D---- C:\Program Files\Risk
2008-08-31 21:57:14 ----D---- C:\Program Files\Phun
2008-08-30 22:28:24 ----D---- C:\Program Files\Zombie Cow Studios
2008-08-30 20:13:37 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-08-29 08:11:50 ----A---- C:\WINDOWS\system32\brqoqoomirrfxziva.dll
2008-08-28 22:40:49 ----D---- C:\CAESAR
2008-08-28 20:25:34 ----D---- C:\Program Files\VDMSound
======List of files/folders modified in the last 1 months======
2008-09-27 20:04:45 ----A---- C:\WINDOWS\ModemLog_BCM V.92 56K Modem.txt
2008-09-27 20:04:20 ----D---- C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-09-27 19:58:43 ----D---- C:\Documents and Settings\nancy\Application Data\uTorrent
2008-09-27 18:39:12 ----D---- C:\WINDOWS\system32
2008-09-27 18:25:30 ----D---- C:\WINDOWS\Prefetch
2008-09-27 18:19:30 ----D---- C:\WINDOWS\Temp
2008-09-27 17:16:45 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-27 17:16:24 ----D---- C:\WINDOWS
2008-09-27 17:16:02 ----D---- C:\WINDOWS\system32\drivers
2008-09-27 12:29:13 ----D---- C:\WINDOWS\Help
2008-09-25 19:51:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-09-24 22:54:44 ----D---- C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-09-23 20:56:29 ----A---- C:\WINDOWS\dellstat.ini
2008-09-23 20:34:33 ----SHD---- C:\WINDOWS\Installer
2008-09-23 20:33:45 ----DC---- C:\Config.Msi
2008-09-23 20:30:22 ----AC---- C:\WINDOWS\AuthMgr.INI
2008-09-23 20:28:16 ----D---- C:\Program Files\EarthLink TotalAccess
2008-09-22 18:25:53 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 18:05:40 ----D---- C:\WINDOWS\Desktop
2008-09-21 15:50:58 ----D---- C:\Documents and Settings
2008-09-21 14:04:23 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-09-20 23:38:33 ----HD---- C:\WINDOWS\inf
2008-09-20 23:38:25 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-20 23:36:02 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-09-20 23:01:45 ----AC---- C:\WINDOWS\wininit.ini
2008-09-20 21:53:24 ----SHD---- C:\System Volume Information
2008-09-20 21:53:24 ----D---- C:\WINDOWS\system32\Restore
2008-09-20 18:06:25 ----D---- C:\Program Files
2008-09-19 19:51:39 ----D---- C:\Program Files\Common Files
2008-09-18 19:09:38 ----D---- C:\temp
2008-09-18 19:03:06 ----A---- C:\WINDOWS\system.ini
2008-09-07 16:33:08 ----D---- C:\WINDOWS\system32\NtmsData
2008-08-30 20:13:42 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-08-28 18:04:12 ----D---- C:\Program Files\DOSBox-0.72
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 a3033;a3033; C:\WINDOWS\System32\drivers\a3033.sys [2008-09-18 86144]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2003-07-16 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver); C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys []
S3 apjxlbqm;apjxlbqm; C:\WINDOWS\system32\drivers\apjxlbqm.sys []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\System32\drivers\bvrp_pci.sys []
S3 BW2NDIS5;BW2NDIS5; C:\WINDOWS\System32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 oflpydin;oflpydin; \??\C:\DOCUME~1\nancy\LOCALS~1\Temp\oflpydin.sys []
S3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-04-05 11512]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-04-05 173208]
S3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-04-05 36984]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050920.038\symidsco.sys []
S3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-04-05 47192]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
S3 TIEHDUSB;TIEHDUSB; C:\WINDOWS\system32\drivers\tiehdusb.sys [2006-02-03 49536]
S3 VirtualFD;VirtualFD; \??\C:\Documents and Settings\nancy\Desktop\vfd21-050404\vfd.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 EarthLinkMonitor;EarthLink Monitor Service; C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-08-29 307200]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-01-17 822424]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe []
S2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe []
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe []
S4 WinDefend;Windows Defender Service; C:\Program Files\Windows Defender\MsMpEng.exe []
-----------------EOF-----------------
next file
info.txt logfile of random's system information tool 1.02 2008-09-27 20:05:00
======Uninstall list======
1.0-->"C:\Program Files\Carbiz demo\Carbiz\unins000.exe"
AC Circuits Challenge V5-->MsiExec.exe /I{090CC7E3-7AAD-4A79-B9E3-EFC545138A7E}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 Language Support-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
AQUAZONE "Virtual Aquarium Collection"-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6A9D7C4-1E5B-42FD-98F5-E067A942AEE1}\Setup.exe" -l0x9
AxCrypt (Remove Only)-->"C:\Program Files\Axon Data\AxCrypt\AxCryptU.exe"
Battle For Troy-->C:\PROGRA~1\BATTLE~2\UNWISE.EXE C:\PROGRA~1\BATTLE~2\INSTALL.LOG
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Ben There, Dan That!-->MsiExec.exe /I{1E2D1B31-C0E0-4663-B50A-1C92F696A09F}
Caesar 1.0-->MsiExec.exe /I{ECAB24D0-E56A-46B1-94AD-40813CC308A6}
CC_ccStart-->MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon-->MsiExec.exe /I{FF77A242-BC69-4A6D-ACE8-A1A2F2CD0824}
Cheat Engine 5.4-->"C:\Program Files\Cheat Engine\unins000.exe"
Clonk Planet-->C:\WINDOWS\system32\GKSUI18.EXE C:\ClonkPlanet\Uninstall4CAA.DAT
Conquest 3.1-->"C:\Program Files\Conquest\unins000.exe"
CyberLat RAM Cleaner 1.1.3-->"C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\unins000.exe"
DC Circuits Challenge V5-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ETCAI Products\DC Circuits Challenge V5\DeIsL1.isu" -c"C:\Program Files\ETCAI Products\DC Circuits Challenge V5\_ISREG32.DLL"
Dell AIO Printer A960-->C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBFUN5C.EXE -dDell AIO Printer A960
Dell Picture Studio - Dell Image Expert-->MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EarthLink Software-->"C:\Program Files\EarthLink TotalAccess\uninstll.exe" /W
EarthLink Toolbar-->MsiExec.exe /X{B8C2A83F-20B0-49D9-BA2B-6495DD8639ED}
Enhancement Browser Tools Bambanner-->C:\WINDOWS\system32\fdzcpfskzdlocog.exe
Free Download Manager 2.0-->"C:\Program Files\Free Download Manager\unins000.exe"
Freeciv 2.0.9 (GTK+ client)-->"C:\Program Files\Freeciv-2.0.9-gtk2\uninstall.exe"
F-Strippoker-->C:\Program Files\F-Strippoker\uninstall.exe
Galactic Capitalism-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Galactic Capitalism\ST5UNST.LOG"
Galcon 1.0-->"C:\Program Files\Galcon\unins000.exe"
GameBiz 2 Uninstall-->"C:\Program Files\GameBiz2\unins000.exe"
Globulation 2-->C:\Program Files\Globulation_2\glob2win32-uninst.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
GTK+ 2.8.18-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\unins000.exe"
Guerrilla War-->C:\Program Files\Guerrilla War\uninstall.exe
Hallmark Card Studio Special Edition-->MsiExec.exe /I{563FE39E-B4D7-4DC0-B443-97313128AEC0}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB928388)-->"C:\WINDOWS\$NtUninstallKB928388$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB929120)-->"C:\WINDOWS\$NtUninstallKB929120$\spuninst\spuninst.exe"
ieSpell-->"C:\Program Files\ieSpell\uninst.exe"
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lemonade Tycoon 2-->"C:\Program Files\Lemonade Tycoon 2\unins000.exe"
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Mall Tycoon-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Take2 Interactive\Mall Tycoon\Uninst.isu"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator for Windows 95-->"C:\Program Files\Microsoft Games\FS95\UNINSTAL.EXE" /runtemp
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Publisher 2003-->MsiExec.exe /I{91190409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSRedist-->MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
Multisim 2001 Textbook Edition-->C:\WINDOWS\IsUninst.exe -fC:\Multisim\Uninst.isu
Multisim sample circuits-->C:\WINDOWS\IsUninst.exe -fC:\Multisim\Samples\Msmsamp.isu
Norton Internet Security-->MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Nuclear Power 1.3-->C:\Program Files\Nuclear Power\uninst.exe
OIN Analytics-->C:\Program Files\OINAnalytics\Uninstall.exe
Omega M-17 Standard-->C:\PROGRA~1\M17\UNWISE.EXE C:\PROGRA~1\M17\INSTALL.LOG
OpenOffice.org 2.3-->MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
Paint.NET v3.10-->MsiExec.exe /X{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}
Phun beta 4.22-->"C:\Program Files\Phun\unins000.exe"
Power Supply Challenge-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ETCAI Products\Power Supply Challenge\DeIsL1.isu" -c"C:\Program Files\ETCAI Products\Power Supply Challenge\_ISREG32.DLL"
Print to Fax-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BF2B19D-9C79-492A-8969-F059F06A627F}\setup.exe" -l0x9 ControlPanel
Prison Tycoon-->C:\Program Files\Prison Tycoon\data\gvnUninstaller.exe
RunAlyzer-->"C:\Program Files\Safer Networking\RunAlyzer\unins000.exe"
Salient: Supply & Command-->F:\Salient\Uninstall.exe
School Tycoon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CFFE053-748A-44DC-A248-06EA38E4BC03}\setup.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926247)-->"C:\WINDOWS\$NtUninstallKB926247$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
SimCity 2000-->MsiExec.exe /I{8D52E0F9-17A0-493B-8692-937381DDB62B}
Sk8Park-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Sk8Park\ST5UNST.LOG"
Sk8park2-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Sk8park2\ST5UNST.LOG"
Solar Wars v1.40-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Solar Wars\ST6UNST.LOG"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Space MAX 1.0-->"C:\Program Files\SpaceMAX\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
T.H.U.G.S.-->"C:\Program Files\T.H.U.G.S.\unins000.exe"
Tabloid Tycoon (remove only)-->"C:\Program Files\Valusoft\Tabloid Tycoon\Uninstall.exe"
The lost Castle-->C:\The lost Castle\Uninstal.exe
The Tower of Babel-->MsiExec.exe /I{F5C8A97C-CAB7-45BD-8791-3B7CA70A67C7}
The Ur-Quan Masters 0.6.2-->C:\Program Files\The Ur-Quan Masters\uninst.exe
TV Manager (Demo)-->"C:\Program Files\TV Manager Demo\unins000.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB900930)-->"C:\WINDOWS\$NtUninstallKB900930$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB912945)-->"C:\WINDOWS\$NtUninstallKB912945$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920342)-->"C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VDMSound-->C:\Program Files\VDMSound\uninst.exe
Virtual U-->"C:\Program Files\Virtual U\setup\UNWISE.EXE" "C:\PROGRA~1\VIRTUA~1\INSTALL.LOG"
Volume Control-->MsiExec.exe /I{C937244C-5CD1-4567-92CD-38E7E966B894}
VSP-Poker-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\VSP-Poker\ST5UNST.LOG"
Widelands Build11-->"C:\Program Files\Widelands\unins000.exe"
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Defender-->MsiExec.exe /I{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Installer Clean Up-->MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Connect-->"C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 11-->MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
======Hosts File======
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
======Security center information======
AV: Authentium Antivirus (outdated)
FW: Authentium Firewall (disabled)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\VDMSound
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0209
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"LANG"=C
"VDMSPath"=C:\Program Files\VDMSound
-----------------EOF-----------------
Sorry for delay, I have missed your reply.
