rundll.exe (prob fake?) is infected by worm.vb.fi
Hello, before I post the HJT log, I think I should describe the problem (as much as I know about it anyway)...
Yesterday I opened my photo camera for the first time since I took it to China (I let a shop have the memory card to get pictures); suddenly it showed a write error. I connected the camera to the computer via USB and, after scanning the card with AVG, this rundll.exe file was a worm.VB.fi trojan... however, AVG could not delete or quarantine it...
Not having double-clicked this rundll.exe file, I thought my computer would have no problems because of it, since it's just on the memory card. However, afterwards I could no longer get into my drives/partitions on my computer by double-clicking... it would give me a "rundll.exe has encountered a problem and needs to close" error, and when I right-click on the drives, I see "??(o)" in the right-click options where it should say "open" and "?????(x)" for "explore". I can still enter my drives by typing the drive locations in the address bar, though.
Also, my computer would suddenly not respond/lag during specific actions (like when I first try to open Firefox after a reboot, I need to double-click it 2-3 times before it opens... otherwise it just does not respond... Windows loads everything slow as hell after a reboot as well). Sometimes I get this error message with unreadable symbols.
After scanning with AVG and Malwarebytes, they found the threats: rundll.exe is now also on my C:, and going by the date, it was created at the same time I connected my PC to the memory card last night! There are also a few other extra threats (explorer.exe seems to be infected as well) that are probably connected with it, since I had scanned just a few days before and had no threats. Trojan Remover/Malwarebytes/AVG cannot remove most of these threats, though, and I am not sure whether I should remove rundll.exe manually or whether that would help, since there are other problems now as well.
Hopefully someone on here can help me - my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:43:48, on 29/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\problemen.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Rundll] C:\WINDOWS\system32\rundll.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: PowerWord 2002.lnk = C:\Program my\Kingsoft\XDict\XDICT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-f97d314b4a8411d1.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 7171 bytes
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.
If you still require help please do the following
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Thanks for your reply, and yes, it seems far busier than when I first came here!
I won't run any scans now that you're helping me, but I did run a scan with Malwarebytes again after I posted, since I had to try SOMETHING (with little success... but when I let my computer idle and came back, there was suddenly a 'data execution prevention' message from Windows telling me Windows had to do something for security reasons... looks very suspicious).
Here are the logs; they cover the past month, as set by default in RSIT:
log.txt:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-12-04 13:53:30
Microsoft Windows XP Professional Service Pack 2
System drive C: has 717 MB (2%) free of 35 GB
Total RAM: 510 MB (21% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53:40, on 04/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program my\BitComet\BitComet.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Thunder Network\Thunder\Components\InMedia\ThunderMinisite.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: PowerWord 2002.lnk = C:\Program my\Kingsoft\XDict\XDICT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-f97d314b4a8411d1.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 7151 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}]
ThunderAtOnce Class - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll [2008-06-13 177616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
Thunder Browser Helper - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll [2008-06-13 198096]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
ST - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 155648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2002-08-28 455168]
"PHIME2002A"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2002-08-28 455168]
"DAEMON Tools-1033"=C:\Program Files\D-Tools\daemon.exe [2004-08-22 81920]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2004-12-10 180269]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"Media Codec Update Service"=C:\Program Files\Essentials Codec Pack\update.exe [2007-04-08 303104]
"Thunder"=C:\Program Files\Thunder Network\Thunder\Thunder.exe [2008-08-12 45056]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-08 289576]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
PowerWord 2002.lnk - C:\Program my\Kingsoft\XDict\XDICT.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2007-07-07 79408]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoToolbarCustomize"=0
"NoBandCustomize"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoToolbarCustomize"=
"NoBandCustomize"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program my\BitComet\BitComet.exe"="C:\Program my\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\games\Call of Duty\CoDMP.exe"="C:\games\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE"="C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE:*:Enabled:Kingsoft PowerWord 2005"
"C:\Program Files\ABC\abc.exe"="C:\Program Files\ABC\abc.exe:*:Enabled:abc"
"C:\PROGRA~1\pcast\PODCAS~1\PODCAS~1.EXE"="C:\PROGRA~1\pcast\PODCAS~1\PODCAS~1.EXE:*:Enabled:Share Streaming"
"C:\Program Files\PPLive\PPlive.exe"="C:\Program Files\PPLive\PPlive.exe:*:Enabled:PPLive"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe"="C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe:*:Enabled:Thunder"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\rundll.exe
shell\explore\command - C:\rundll.exe
shell\open\command - C:\rundll.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\rundll.exe
shell\explore\command - D:\rundll.exe
shell\open\command - D:\rundll.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5e6aee2-778d-11dc-ad17-0011112d53e7}]
shell\AutoRun\command - G:\rundll.exe
shell\explore\command - G:\rundll.exe
shell\open\command - G:\rundll.exe
======File associations======
.scr - open - "%1" %*
======List of files/folders created in the last 1 months======
2008-12-04 13:53:30 ----D---- C:\rsit
2008-11-29 11:01:30 ----D---- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-11-29 11:01:27 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-11-29 11:01:26 ----D---- C:\Program Files\Spyware Terminator
2008-11-29 09:40:10 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-11-29 09:39:16 ----D---- C:\Program Files\Trojan Remover
2008-11-29 09:39:16 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-29 09:39:16 ----D---- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-11-28 23:13:48 ----ASH---- C:\WINDOWS\system32\ul.dll
2008-11-28 23:13:48 ----ASH---- C:\WINDOWS\system32\og.dll
2008-11-28 23:13:47 ----A---- C:\WINDOWS\system32\XP-3EC8D8CF.EXE.vir
2008-11-28 23:12:24 ----SH---- C:\rundll.exe
2008-11-23 17:10:01 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-13 03:02:27 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-13 03:01:50 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
======List of files/folders modified in the last 1 months======
2008-12-04 00:50:06 ----SHD---- C:\WINDOWS\Installer
2008-12-04 00:49:12 ----D---- C:\Program Files
2008-12-03 22:54:26 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-03 22:54:21 ----HD---- C:\Program Files\Windows Media Player
2008-12-03 22:54:13 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-03 21:04:21 ----D---- C:\Program Files\SopCast
2008-12-03 18:22:45 ----D---- C:\Program Files\Mozilla Firefox
2008-12-03 18:03:08 ----D---- C:\WINDOWS\system32\drivers
2008-12-03 18:03:08 ----D---- C:\WINDOWS\system32
2008-11-29 12:30:29 ----HD---- C:\WINDOWS
2008-11-29 10:02:33 ----D---- C:\WINDOWS\Temp
2008-11-29 04:24:53 ----AC---- C:\WINDOWS\ntbtlog.txt
2008-11-27 11:43:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 14:35:29 ----HD---- C:\WINDOWS\inf
2008-11-25 00:06:11 ----HD---- C:\WINDOWS\Help
2008-11-23 15:34:35 ----D---- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-11-23 15:34:34 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-23 13:30:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-15 01:58:59 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-11-15 01:58:59 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-13 03:02:24 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-13 03:02:15 ----A---- C:\WINDOWS\imsins.BAK
2008-11-13 03:00:49 ----D---- C:\WINDOWS\WinSxS
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2006-09-05 3968]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-01-05 47360]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-10-01 9856]
R3 RT73;Sitecom RT73 Wireless Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2008-01-15 459520]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-09 612352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2007-07-27 70001]
S3 SE26bus;Sony Ericsson Device 038 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\SE26bus.sys [2006-05-01 61600]
S3 SE26mdfl;Sony Ericsson Device 038 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\SE26mdfl.sys [2006-05-01 9360]
S3 SE26mdm;Sony Ericsson Device 038 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\SE26mdm.sys [2006-05-01 97184]
S3 SE26mgmt;Sony Ericsson Device 038 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\SE26mgmt.sys [2006-05-01 88688]
S3 SE26obex;Sony Ericsson Device 038 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\SE26obex.sys [2006-05-01 86560]
S3 se26unic;Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (WDM); C:\WINDOWS\system32\DRIVERS\se26unic.sys [2006-05-01 90768]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-09-05 36864]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-05 116040]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2007-07-07 312880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2008-11-29 539136]
R2 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-08-28 61440]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-08 536872]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
-----------------EOF-----------------
Info.txt:
info.txt logfile of random's system information tool 1.04 2008-12-04 13:53:46
======Uninstall list======
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Reader Chinese Traditional Fonts-->MsiExec.exe /I{AC76BA86-7AD7-2448-5A64-7E8A45000001}
Amadis Video Converter Suite V3.5.3-->"C:\Program Files\Amadis Software\Amadis Video Converter Suite\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{C7C895CA-331B-4D7D-A0FB-D3BC637949F9}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft Camera Suite 1.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9
AVG Anti-Spyware 7.5-->C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
BitComet 0.70-->C:\Program my\BitComet\uninst.exe
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
BSPlayer-->"C:\Program Files\Webteh\BSplayer\uninstall.exe"
Call of Duty-->C:\games\CALLOF~1\Uninstall\Unwise.exe /u C:\games\CALLOF~1\Uninstall\Install.log
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord-->MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Cucusoft Ultimate DVD + Video Converter Suite 7.7.7.6-->"C:\Program Files\Cucusoft\Ultimate-Converter\unins000.exe"
DAEMON Tools-->MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Disc2Phone-->MsiExec.exe /I{6E65247F-58F9-41CA-BE69-0316F7907170}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ffdshow [rev 1335] [2007-07-06]-->"C:\Program Files\Matroska Pack\ffdshow\unins000.exe"
greedland (remove only)-->C:\Program Files\greedland\register\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IndeoLigos\Indeo\Uninst.isu" -c"C:\Program Files\IndeoLigos\Indeo\Indeo System Files\indounin.dll"
Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{EA418519-2160-43A0-AABD-6608DDD8D87F}
Kaspersky Online Scanner-->C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
KuGoo酷狗-->C:\PROGRA~1\KuGoo2\UNWISE.EXE C:\PROGRA~1\KuGoo2\INSTALL.LOG
LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Matroska Pack (remove only)-->C:\Program Files\Matroska Pack\Uninstall.exe
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC-->"C:\Program Files\mIRC\mirc.exe" -uninstall
Monkey Audio Source Filter (remove only)-->"C:\Program Files\Monkey Audio Source Filter\uninstall.exe"
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Toolbar-->C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\mtbs.exe c
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
迅雷5-->"C:\Program Files\Thunder Network\Thunder\unins000.exe"
oggcodecs 0.71.0946-->C:\Program Files\illiminable\oggcodecs\uninst.exe
Penguin MSN Skin-->C:\Program Files\MSN Messenger\UninstPenguinMSN.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerWord 2002 Share-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31AF29E0-F254-440B-9EB0-0A7AE5A73B51}\setup.exe"
Powerword 2005-->MsiExec.exe /I{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine-->MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
ryu-ga-gotoku2007?????????-->C:\WINDOWS\ryu-ga-gotoku2007.scr /u
Samsung Music Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EC4CE9D-EAEE-4DA1-AB8D-9E6B7FED6742}\Setup.exe" -l0x9
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SopCast 2.0.4-->C:\Program Files\SopCast\uninst.exe
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Terminator-->"C:\Program Files\Spyware Terminator\unins000.exe"
SpywareBlaster v3.5.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Trojan Remover 6.7.4-->"C:\Program Files\Trojan Remover\unins000.exe"
TVAnts 1.0-->C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
TVUPlayer 2.3.5.3-->C:\Program Files\TVUPlayer\uninst.exe
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.6.2-->"C:\Program my\VideoLAN\VLC\uninstall.exe"
VideoLAN VLC media player 0.8.6a-->C:\Program my\VideoLAN\VLC\uninstall.exe
Videora iPod touch Converter 3.07-->C:\Program Files\Red Kawa\Video Converter 3\uninstaller.exe
WinAce Archiver-->C:\Program my\WinAce\SXUNINST.EXE C:\Program my\WinAce\SXUNINST.INI
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Essentials Media Codec Pack 1.0-->C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
=====HijackThis Backups=====
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: 免费精彩视频超流畅在线观看 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - HKLM\..\Run: [lphcr6dj0er99] C:\WINDOWS\system32\lphcr6dj0er99.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: 播霸电视 - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/dn/files/pCastCtl_1.0.0.89_20060727.cab
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem ;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
-----------------EOF-----------------
Information
REMOVE P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
BitTornado
BitComet
ABC
uTorrent
KuGoo酷狗
Any Other P2P Program
Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
I will be removing all related folders in the cleaning process.
-----------------------------------------------------------
Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.
-----------------------------------------------------------
Step 1
Flash Disinfector by sUBs
Please download Flash_Disinfector.exe (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
Please restart your computer.
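As an added example (not code from this thread and not part of Flash_Disinfector), a defender-side PowerShell audit that lists every autorun.inf on the fixed and removable drives and the launch entries inside it. It assumes, which the thread itself does not state, that the symptoms described (a program launched from the card, the drive's right-click Open/Explore entries replaced) come from an autorun.inf.

```powershell
# Added example, not from the thread: report autorun.inf files and the entries
# in them that launch a program or replace Explorer's drive verbs.
# Assumption (not stated in the thread): the card's behaviour is autorun.inf driven.

# Keys in [autorun] that run a program on insert or double-click.
$launchKeys = @('open', 'shellexecute')

function Get-AutorunFindings {
    param([string]$Root)          # e.g. 'E:\'
    $inf = Join-Path -Path $Root -ChildPath 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    $item = Get-Item -LiteralPath $inf -Force
    # A *folder* named autorun.inf is the common "vaccine" and is not parsed.
    if ($item.PSIsContainer) { return @() }
    $hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    $system = (($item.Attributes -band [IO.FileAttributes]::System) -ne 0)
    $findings = @([pscustomobject]@{
        Drive = $Root; Key = '(file)'
        Value = "autorun.inf present (hidden=$hidden, system=$system)" })
    $inAutorun = $false
    foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -eq 'autorun'); continue }
        if (-not $inAutorun -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $parts = $t -split '=', 2
        $key = $parts[0].Trim()
        $value = if ($parts.Count -gt 1) { $parts[1].Trim() } else { '' }
        # shell\<verb>=label renames a right-click verb (the "Open" that shows
        # garbled text); shell\<verb>\command=program runs it when chosen.
        if ($launchKeys -contains $key -or $key -like 'shell*') {
            $findings += [pscustomobject]@{ Drive = $Root; Key = $key; Value = $value }
        }
    }
    return $findings
}

# Fixed (3) and removable (2) drives: in the thread the file appeared on both.
$drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3'
$all = foreach ($d in $drives) { Get-AutorunFindings -Root ($d.DeviceID + '\') }
if ($all) { $all | Format-Table -AutoSize }
else { 'No autorun.inf file found on local or removable drives.' }
```

Run it with the card and any USB sticks plugged in, before and after the cleanup step, to confirm the launch entries are gone.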
-----------------------------------------------------------
Step 2
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------- -----------------------------------------------------------
Step 3
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Combofix Log
How are things running now?
----------------------------------------------------------- -----------------------------------------------------------
Additional Notes
Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 2.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended
There is a newer version of Adobe Acrobat Reader available.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Click Download
On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
When the installation is complete go to Add/Remove Programs and uninstall all previous versions.
Information
REMOVE P2P PROGRAMS
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
BitTornado
BitComet
ABC
uTorrent
KuGoo (酷狗)
Any Other P2P Program
Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.
I will be removing all related folders in the cleaning process.
ABC and Bittornado I downloaded and installed like years ago and uninstalled them also years ago... I don't see these programs showing in add/remove programs or in C: ... Must be some old traces??
I uninstalled utorrent, kugoo and bitcomet using your method... however, while bitcomet's uninstall was successful and I don't see its folder in program files or in add/remove programs anymore, I can somehow still open it using its shortcut? What to do now.
Don't worry, continue with Flash Disinfector and Combofix.
I will remove the leftovers next.
Alright, btw, should I connect my photocamera (with its memory card -> the culprit of the problems... and it seems just connecting it will cause the problems to go to the comp, since I never touched the files on it in the first place) to the computer when using flash disinfector or?
should I connect my photocamera
Yes please
Hey, sorry for the delay.
----------------------------------------------------------- -----------------------------------------------------------
Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.
----------------------------------------------------------- -----------------------------------------------------------
Step 1
Flash Disinfector by sUBs
Please download Flash_Disinfector.exe (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
Please restart your computer.
Ran the program with my camera and the culprit files on my memory card. I noticed that I can now enter my partitions/drives by doubleclicking them and the options ''explore'' and ''open'' are back again when I rightclick on the partitions on ''my computer''.
However, the files are still there (