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
uTorrent
I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these afterwards:
C:\Documents and Settings\nancy\Desktop\utorrent.exe
C:\Program Files\uTorrent
C:\Documents and Settings\nancy\Application Data\uTorrent
Delete info.txt in RSIT folder
Please run a new RSIT scan when finished and post logs back here.
i deleted utorent
Logfile of random's system information tool 1.02 (written by random/random)
Run by nancy at 2008-10-02 19:53:01
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 54 GB (70%) free of 76 GB
Total RAM: 247 MB (44% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:19 PM, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Documents and Settings\nancy\lsass.exe
C:\Program Files\Twain\Twain.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nancy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\nancy.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = cobra
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {05EEDBFD-EA8F-4995-A928-6B421DFB172B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {1C85FC89-C3D5-4A63-B03F-A560A80B468B} - C:\WINDOWS\system32\urqPfGAp.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7F86C548-8046-4A4D-BB63-73DD15868F4A} - (no file)
O2 - BHO: {159d7cfe-1b67-e3fa-3ec4-bd85d01ddd19} - {91ddd10d-58db-4ce3-af3e-76b1efc7d951} - C:\WINDOWS\system32\ivnsya.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {B40FDC41-705E-4522-A804-FEB9DBB123A3} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {DA2E0515-F0D5-4773-8191-400CCD50783B} - C:\WINDOWS\system32\ddCSMDtR.dll
O2 - BHO: (no name) - {DD6962B9-D871-4AC5-B2F6-06CD654A360D} - (no file)
O2 - BHO: (no name) - {E586C5FF-E734-4984-95FF-92BC87AC75EF} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {EBDD2E69-2FB9-4B0D-AC49-D63883857DFA} - (no file)
O2 - BHO: (no name) - {EF8DFF1A-05E9-456F-9387-4EDE47EDFEA5} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [flockbox] F:\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\nancy\lsass.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BMa7a59ede] Rundll32.exe "C:\WINDOWS\system32\rvxwruli.dll",s
O4 - HKLM\..\Run: [a496ad42] rundll32.exe "C:\WINDOWS\system32\kiqlpyto.dll",b
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\nancy\Desktop\utorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ednwqa.dll nijfhj.dll ivnsya.dll
O20 - Winlogon Notify: ddCSMDtR - C:\WINDOWS\SYSTEM32\ddCSMDtR.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10260 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05EEDBFD-EA8F-4995-A928-6B421DFB172B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15F4D456-5BAA-4076-8486-EECB38CD3E57}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C85FC89-C3D5-4A63-B03F-A560A80B468B}]
C:\WINDOWS\system32\urqPfGAp.dll [2008-09-22 284672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{206E52E0-D52E-11D4-AD54-0000E86C26F6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
OIN Analytics - C:\Program Files\OINAnalytics\OINAnalytics.dll [2008-09-12 229376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F86C548-8046-4A4D-BB63-73DD15868F4A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91ddd10d-58db-4ce3-af3e-76b1efc7d951}]
C:\WINDOWS\system32\ivnsya.dll [2008-10-02 114688]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B40FDC41-705E-4522-A804-FEB9DBB123A3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA2E0515-F0D5-4773-8191-400CCD50783B}]
C:\WINDOWS\system32\ddCSMDtR.dll [2008-09-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD6962B9-D871-4AC5-B2F6-06CD654A360D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E586C5FF-E734-4984-95FF-92BC87AC75EF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBDD2E69-2FB9-4B0D-AC49-D63883857DFA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF8DFF1A-05E9-456F-9387-4EDE47EDFEA5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46c4-B683-905236F6F655}
{C7768536-96F8-4001-B1A2-90EE21279187} - EarthLink Toolbar - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll [2005-03-03 173136]
{ED0E8CA5-42FB-4B18-997B-769E0408E79D} - FreshDownload Bar - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll []
{9FB3908C-6565-4CB0-95F8-E9F85258723C}
{014DA6C9-189F-421a-88CD-07CFE51CFF10}
{6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16}
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A960"=C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe [2003-09-21 270336]
"VolControl"=C:\Program Files\Volume Control\Volume Control.exe [2007-01-24 102400]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"CyberLat Ram Cleaner"=C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1 []
"flockbox"=F:\My Lockbox\flockbox.exe /a []
"LSA Shellu"=C:\Documents and Settings\nancy\lsass.exe [2008-06-15 52224]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-19 155648]
"BMa7a59ede"=C:\WINDOWS\system32\rvxwruli.dll [2008-10-02 105472]
"a496ad42"=C:\WINDOWS\system32\kiqlpyto.dll [2008-10-02 73728]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=C:\Documents and Settings\nancy\Desktop\utorrent.exe []
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]
"Twain"=C:\Program Files\Twain\Twain.exe [2008-09-19 60928]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk.disabled - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ednwqa.dll nijfhj.dll ivnsya.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddCSMDtR]
C:\WINDOWS\system32\ddCSMDtR.dll [2008-09-18 34816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll []
"{DA2E0515-F0D5-4773-8191-400CCD50783B}"=C:\WINDOWS\system32\ddCSMDtR.dll [2008-09-18 34816]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\urqPfGAp
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe"="C:\Program Files\Common Files\PocketSoft\RTPatch\AutoRTP\artpschd.exe:*:Enabled:artpschd"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\K1RFD\EchoLink\EchoLink.exe"="C:\Program Files\K1RFD\EchoLink\EchoLink.exe:*:Enabled:EchoLink"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\Program Files\Sierra\FEAR\FEAR.exe"="C:\Program Files\Sierra\FEAR\FEAR.exe:*:Enabled:FEAR"
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe"="C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Freeciv-2.0.9-gtk2\civserver.exe"="C:\Program Files\Freeciv-2.0.9-gtk2\civserver.exe:*:Enabled:civserver"
"C:\Documents and Settings\Nancy_2\Desktop\Freeciv-2.0.9-gtk2\civserver.exe"="C:\Documents and Settings\Nancy_2\Desktop\Freeciv-2.0.9-gtk2\civserver.exe:*:Disabled:civserver"
"C:\Documents and Settings\nancy\Desktop\Freeciv-2.0.9-gtk2\civserver.exe"="C:\Documents and Settings\nancy\Desktop\Freeciv-2.0.9-gtk2\civserver.exe:*:Enabled:civserver"
"C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\WinMX Music\WinMX Music.exe"="C:\Program Files\WinMX Music\WinMX Music.exe:*:Enabled:WinMX Music"
"C:\ClonkPlanet\clonk.c4x"="C:\ClonkPlanet\clonk.c4x:*:Enabled:Clonk Engine"
"C:\Program Files\Globulation_2\glob2.exe"="C:\Program Files\Globulation_2\glob2.exe:*:Enabled:glob2"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"F:\Freeciv-2.1.4-gtk2\civserver.exe"="F:\Freeciv-2.1.4-gtk2\civserver.exe:*:Enabled:civserver"
"C:\Documents and Settings\nancy\Desktop\utorrent.exe"="C:\Documents and Settings\nancy\Desktop\utorrent.exe:*:Enabled:µTorrent"
"C:\Documents and Settings\nancy\Desktop\KMIVBR2\KMI.Cstore.exe"="C:\Documents and Settings\nancy\Desktop\KMIVBR2\KMI.Cstore.exe:*:Enabled: "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0349ac28-2945-11dd-ad90-e1fb8d0daab6}]
shell\Auto\command - F:\Start.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
======List of files/folders created in the last 1 months======
2008-10-02 19:26:58 ----D---- C:\Documents and Settings\nancy\Application Data\uTorrent
2008-10-02 19:14:31 ----SH---- C:\WINDOWS\system32\otyplqik.ini2
2008-10-02 19:14:22 ----ASH---- C:\WINDOWS\system32\otyplqik.tmp
2008-10-02 19:14:04 ----N---- C:\WINDOWS\system32\kiqlpyto.dll
2008-10-02 19:13:41 ----A---- C:\WINDOWS\system32\ivnsya.dll
2008-10-02 19:13:19 ----A---- C:\WINDOWS\system32\esbowfsn.dll
2008-10-02 19:11:39 ----A---- C:\WINDOWS\system32\rvxwruli.dll
2008-10-02 18:55:18 ----A---- C:\WINDOWS\system32\yvuool.dll
2008-10-02 18:54:57 ----A---- C:\WINDOWS\system32\rpgnsmdl.dll
2008-10-02 18:52:13 ----SH---- C:\WINDOWS\system32\lorcadnf.ini
2008-10-02 18:51:57 ----N---- C:\WINDOWS\system32\fndacrol.dll
2008-10-02 18:49:44 ----A---- C:\WINDOWS\system32\hodppveo.dll
2008-10-01 20:56:13 ----SH---- C:\WINDOWS\system32\gteyosve.ini
2008-10-01 18:49:59 ----A---- C:\WINDOWS\system32\mbnbdf.dll
2008-10-01 18:49:31 ----A---- C:\WINDOWS\system32\whmeujrt.dll
2008-10-01 18:47:27 ----A---- C:\WINDOWS\system32\yfddxgbd.dll
2008-09-30 18:54:18 ----A---- C:\WINDOWS\system32\sfyoyt.dll
2008-09-30 18:53:47 ----A---- C:\WINDOWS\system32\nxjxvhbg.dll
2008-09-30 18:51:57 ----SH---- C:\WINDOWS\system32\rctcmkoq.ini
2008-09-30 18:50:41 ----A---- C:\WINDOWS\system32\souxomxp.dll
2008-09-30 18:48:11 ----A---- C:\WINDOWS\system32\katxfm.dll
2008-09-30 18:47:45 ----A---- C:\WINDOWS\system32\rwtvjiqk.dll
2008-09-30 18:45:54 ----SH---- C:\WINDOWS\system32\poedytwm.ini
2008-09-30 18:45:23 ----A---- C:\WINDOWS\system32\tuvTjHAp.dll
2008-09-30 18:45:23 ----A---- C:\WINDOWS\system32\opnoLDWm.dll
2008-09-30 18:42:08 ----A---- C:\WINDOWS\system32\ymvnkxtd.dll
2008-09-29 17:36:59 ----SH---- C:\WINDOWS\system32\femmierk.ini
2008-09-29 17:36:13 ----A---- C:\WINDOWS\system32\fsobtpwt.dll
2008-09-29 17:04:48 ----A---- C:\WINDOWS\system32\uoffks.dll
2008-09-29 17:04:26 ----A---- C:\WINDOWS\system32\kvaaqfxg.dll
2008-09-29 17:03:44 ----SH---- C:\WINDOWS\system32\etwwagyc.ini
2008-09-29 17:01:30 ----A---- C:\WINDOWS\system32\kxhycuoy.dll
2008-09-29 16:56:37 ----SH---- C:\WINDOWS\system32\xouyerfk.ini
2008-09-29 16:55:37 ----N---- C:\WINDOWS\system32\kfreyuox.dll
2008-09-29 16:54:59 ----D---- C:\WINDOWS\system32\EV02
2008-09-29 16:53:57 ----A---- C:\WINDOWS\system32\ivxtws.dll
2008-09-29 16:53:35 ----A---- C:\WINDOWS\system32\urqRLBUM.dll
2008-09-29 16:53:35 ----A---- C:\WINDOWS\system32\rqRJDwXP.dll
2008-09-29 16:53:06 ----A---- C:\WINDOWS\system32\pbhsbcvi.dll
2008-09-29 16:50:18 ----A---- C:\WINDOWS\system32\cqaitvkv.dll
2008-09-28 16:33:42 ----A---- C:\WINDOWS\system32\lqdcdl.dll
2008-09-28 16:33:42 ----A---- C:\WINDOWS\system32\bbjtrlcv.dll
2008-09-28 16:31:07 ----SH---- C:\WINDOWS\system32\bwwctmqe.ini
2008-09-28 16:30:58 ----A---- C:\WINDOWS\system32\dnvnrgdg.dll
2008-09-28 09:27:03 ----ASH---- C:\WINDOWS\system32\pAGfPqru.ini2
2008-09-27 20:04:33 ----D---- C:\rsit
2008-09-27 18:25:22 ----SH---- C:\WINDOWS\system32\blvxsasx.ini
2008-09-27 18:24:12 ----A---- C:\WINDOWS\system32\xsasxvlb.dll
2008-09-27 18:23:09 ----A---- C:\WINDOWS\system32\bmqbnd.dll
2008-09-27 18:22:25 ----A---- C:\WINDOWS\system32\mxovlqmp.dll
2008-09-27 18:21:00 ----A---- C:\WINDOWS\system32\mvdwvnow.dll
2008-09-27 17:19:56 ----A---- C:\WINDOWS\system32\vtULcbaY.dll
2008-09-27 17:19:56 ----A---- C:\WINDOWS\system32\byXOefgh.dll
2008-09-27 17:16:24 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-09-27 16:11:07 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-26 19:33:58 ----A---- C:\WINDOWS\system32\cpfitt.dll
2008-09-26 19:32:35 ----A---- C:\WINDOWS\system32\enyauakw.dll
2008-09-26 19:31:39 ----SH---- C:\WINDOWS\system32\kihvhbxk.ini
2008-09-26 19:28:27 ----A---- C:\WINDOWS\system32\wjlojfjv.dll
2008-09-25 20:22:49 ----SH---- C:\WINDOWS\system32\kycnkbuh.ini
2008-09-25 20:21:22 ----A---- C:\WINDOWS\system32\wvznag.dll
2008-09-25 20:20:12 ----A---- C:\WINDOWS\system32\wixyfius.dll
2008-09-25 20:19:02 ----A---- C:\WINDOWS\system32\ieqrjoxu.dll
2008-09-25 20:14:58 ----ASH---- C:\WINDOWS\system32\pAGfPqru.ini
2008-09-24 22:41:43 ----A---- C:\WINDOWS\system32\tsggzi.dll
2008-09-24 22:41:42 ----A---- C:\WINDOWS\system32\tqmcwvhn.dll
2008-09-24 22:41:41 ----SH---- C:\WINDOWS\system32\wavuosre.ini
2008-09-24 20:57:25 ----SH---- C:\WINDOWS\system32\pxnhabof.ini
2008-09-24 20:57:04 ----A---- C:\WINDOWS\system32\fobahnxp.dll
2008-09-24 20:55:52 ----A---- C:\WINDOWS\system32\kjxmibsl.dll
2008-09-24 18:55:29 ----A---- C:\WINDOWS\system32\nijfhj.dll
2008-09-24 18:55:28 ----A---- C:\WINDOWS\system32\wsfxdmda.dll
2008-09-24 18:53:06 ----SH---- C:\WINDOWS\system32\jkloietj.ini
2008-09-23 21:37:04 ----A---- C:\WINDOWS\system32\brndrybe.dll
2008-09-22 20:34:14 ----A---- C:\WINDOWS\system32\ednwqa.dll
2008-09-22 20:33:27 ----SH---- C:\WINDOWS\system32\cwbxtlmj.ini
2008-09-22 20:33:23 ----A---- C:\WINDOWS\system32\yvtwntxn.dll
2008-09-22 20:32:31 ----A---- C:\WINDOWS\system32\jmltxbwc.dll
2008-09-22 20:30:08 ----A---- C:\WINDOWS\system32\iwrmjrjj.dll
2008-09-22 18:30:05 ----SH---- C:\WINDOWS\system32\raebthhb.ini
2008-09-22 18:29:36 ----N---- C:\WINDOWS\system32\bhhtbear.dll
2008-09-22 18:27:01 ----A---- C:\WINDOWS\system32\oztfvh.dll
2008-09-22 18:26:35 ----A---- C:\WINDOWS\system32\lccncmoj.dll
2008-09-22 18:24:24 ----A---- C:\WINDOWS\system32\qsrfloyf.dll
2008-09-22 18:22:02 ----N---- C:\WINDOWS\system32\urqPfGAp.dll
2008-09-22 18:07:05 ----A---- C:\WINDOWS\system32\tmp.txt
2008-09-22 18:06:20 ----A---- C:\rapport.txt
2008-09-21 18:52:15 ----SH---- C:\WINDOWS\system32\uDeLlnpo.ini
2008-09-21 18:51:53 ----A---- C:\WINDOWS\system32\ssqNEvtu.dll
2008-09-21 18:50:52 ----A---- C:\WINDOWS\system32\etlxsoup.dll
2008-09-21 18:50:33 ----A---- C:\WINDOWS\system32\goojpq.dll
2008-09-21 18:49:48 ----A---- C:\WINDOWS\system32\vxogrlwk.dll
2008-09-21 18:47:36 ----A---- C:\WINDOWS\system32\mvvehpph.dll
2008-09-21 00:02:12 ----A---- C:\WINDOWS\system32\rqRHyvSI.dll
2008-09-21 00:02:11 ----A---- C:\WINDOWS\system32\byXPJbyv.dll
2008-09-20 18:06:25 ----D---- C:\Program Files\Trend Micro
2008-09-19 19:51:39 ----SH---- C:\Program Files\Common Files\Yazzle3050OinUninstaller.exe
2008-09-19 19:51:33 ----D---- C:\Documents and Settings\nancy\Application Data\F?nts
2008-09-19 19:51:05 ----D---- C:\Program Files\OINAnalytics
2008-09-19 19:39:19 ----D---- C:\Documents and Settings\nancy\Application Data\SpeedRunner
2008-09-19 19:34:17 ----D---- C:\Program Files\Twain
2008-09-19 19:29:17 ----D---- C:\Program Files\Webtools
2008-09-19 19:24:19 ----D---- C:\Program Files\Mjcore
2008-09-19 16:51:30 ----A---- C:\WINDOWS\system32\XIlorXyb.tmp
2008-09-19 16:50:24 ----A---- C:\WINDOWS\system32\rqRKARJC.dll
2008-09-19 16:50:24 ----A---- C:\WINDOWS\system32\jkkLBrsP.dll
2008-09-19 16:47:27 ----A---- C:\WINDOWS\system32\gatdyjty.dll
2008-09-19 16:46:53 ----A---- C:\WINDOWS\system32\wqpfyk.dll
2008-09-19 16:44:57 ----A---- C:\WINDOWS\system32\gofjimgd.dll
2008-09-19 16:44:15 ----A---- C:\WINDOWS\system32\hgGabBrQ.dll
2008-09-19 16:44:14 ----A---- C:\WINDOWS\system32\hgGabArr.dll
2008-09-19 16:36:49 ----A---- C:\WINDOWS\pskt.ini
2008-09-19 16:36:43 ----A---- C:\WINDOWS\BMa7a59ede.txt
2008-09-19 16:36:22 ----A---- C:\WINDOWS\system32\cnclcedk.dll
2008-09-18 22:11:20 ----ASH---- C:\WINDOWS\system32\dddJlRCf.ini
2008-09-18 20:41:44 ----A---- C:\WINDOWS\system32\mcrh.tmp
2008-09-18 19:25:34 ----A---- C:\WINDOWS\system32\vksify.dll
2008-09-18 19:22:19 ----A---- C:\WINDOWS\system32\suwdajlv.dll
2008-09-18 19:21:41 ----SH---- C:\WINDOWS\system32\XIlorXyb.ini
2008-09-18 19:21:13 ----N---- C:\WINDOWS\system32\byXrolIX.dll
2008-09-18 19:21:12 ----A---- C:\WINDOWS\system32\vtUljKEX.dll
2008-09-18 19:18:57 ----A---- C:\WINDOWS\system32\imomgreb.dll
2008-09-18 19:18:00 ----A---- C:\WINDOWS\system32\afb5693c-.txt
2008-09-18 19:10:42 ----A---- C:\WINDOWS\faceback.exe
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\winf
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\UES
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\p
2008-09-18 19:09:14 ----D---- C:\WINDOWS\system32\np5
2008-09-18 19:04:14 ----D---- C:\WINDOWS\system32\mC02
2008-09-18 19:03:40 ----A---- C:\WINDOWS\system32\vTLddcCu.dll
2008-09-18 19:03:40 ----A---- C:\WINDOWS\system32\ddCSMDtR.dll
2008-09-16 09:56:36 ----A---- C:\WINDOWS\b116.exe
2008-09-12 16:36:13 ----D---- C:\Program Files\Galactic Capitalism
2008-09-12 11:21:12 ----SH---- C:\Program Files\Common Files\Yazzle3050OinAdmin.exe
2008-09-12 08:57:28 ----A---- C:\WINDOWS\b157.exe
2008-09-12 08:37:42 ----A---- C:\WINDOWS\b104.exe
2008-09-12 08:36:52 ----A---- C:\WINDOWS\b103.exe
2008-09-11 06:02:46 ----A---- C:\WINDOWS\b161.exe
2008-09-10 18:27:33 ----D---- C:\SIMLIFE
2008-09-05 19:58:22 ----D---- C:\Program Files\Axon Data
======List of files/folders modified in the last 1 months======
2008-10-02 19:52:29 ----A---- C:\WINDOWS\ModemLog_BCM V.92 56K Modem.txt
2008-10-02 19:20:41 ----D---- C:\WINDOWS\system32
2008-10-02 19:18:59 ----D---- C:\WINDOWS\Temp
2008-10-02 19:14:35 ----D---- C:\Program Files
2008-10-01 21:29:38 ----D---- C:\WINDOWS\Prefetch
2008-10-01 20:32:25 ----D---- C:\Program Files\The Tower of Babel
2008-10-01 19:15:34 ----D---- C:\WINDOWS
2008-10-01 18:38:36 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-29 16:59:01 ----D---- C:\temp
2008-09-28 23:19:21 ----D---- C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-09-28 22:52:30 ----D---- C:\WINDOWS\Desktop
2008-09-27 17:16:02 ----D---- C:\WINDOWS\system32\drivers
2008-09-27 12:29:13 ----D---- C:\WINDOWS\Help
2008-09-25 19:51:19 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-09-24 22:54:44 ----D---- C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-09-23 20:56:29 ----A---- C:\WINDOWS\dellstat.ini
2008-09-23 20:34:33 ----SHD---- C:\WINDOWS\Installer
2008-09-23 20:33:45 ----DC---- C:\Config.Msi
2008-09-23 20:30:22 ----AC---- C:\WINDOWS\AuthMgr.INI
2008-09-23 20:28:16 ----D---- C:\Program Files\EarthLink TotalAccess
2008-09-22 18:25:53 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 15:50:58 ----D---- C:\Documents and Settings
2008-09-21 14:04:23 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-09-20 23:38:33 ----HD---- C:\WINDOWS\inf
2008-09-20 23:38:25 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-20 23:36:02 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-09-20 23:01:45 ----AC---- C:\WINDOWS\wininit.ini
2008-09-20 21:53:24 ----SHD---- C:\System Volume Information
2008-09-20 21:53:24 ----D---- C:\WINDOWS\system32\Restore
2008-09-20 12:40:37 ----D---- C:\Program Files\Phun
2008-09-19 19:51:39 ----D---- C:\Program Files\Common Files
2008-09-18 19:03:06 ----A---- C:\WINDOWS\system.ini
2008-09-07 16:33:08 ----D---- C:\WINDOWS\system32\NtmsData
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 a3033;a3033; C:\WINDOWS\System32\drivers\a3033.sys [2008-09-18 86144]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2003-07-16 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 aci5oqw2;aci5oqw2; C:\WINDOWS\system32\drivers\aci5oqw2.sys []
S3 ADSFilter;ADSFilter - (Aluria Filter Driver); C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\System32\drivers\bvrp_pci.sys []
S3 BW2NDIS5;BW2NDIS5; C:\WINDOWS\System32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 oflpydin;oflpydin; \??\C:\DOCUME~1\nancy\LOCALS~1\Temp\oflpydin.sys []
S3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-04-05 11512]
S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
S3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-04-05 173208]
S3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-04-05 36984]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050920.038\symidsco.sys []
S3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-04-05 47192]
S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
S3 TIEHDUSB;TIEHDUSB; C:\WINDOWS\system32\drivers\tiehdusb.sys [2006-02-03 49536]
S3 VirtualFD;VirtualFD; \??\C:\Documents and Settings\nancy\Desktop\vfd21-050404\vfd.sys []
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-04 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-07-16 12032]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 EarthLinkMonitor;EarthLink Monitor Service; C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-08-29 307200]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-01-17 822424]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe []
S2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe []
S2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe []
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe []
S4 WinDefend;Windows Defender Service; C:\Program Files\Windows Defender\MsMpEng.exe []
-----------------EOF-----------------
apparently together they make too long of a post
info.txt logfile of random's system information tool 1.02 2008-10-02 19:53:27
======Uninstall list======
1.0-->"C:\Program Files\Carbiz demo\Carbiz\unins000.exe"
AC Circuits Challenge V5-->MsiExec.exe /I{090CC7E3-7AAD-4A79-B9E3-EFC545138A7E}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 Language Support-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
AQUAZONE "Virtual Aquarium Collection"-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6A9D7C4-1E5B-42FD-98F5-E067A942AEE1}\Setup.exe" -l0x9
AxCrypt (Remove Only)-->"C:\Program Files\Axon Data\AxCrypt\AxCryptU.exe"
Battle For Troy-->C:\PROGRA~1\BATTLE~2\UNWISE.EXE C:\PROGRA~1\BATTLE~2\INSTALL.LOG
BCM V.92 56K Modem-->C:\WINDOWS\BCMSMU.exe quiet
Ben There, Dan That!-->MsiExec.exe /I{1E2D1B31-C0E0-4663-B50A-1C92F696A09F}
Caesar 1.0-->MsiExec.exe /I{ECAB24D0-E56A-46B1-94AD-40813CC308A6}
CC_ccStart-->MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon-->MsiExec.exe /I{FF77A242-BC69-4A6D-ACE8-A1A2F2CD0824}
Cheat Engine 5.4-->"C:\Program Files\Cheat Engine\unins000.exe"
Clonk Planet-->C:\WINDOWS\system32\GKSUI18.EXE C:\ClonkPlanet\Uninstall4CAA.DAT
Conquest 3.1-->"C:\Program Files\Conquest\unins000.exe"
CyberLat RAM Cleaner 1.1.3-->"C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\unins000.exe"
DC Circuits Challenge V5-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ETCAI Products\DC Circuits Challenge V5\DeIsL1.isu" -c"C:\Program Files\ETCAI Products\DC Circuits Challenge V5\_ISREG32.DLL"
Dell AIO Printer A960-->C:\WINDOWS\System32\spool\drivers\w32x86\3\DLBFUN5C.EXE -dDell AIO Printer A960
Dell Picture Studio - Dell Image Expert-->MsiExec.exe /I{151C555A-A9E7-4A2E-B6D7-165D04A3C956}
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
EarthLink Software-->"C:\Program Files\EarthLink TotalAccess\uninstll.exe" /W
EarthLink Toolbar-->MsiExec.exe /X{B8C2A83F-20B0-49D9-BA2B-6495DD8639ED}
Free Download Manager 2.0-->"C:\Program Files\Free Download Manager\unins000.exe"
Freeciv 2.0.9 (GTK+ client)-->"C:\Program Files\Freeciv-2.0.9-gtk2\uninstall.exe"
F-Strippoker-->C:\Program Files\F-Strippoker\uninstall.exe
Galactic Capitalism-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Galactic Capitalism\ST5UNST.LOG"
Galcon 1.0-->"C:\Program Files\Galcon\unins000.exe"
GameBiz 2 Uninstall-->"C:\Program Files\GameBiz2\unins000.exe"
Globulation 2-->C:\Program Files\Globulation_2\glob2win32-uninst.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
GTK+ 2.8.18-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\unins000.exe"
Guerrilla War-->C:\Program Files\Guerrilla War\uninstall.exe
Hallmark Card Studio Special Edition-->MsiExec.exe /I{563FE39E-B4D7-4DC0-B443-97313128AEC0}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB928388)-->"C:\WINDOWS\$NtUninstallKB928388$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB929120)-->"C:\WINDOWS\$NtUninstallKB929120$\spuninst\spuninst.exe"
ieSpell-->"C:\Program Files\ieSpell\uninst.exe"
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lemonade Tycoon 2-->"C:\Program Files\Lemonade Tycoon 2\unins000.exe"
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Mall Tycoon-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Take2 Interactive\Mall Tycoon\Uninst.isu"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator for Windows 95-->"C:\Program Files\Microsoft Games\FS95\UNINSTAL.EXE" /runtemp
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Publisher 2003-->MsiExec.exe /I{91190409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MSRedist-->MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
Multisim 2001 Textbook Edition-->C:\WINDOWS\IsUninst.exe -fC:\Multisim\Uninst.isu
Multisim sample circuits-->C:\WINDOWS\IsUninst.exe -fC:\Multisim\Samples\Msmsamp.isu
Norton Internet Security-->MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Nuclear Power 1.3-->C:\Program Files\Nuclear Power\uninst.exe
OIN Analytics-->C:\Program Files\OINAnalytics\Uninstall.exe
Omega M-17 Standard-->C:\PROGRA~1\M17\UNWISE.EXE C:\PROGRA~1\M17\INSTALL.LOG
OpenOffice.org 2.3-->MsiExec.exe /I{83C03FBE-4492-4133-BBAB-421CD88ADA32}
Paint.NET v3.10-->MsiExec.exe /X{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}
Phun beta 4.22-->"C:\Program Files\Phun\unins000.exe"
Power Supply Challenge-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ETCAI Products\Power Supply Challenge\DeIsL1.isu" -c"C:\Program Files\ETCAI Products\Power Supply Challenge\_ISREG32.DLL"
Print to Fax-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5BF2B19D-9C79-492A-8969-F059F06A627F}\setup.exe" -l0x9 ControlPanel
Prison Tycoon-->C:\Program Files\Prison Tycoon\data\gvnUninstaller.exe
RunAlyzer-->"C:\Program Files\Safer Networking\RunAlyzer\unins000.exe"
Salient: Supply & Command-->F:\Salient\Uninstall.exe
School Tycoon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CFFE053-748A-44DC-A248-06EA38E4BC03}\setup.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926247)-->"C:\WINDOWS\$NtUninstallKB926247$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
SimCity 2000-->MsiExec.exe /I{8D52E0F9-17A0-493B-8692-937381DDB62B}
Sk8Park-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Sk8Park\ST5UNST.LOG"
Sk8park2-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\Sk8park2\ST5UNST.LOG"
Solar Wars v1.40-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Solar Wars\ST6UNST.LOG"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Space MAX 1.0-->"C:\Program Files\SpaceMAX\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
T.H.U.G.S.-->"C:\Program Files\T.H.U.G.S.\unins000.exe"
Tabloid Tycoon (remove only)-->"C:\Program Files\Valusoft\Tabloid Tycoon\Uninstall.exe"
The lost Castle-->C:\The lost Castle\Uninstal.exe
The Tower of Babel-->MsiExec.exe /I{F5C8A97C-CAB7-45BD-8791-3B7CA70A67C7}
The Ur-Quan Masters 0.6.2-->C:\Program Files\The Ur-Quan Masters\uninst.exe
TV Manager (Demo)-->"C:\Program Files\TV Manager Demo\unins000.exe"
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB900930)-->"C:\WINDOWS\$NtUninstallKB900930$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB912945)-->"C:\WINDOWS\$NtUninstallKB912945$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920342)-->"C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VDMSound-->C:\Program Files\VDMSound\uninst.exe
Virtual U-->"C:\Program Files\Virtual U\setup\UNWISE.EXE" "C:\PROGRA~1\VIRTUA~1\INSTALL.LOG"
Volume Control-->MsiExec.exe /I{C937244C-5CD1-4567-92CD-38E7E966B894}
VSP-Poker-->C:\WINDOWS\ST5UNST.EXE -n "C:\Program Files\VSP-Poker\ST5UNST.LOG"
Widelands Build11-->"C:\Program Files\Widelands\unins000.exe"
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Defender-->MsiExec.exe /I{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Installer Clean Up-->MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Connect-->"C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB887797-->C:\WINDOWS\$NtUninstallKB887797$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 11-->MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}
======Hosts File======
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
======Security center information======
AV: Authentium Antivirus (outdated)
FW: Authentium Firewall (disabled)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\VDMSound
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0209
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"LANG"=C
"VDMSPath"=C:\Program Files\VDMSound
-----------------EOF-----------------
Is Authentium Antivirus up-to-date?
i have never heard of authentium before all this happened
So then you don't have antivirus active at all.
Looking over your log, it seems you don't have any evidence of an anti-virus software.
Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:
1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.
You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
After that:
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
yeah it must have been a bug in the forum i will start downloading one of the programs although it make take a while (dialup)
No hurry, take your time :)
to use the downloaded version of the recovery console i need a floppy drive and mine doesn't work
You don't need a floppy drive :)
There are stand-alone downloads in Microsoft web site.
Download correct version for your operating system & service pack and drag & drop it into combofix.exe, please.
ok i have windows recovery console installed but it will take a day or two to run another virus check and combofix
ok combofix seems to have removed it
ComboFix 08-10-12.01 - nancy 2008-10-15 20:40:45.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.53 [GMT -4:00]
Running from: C:\Documents and Settings\nancy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nancy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.
2008-10-12 01:13 . 2008-10-12 01:13 <DIR> d-------- C:\695d627f403feaa5dbe1
2008-10-11 22:36 . 2008-10-11 22:36 86,016 --a------ C:\WINDOWS\system32\evcjargp.exe
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a--c--- C:\WINDOWS\system32\dllcache\disk.sys
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Program Files\Avira
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-09 18:51 . 2008-10-09 18:51 73,728 --a------ C:\WINDOWS\system32\fmpifcfs.exe
2008-10-07 18:58 . 2008-10-09 19:10 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-10-05 19:18 . 2008-10-05 19:18 121 --ahs---- C:\WINDOWS\system32\wkldxmiv.ini
2008-10-05 16:32 . 2008-10-05 16:32 <DIR> d-------- C:\Program Files\hxdmjaf
2008-10-04 23:29 . 2008-10-04 23:33 122 --ahs---- C:\WINDOWS\system32\mdedmflg.ini
2008-10-04 16:44 . 2008-10-04 16:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-10-03 21:10 . 2008-10-03 21:10 <DIR> d-------- C:\Program Files\Applications
2008-10-03 20:04 . 2008-10-12 01:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mbqhmbcv
2008-10-03 18:48 . 2004-08-04 03:56 24,576 --a------ C:\WINDOWS\system32\stus.exe
2008-10-02 19:26 . 2008-10-15 20:42 <DIR> d-------- C:\Documents and Settings\nancy\Application Data\uTorrent
2008-09-29 16:54 . 2008-10-10 20:24 <DIR> d-------- C:\WINDOWS\system32\EV02
2008-09-29 16:54 . 2008-09-29 16:59 <DIR> d-------- C:\temp\xp34
2008-09-28 16:31 . 2008-09-28 16:31 121 --ahs---- C:\WINDOWS\system32\bwwctmqe.ini
2008-09-27 20:04 . 2008-10-02 19:53 <DIR> d-------- C:\rsit
2008-09-26 19:31 . 2008-09-26 19:32 38,880 --ahs---- C:\WINDOWS\system32\kihvhbxk.ini
2008-09-25 20:22 . 2008-09-26 19:12 38,880 --ahs---- C:\WINDOWS\system32\kycnkbuh.ini
2008-09-24 22:41 . 2008-09-25 20:13 1,171 --ahs---- C:\WINDOWS\system32\wavuosre.ini
2008-09-24 20:57 . 2008-09-24 20:57 699 --ahs---- C:\WINDOWS\system32\pxnhabof.ini
2008-09-24 18:53 . 2008-09-24 20:36 527 --ahs---- C:\WINDOWS\system32\jkloietj.ini
2008-09-22 18:07 . 2008-09-22 18:07 3,752 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 23:21 . 2008-09-21 23:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-21 15:50 . 2008-09-21 15:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-20 18:06 . 2008-09-20 18:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 22:11 . 2008-09-22 17:54 345 --ahs---- C:\WINDOWS\system32\dddJlRCf.ini
2008-09-18 19:09 . 2008-10-10 20:27 <DIR> d-------- C:\WINDOWS\system32\winf
2008-09-18 19:09 . 2008-09-18 19:09 <DIR> d-------- C:\WINDOWS\system32\UES
2008-09-18 19:09 . 2008-10-10 15:08 <DIR> d-------- C:\WINDOWS\system32\p
2008-09-18 19:09 . 2008-10-10 20:24 <DIR> d-------- C:\WINDOWS\system32\np5
2008-09-18 19:04 . 2008-10-10 20:24 <DIR> d-------- C:\WINDOWS\system32\mC02
2008-09-18 19:04 . 2008-09-18 19:09 <DIR> d-------- C:\temp\mtc2
2008-09-18 19:03 . 2008-09-18 19:03 71 --a------ C:\Documents and Settings\nancy\3151.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 22:53 --------- d-----w C:\Program Files\GameBiz2
2008-10-15 00:45 21,504 ----a-w C:\Documents and Settings\nancy\39dll.dll
2008-10-15 00:45 157,696 ----a-w C:\Documents and Settings\nancy\supersound.dll
2008-10-14 02:27 --------- d-----w C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-10-03 04:17 --------- d-----w C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-10-02 00:32 --------- d-----w C:\Program Files\The Tower of Babel
2008-09-25 23:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 00:28 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-09-22 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-20 16:40 --------- d-----w C:\Program Files\Phun
2008-09-12 20:36 --------- d-----w C:\Program Files\Galactic Capitalism
2008-09-05 23:58 --------- d-----w C:\Program Files\Axon Data
2008-09-01 03:37 --------- d-----w C:\Program Files\Risk
2008-08-31 02:28 --------- d-----w C:\Program Files\Zombie Cow Studios
2008-08-29 18:26 8,992 ----a-w C:\Documents and Settings\nancy\Device.dat
2008-08-29 00:30 --------- d-----w C:\Program Files\VDMSound
2008-08-28 22:04 --------- d-----w C:\Program Files\DOSBox-0.72
2008-08-26 03:56 --------- d-----w C:\Program Files\Cheat Engine
2008-08-25 10:55 --------- d-----w C:\Program Files\Carbiz demo
2008-08-19 20:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 20:23 --------- d-----w C:\Program Files\Cat Daddy Games
2008-08-19 17:26 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-19 17:20 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-19 17:20 --------- d-----w C:\Documents and Settings\nancy\Application Data\DAEMON Tools
2008-08-17 23:39 --------- d-----w C:\Program Files\Guerrilla War
2008-08-17 23:38 --------- d--h--w C:\Program Files\InstallJammer Registry
2008-08-17 23:28 --------- d-----w C:\Program Files\Sk8Park
2008-08-17 03:17 --------- d-----w C:\Program Files\M17
2008-08-17 00:06 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-16 17:26 --------- d-----w C:\Program Files\Widelands
2008-03-31 00:17 336 ----a-w C:\Program Files\temp995.bat
2007-09-29 04:04 714,936 ----a-w C:\Documents and Settings\Guest\Application Data\New Compressed (zipped) Folder.zip
1987-09-18 16:31 26,785 ----a-w C:\Documents and Settings\nancy\ELECTION.EXE
1987-09-18 16:12 26,705 ----a-w C:\Documents and Settings\nancy\PE.EXE
1987-09-18 15:46 57,425 ----a-w C:\Documents and Settings\nancy\MAP.EXE
1987-09-18 04:59 51,185 ----a-w C:\Documents and Settings\nancy\CAMPAIGN.EXE
1987-09-18 02:26 26,689 ----a-w C:\Documents and Settings\nancy\DEBATE.EXE
1987-09-18 02:23 39,921 ----a-w C:\Documents and Settings\nancy\NOMINATE.EXE
1987-09-17 22:30 5,921 ----a-w C:\Documents and Settings\nancy\START.EXE
1987-04-07 15:48 70,680 ----a-w C:\Documents and Settings\nancy\BRUN30.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Documents and Settings\nancy\Desktop\utorrent.exe" [2008-08-13 267056]
"SetEn"="C:\WINDOWS\system32\fmpifcfs.exe" [2008-10-09 73728]
"StrUtil"="C:\WINDOWS\system32\evcjargp.exe" [2008-10-11 86016]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" [X]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"VolControl"="C:\Program Files\Volume Control\Volume Control.exe" [2007-01-24 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-10-19 1757]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"genensh"= {11A78ACD-33E4-C376-034C-0BA3359F114C} - C:\Program Files\hxdmjaf\genensh.dll [2008-10-05 122880]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
"Twain"=C:\Program Files\Twain\Twain.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"PLNRNote"="C:\Program Files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRNote.exe"
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"a496ad42"=rundll32.exe "C:\WINDOWS\system32\adwmjkpv.dll",b
"flockbox"=F:\My Lockbox\flockbox.exe /a
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\Nancy_2\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Globulation_2\\glob2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\utorrent.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\KMIVBR2\\KMI.Cstore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-04-18 17264]
R2 EarthLinkMonitor;EarthLink Monitor Service;C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [ ]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
S3 oflpydin;oflpydin;C:\DOCUME~1\nancy\LOCALS~1\Temp\oflpydin.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0349ac28-2945-11dd-ad90-e1fb8d0daab6}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\nancy\Application Data\Mozilla\Firefox\Profiles\bv0y59pm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 20:44:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-15 20:52:21
ComboFix-quarantined-files.txt 2008-10-16 00:52:16
ComboFix2.txt 2008-10-16 00:16:34
Pre-Run: 56,019,890,176 bytes free
Post-Run: 55,987,298,304 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
184 --- E O F --- 2008-10-13 03:51:36
Please post also a fresh HijackThis log :)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:43 PM, on 10/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\WINDOWS\system32\fmpifcfs.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKCU\..\Run: [SetEn] C:\WINDOWS\system32\fmpifcfs.exe
O4 - HKCU\..\Run: [StrUtil] C:\WINDOWS\system32\evcjargp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O21 - SSODL: genensh - {11A78ACD-33E4-C376-034C-0BA3359F114C} - C:\Program Files\hxdmjaf\genensh.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8059 bytes
Open notepad and copy/paste the text in the codebox below into it:
[code]File::
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\fmpifcfs.exe
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\wkldxmiv.ini
C:\Documents and Settings\nancy\3151.bat
C:\Documents and Settings\nancy\Desktop\utorrent.exe
Folder::
C:\WINDOWS\system32\winf
C:\WINDOWS\system32\UES
C:\WINDOWS\system32\p
C:\WINDOWS\system32\np5
C:\WINDOWS\system32\mC02
C:\temp\mtc2
C:\Program Files\hxdmjaf
C:\Program Files\Applications
C:\Documents and Settings\All Users\Application Data\mbqhmbcv
C:\Documents and Settings\nancy\Application Data\uTorrent
C:\WINDOWS\system32\EV02
C:\temp\xp34
Driver::
oflpydin
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
"SetEn"=-
"StrUtil"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"genensh"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"a496ad42"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0349ac28-2945-11dd-ad90-e1fb8d0daab6}]
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
ComboFix 08-10-12.01 - nancy 2008-10-18 14:33:22.4 - NTFSx86
Running from: C:\Documents and Settings\nancy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nancy\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\mbqhmbcv
C:\Program Files\Applications
C:\Program Files\hxdmjaf
C:\Program Files\hxdmjaf\genensh.dll
C:\temp\mtc2
C:\temp\mtc2\h5v.log
C:\temp\xp34
C:\temp\xp34\cPH.log
C:\WINDOWS\system32\EV02
C:\WINDOWS\system32\mC02
C:\WINDOWS\system32\np5
C:\WINDOWS\system32\p
C:\WINDOWS\system32\UES
C:\WINDOWS\system32\UES\dx6tb3.exe
C:\WINDOWS\system32\winf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OFLPYDIN
-------\Service_oflpydin
((((((((((((((((((((((((( Files Created from 2008-09-18 to 2008-10-18 )))))))))))))))))))))))))))))))
.
2008-10-17 20:43 . 2008-10-17 20:43 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-10-17 20:43 . 2008-10-17 20:43 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-10-12 01:13 . 2008-10-12 01:13 <DIR> d-------- C:\695d627f403feaa5dbe1
2008-10-11 22:36 . 2008-10-11 22:36 86,016 --a------ C:\WINDOWS\system32\evcjargp.exe
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a--c--- C:\WINDOWS\system32\dllcache\disk.sys
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Program Files\Avira
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-07 18:58 . 2008-10-09 19:10 8,704 --a------ C:\WINDOWS\system32\smwin32.dll
2008-10-05 19:18 . 2008-10-05 19:18 121 --ahs---- C:\WINDOWS\system32\wkldxmiv.ini
2008-10-04 23:29 . 2008-10-04 23:33 122 --ahs---- C:\WINDOWS\system32\mdedmflg.ini
2008-10-04 16:44 . 2008-10-04 16:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-10-03 18:48 . 2004-08-04 03:56 24,576 --a------ C:\WINDOWS\system32\stus.exe
2008-09-28 16:31 . 2008-09-28 16:31 121 --ahs---- C:\WINDOWS\system32\bwwctmqe.ini
2008-09-27 20:04 . 2008-10-02 19:53 <DIR> d-------- C:\rsit
2008-09-26 19:31 . 2008-09-26 19:32 38,880 --ahs---- C:\WINDOWS\system32\kihvhbxk.ini
2008-09-25 20:22 . 2008-09-26 19:12 38,880 --ahs---- C:\WINDOWS\system32\kycnkbuh.ini
2008-09-24 22:41 . 2008-09-25 20:13 1,171 --ahs---- C:\WINDOWS\system32\wavuosre.ini
2008-09-24 20:57 . 2008-09-24 20:57 699 --ahs---- C:\WINDOWS\system32\pxnhabof.ini
2008-09-24 18:53 . 2008-09-24 20:36 527 --ahs---- C:\WINDOWS\system32\jkloietj.ini
2008-09-22 18:07 . 2008-09-22 18:07 3,752 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 23:21 . 2008-09-21 23:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-21 15:50 . 2008-09-21 15:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-20 18:06 . 2008-09-20 18:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-18 22:11 . 2008-09-22 17:54 345 --ahs---- C:\WINDOWS\system32\dddJlRCf.ini
2008-09-18 19:03 . 2008-09-18 19:03 71 --a------ C:\Documents and Settings\nancy\3151.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 00:42 --------- d-----w C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-10-15 22:53 --------- d-----w C:\Program Files\GameBiz2
2008-10-15 00:45 21,504 ----a-w C:\Documents and Settings\nancy\39dll.dll
2008-10-15 00:45 157,696 ----a-w C:\Documents and Settings\nancy\supersound.dll
2008-10-14 02:27 --------- d-----w C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-10-02 00:32 --------- d-----w C:\Program Files\The Tower of Babel
2008-09-25 23:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 00:28 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-09-22 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-20 16:40 --------- d-----w C:\Program Files\Phun
2008-09-12 20:36 --------- d-----w C:\Program Files\Galactic Capitalism
2008-09-05 23:58 --------- d-----w C:\Program Files\Axon Data
2008-09-01 03:37 --------- d-----w C:\Program Files\Risk
2008-08-31 02:28 --------- d-----w C:\Program Files\Zombie Cow Studios
2008-08-29 18:26 8,992 ----a-w C:\Documents and Settings\nancy\Device.dat
2008-08-29 00:30 --------- d-----w C:\Program Files\VDMSound
2008-08-28 22:04 --------- d-----w C:\Program Files\DOSBox-0.72
2008-08-26 03:56 --------- d-----w C:\Program Files\Cheat Engine
2008-08-25 10:55 --------- d-----w C:\Program Files\Carbiz demo
2008-08-19 20:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 20:23 --------- d-----w C:\Program Files\Cat Daddy Games
2008-08-19 17:26 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-19 17:20 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-19 17:20 --------- d-----w C:\Documents and Settings\nancy\Application Data\DAEMON Tools
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-03-31 00:17 336 ----a-w C:\Program Files\temp995.bat
2007-09-29 04:04 714,936 ----a-w C:\Documents and Settings\Guest\Application Data\New Compressed (zipped) Folder.zip
1987-09-18 16:31 26,785 ----a-w C:\Documents and Settings\nancy\ELECTION.EXE
1987-09-18 16:12 26,705 ----a-w C:\Documents and Settings\nancy\PE.EXE
1987-09-18 15:46 57,425 ----a-w C:\Documents and Settings\nancy\MAP.EXE
1987-09-18 04:59 51,185 ----a-w C:\Documents and Settings\nancy\CAMPAIGN.EXE
1987-09-18 02:26 26,689 ----a-w C:\Documents and Settings\nancy\DEBATE.EXE
1987-09-18 02:23 39,921 ----a-w C:\Documents and Settings\nancy\NOMINATE.EXE
1987-09-17 22:30 5,921 ----a-w C:\Documents and Settings\nancy\START.EXE
1987-04-07 15:48 70,680 ----a-w C:\Documents and Settings\nancy\BRUN30.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" [X]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"VolControl"="C:\Program Files\Volume Control\Volume Control.exe" [2007-01-24 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-10-19 1757]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
"Twain"=C:\Program Files\Twain\Twain.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"PLNRNote"="C:\Program Files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRNote.exe"
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"flockbox"=F:\My Lockbox\flockbox.exe /a
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\Nancy_2\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Globulation_2\\glob2.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\KMIVBR2\\KMI.Cstore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-04-18 17264]
R2 EarthLinkMonitor;EarthLink Monitor Service;C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [ ]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 14:49:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\sccfg.sys 312 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
.
**************************************************************************
.
Completion time: 2008-10-18 14:57:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-18 18:57:07
ComboFix2.txt 2008-10-16 00:52:23
ComboFix3.txt 2008-10-16 00:16:34
Pre-Run: 55,853,699,072 bytes free
Post-Run: 55,849,873,408 bytes free
188 --- E O F --- 2008-10-13 03:51:36
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:58 PM, on 10/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7697 bytes
Do you recognize these?
1987-09-18 16:31 26,785 ----a-w C:\Documents and Settings\nancy\ELECTION.EXE
1987-09-18 16:12 26,705 ----a-w C:\Documents and Settings\nancy\PE.EXE
1987-09-18 15:46 57,425 ----a-w C:\Documents and Settings\nancy\MAP.EXE
1987-09-18 04:59 51,185 ----a-w C:\Documents and Settings\nancy\CAMPAIGN.EXE
1987-09-18 02:26 26,689 ----a-w C:\Documents and Settings\nancy\DEBATE.EXE
1987-09-18 02:23 39,921 ----a-w C:\Documents and Settings\nancy\NOMINATE.EXE
1987-09-17 22:30 5,921 ----a-w C:\Documents and Settings\nancy\START.EXE
1987-04-07 15:48 70,680 ----a-w C:\Documents and Settings\nancy\BRUN30.EXE
yeah there are just part of an old game that apparently did not get completely uninstalled
Thanks for information.
Please click this link-->Jotti (http://virusscan.jotti.org/)
Copy/paste file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).
C:\WINDOWS\system32\drivers\disk.sys
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
none of the scanners found anything
Thanks for information.
Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\evcjargp.exe
C:\WINDOWS\system32\wkldxmiv.ini
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\bwwctmqe.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\dddJlRCf.ini
C:\Documents and Settings\nancy\3151.bat
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
ComboFix 08-10-19.04 - nancy 2008-10-20 20:33:15.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -4:00]
Running from: C:\Documents and Settings\nancy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\nancy\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\nancy\3151.bat
C:\WINDOWS\system32\bwwctmqe.ini
C:\WINDOWS\system32\dddJlRCf.ini
C:\WINDOWS\system32\evcjargp.exe
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\wkldxmiv.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\nancy\3151.bat
C:\WINDOWS\system32\bwwctmqe.ini
C:\WINDOWS\system32\dddJlRCf.ini
C:\WINDOWS\system32\evcjargp.exe
C:\WINDOWS\system32\jkloietj.ini
C:\WINDOWS\system32\kihvhbxk.ini
C:\WINDOWS\system32\kycnkbuh.ini
C:\WINDOWS\system32\mdedmflg.ini
C:\WINDOWS\system32\pxnhabof.ini
C:\WINDOWS\system32\smwin32.dll
C:\WINDOWS\system32\stus.exe
C:\WINDOWS\system32\wavuosre.ini
C:\WINDOWS\system32\wkldxmiv.ini
.
((((((((((((((((((((((((( Files Created from 2008-09-21 to 2008-10-21 )))))))))))))))))))))))))))))))
.
2008-10-19 22:12 . 2008-10-19 22:18 <DIR> d-------- C:\New Folder
2008-10-17 20:43 . 2008-10-17 20:43 53,248 --a------ C:\WINDOWS\system32\suppdll.dll
2008-10-17 20:43 . 2008-10-19 08:13 35,363 --a------ C:\WINDOWS\system32\windrvNT.sys
2008-10-12 01:13 . 2008-10-12 01:13 <DIR> d-------- C:\695d627f403feaa5dbe1
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a------ C:\WINDOWS\system32\drivers\disk.sys
2008-10-11 00:17 . 2004-08-04 01:59 36,352 --a--c--- C:\WINDOWS\system32\dllcache\disk.sys
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Program Files\Avira
2008-10-09 23:02 . 2008-10-09 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-04 16:44 . 2008-10-04 16:44 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-27 20:04 . 2008-10-02 19:53 <DIR> d-------- C:\rsit
2008-09-22 18:07 . 2008-09-22 18:07 3,752 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-21 23:21 . 2008-09-21 23:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-21 15:50 . 2008-09-21 15:51 <DIR> d-------- C:\Documents and Settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 23:34 --------- d-----w C:\Documents and Settings\nancy\Application Data\OpenOffice.org2
2008-10-20 02:18 --------- d-----w C:\Program Files\DOSBox-0.72
2008-10-15 22:53 --------- d-----w C:\Program Files\GameBiz2
2008-10-15 00:45 21,504 ----a-w C:\Documents and Settings\nancy\39dll.dll
2008-10-15 00:45 157,696 ----a-w C:\Documents and Settings\nancy\supersound.dll
2008-10-14 02:27 --------- d-----w C:\Documents and Settings\nancy\Application Data\Free Download Manager
2008-10-02 00:32 --------- d-----w C:\Program Files\The Tower of Babel
2008-09-25 23:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 00:28 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-09-22 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-21 18:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-20 22:06 --------- d-----w C:\Program Files\Trend Micro
2008-09-20 16:40 --------- d-----w C:\Program Files\Phun
2008-09-12 20:36 --------- d-----w C:\Program Files\Galactic Capitalism
2008-09-05 23:58 --------- d-----w C:\Program Files\Axon Data
2008-09-01 03:37 --------- d-----w C:\Program Files\Risk
2008-08-31 02:28 --------- d-----w C:\Program Files\Zombie Cow Studios
2008-08-29 18:26 8,992 ----a-w C:\Documents and Settings\nancy\Device.dat
2008-08-29 00:30 --------- d-----w C:\Program Files\VDMSound
2008-08-26 03:56 --------- d-----w C:\Program Files\Cheat Engine
2008-08-25 10:55 --------- d-----w C:\Program Files\Carbiz demo
2008-03-31 00:17 336 ----a-w C:\Program Files\temp995.bat
2007-09-29 04:04 714,936 ----a-w C:\Documents and Settings\Guest\Application Data\New Compressed (zipped) Folder.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberLat Ram Cleaner"="C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1" [X]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 270336]
"VolControl"="C:\Program Files\Volume Control\Volume Control.exe" [2007-01-24 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-10-19 1757]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
"Twain"=C:\Program Files\Twain\Twain.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"PLNRNote"="C:\Program Files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRNote.exe"
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\Nancy_2\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\Freeciv-2.0.9-gtk2\\civserver.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\Globulation_2\\glob2.exe"=
"C:\\Documents and Settings\\nancy\\Desktop\\KMIVBR2\\KMI.Cstore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-04-18 17264]
R2 EarthLinkMonitor;EarthLink Monitor Service;C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [ ]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-flockbox - F:\My Lockbox\flockbox.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 20:38:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\sccfg.sys 20 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-10-20 20:45:17
ComboFix-quarantined-files.txt 2008-10-21 00:45:13
ComboFix2.txt 2008-10-18 18:57:18
ComboFix3.txt 2008-10-16 00:52:23
ComboFix4.txt 2008-10-16 00:16:34
Pre-Run: 55,748,247,552 bytes free
Post-Run: 55,748,382,720 bytes free
150 --- E O F --- 2008-10-13 03:51:36
Please post also a fresh HijackThis log :)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:28 PM, on 10/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll (file missing)
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FreshDownload - {9F9E33E8-0F27-4A98-9C61-940FDFE31DC2} - C:\Program Files\FreshDevices\FreshDownload\fd.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 7722 bytes
Follow these (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=bar_sch_nam&docid=2004092711224136&nsf=nip.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=ag) instructions and post back a fresh HijackThis log afterwards, please.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:31 PM, on 10/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 7032 bytes
Please click this link-->Jotti (http://virusscan.jotti.org/)
Copy/paste file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).
C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
File CSRSS.EXE received on 09.22.2008 14:57:42 (CET)
Current status: finished
Result: 4/36 (11.11%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.9.19.2 2008.09.22 -
AntiVir 7.8.1.34 2008.09.22 -
Authentium 5.1.0.4 2008.09.22 W32/VB-Wird-based!Maximus
Avast 4.8.1195.0 2008.09.22 -
AVG 8.0.0.161 2008.09.22 -
BitDefender 7.2 2008.09.22 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.22 -
DrWeb 4.44.0.09170 2008.09.22 -
eSafe 7.0.17.0 2008.09.21 -
eTrust-Vet 31.6.6099 2008.09.22 -
Ewido 4.0 2008.09.22 -
F-Prot 4.4.4.56 2008.09.21 W32/VB-Wird-based!Maximus
F-Secure 8.0.14332.0 2008.09.22 -
Fortinet 3.113.0.0 2008.09.22 -
GData 19 2008.09.22 -
Ikarus T3.1.1.34.0 2008.09.22 -
K7AntiVirus 7.10.467 2008.09.22 -
Kaspersky 7.0.0.125 2008.09.22 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.22 -
NOD32v2 3459 2008.09.22 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.22 Suspicious file
PCTools 4.4.2.0 2008.09.21 -
Prevx1 V2 2008.09.22 Worm
Rising 20.63.02.00 2008.09.22 -
Sophos 4.33.0 2008.09.22 -
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.22 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.22 -
VBA32 3.12.8.5 2008.09.22 -
ViRobot 2008.9.22.1387 2008.09.22 -
VirusBuster 4.5.11.0 2008.09.21 -
Webwasher-Gateway 6.6.2 2008.09.22 -
Additional information
File size: 122880 bytes
MD5...: ebcd8872fe683b1c6d2b0a0bfc8ca688
SHA1..: c9e92abf1a5b6b829b8eba607c7c2d45952adf1e
SHA256: da632aa3ef658c388e4eba8660e88321c2e460e0356cd4ed93953c77dcea4db8
SHA512: 2872e239f7c72dd5ebf0b4ad0d84c0f854ee524a4368d8b07be551c8369f5496
5f5da9b73284144dfad674f2139d25320a4b8e8ef50e2334aac0974765937fe0
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40214c
timedatestamp.....: 0x46db5f74 (Mon Sep 03 01:12:20 2007)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1a1b4 0x1b000 5.86 1f397ec6d47133ba709d3891aca3e300
.data 0x1c000 0x1404 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x1e000 0x728 0x1000 1.82 33fa0e270af184eff5c8453c37db951d
( 1 imports )
> MSVBVM60.DLL: __vbaVarSub, __vbaStrI2, -, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaStrI4, __vbaVarMove, __vbaVarVargNofree, __vbaAryMove, __vbaFreeVar, __vbaLineInputStr, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, -, __vbaFreeObjList, -, -, __vbaVarFix, __vbaStrErrVarCopy, _adj_fprem1, -, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaLenBstrB, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaVarTstLe, __vbaAryDestruct, -, __vbaExitProc, __vbaI4Abs, -, __vbaObjSet, __vbaOnError, -, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaVarIndexLoad, -, __vbaStrFixstr, __vbaFPFix, __vbaFpR8, __vbaRefVarAry, __vbaVarTstLt, __vbaBoolVarNull, _CIsin, -, __vbaErase, -, -, __vbaVarZero, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, -, __vbaGenerateBoundsError, -, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, -, __vbaObjVar, -, __vbaI2I4, DllFunctionCall, __vbaVarOr, __vbaVarLateMemSt, __vbaFpUI1, -, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaStrR8, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, -, -, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, -, __vbaPrintFile, __vbaStrToUnicode, -, _adj_fprem, _adj_fdivr_m64, -, __vbaI2Str, __vbaVarDiv, -, -, __vbaFPException, -, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, -, __vbaI2Var, __vbaLsetFixstrFree, -, __vbaStopExe, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, __vbaVar2Vec, __vbaInStr, __vbaR8Str, __vbaNew2, -, _adj_fdiv_m32i, -, _adj_fdivr_m32i, -, __vbaStrCopy, -, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, __vbaR8Var, __vbaPowerR8, _adj_fdiv_r, -, -, -, __vbaI4Var, -, __vbaVarAdd, __vbaLateMemCall, __vbaAryLock, __vbaStrToAnsi, __vbaVarDup, -, __vbaFpI2, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaFpI4, -, __vbaRecDestructAnsi, -, _CIatan, __vbaAryCopy, -, __vbaStrMove, -, __vbaStrVarCopy, -, _allmul, _CItan, -, __vbaFPInt, __vbaAryUnlock, _CIexp, __vbaI4ErrVar, -, __vbaFreeStr, __vbaFreeObj
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4787C730000EBE50E04101AD3AB36C00BA70B422
Do you recognize this file or folder where it is located?
C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE
no i have never heard of it before
Open HijackThis, click do a system scan only and checkmark these:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\NtfsDriver\CSRSS.EXE,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Close all windows including browser and press fix checked.
Reboot.
Delete this:
C:\WINDOWS\system32\NtfsDriver
Post back a fresh HijackThis log, please.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:57 PM, on 10/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 6678 bytes
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, October 28, 2008 20:12:53
Records in database: 1354650
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
G:\
Scan statistics:
Files scanned: 103291
Threat name: 20
Infected objects: 37
Suspicious objects: 0
Duration of the scan: 02:16:05
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\hxdmjaf\genensh.dll.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cpdhyyvw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alyi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cpfitt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.efv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cqaitvkv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alub 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dnvnrgdg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alvi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eibsrlmm.dll.vir Infected: Trojan-Downloader.Win32.Agent.ajts 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\enyauakw.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.efv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\esbowfsn.dll.vir Infected: Trojan.Win32.Monder.tdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fsobtpwt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alub 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\getsn32.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.dha 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hodppveo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alwx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ivnsya.dll.vir Infected: Trojan.Win32.Monder.tdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jnlgyafj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\katxfm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.els 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kfreyuox.dll.vir Infected: Trojan.Win32.Monder.uci 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kxhycuoy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alub 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mvdwvnow.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alvi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nxjxvhbg.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.els 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pqumcfbq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alyi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rpgnsmdl.dll.vir Infected: Trojan.Win32.Monder.tdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rvxwruli.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alwx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rwtvjiqk.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.els 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sfyoyt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.els 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\smwin32.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.div 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\souxomxp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alvf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tcbjjhrv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alyd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\teyesb.dll.vir Infected: Trojan-Downloader.Win32.Agent.ajts 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UES\dx6tb3.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UES\dx6tb3.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vaexygpw.dll.vir Infected: Trojan-Downloader.Win32.Agent.ajts 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vkdibedf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wjlojfjv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alqn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yfddxgbd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alwt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yglujz.dll.vir Infected: Trojan-Downloader.Win32.Agent.ajts 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ymvnkxtd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.alvf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yvuool.dll.vir Infected: Trojan.Win32.Monder.tdz 1
C:\WINDOWS\Desktop\SmitfraudFix\IEDFix.C.exe Infected: Hoax.Win32.Renos.etc 1
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:45 PM, on 10/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Volume Control\Volume Control.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [VolControl] C:\Program Files\Volume Control\Volume Control.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CyberLat Ram Cleaner] C:\Program Files\CyberLat\CyberLat RAM Cleaner 1.1\CyberLat Ram Cleaner 1,1.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://free-game-downloads.mosw.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219878245281
O17 - HKLM\System\CCS\Services\Tcpip\..\{5381478A-BFC0-4AAF-9FBC-EE4FE4B8714B}: NameServer = 207.69.188.185 207.69.188.186
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 6688 bytes
Empty this folder:
C:\Qoobox\Quarantine
Empty Recycle Bin.
Still problems?
no problems
is my computer fixed
We can then assume so :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Then download and install Java Runtime Environment (JRE) 6 Update 10 (http://java.sun.com/javase/downloads/index.jsp).
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
You can delete rsit and c:\rsit folder
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)
Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.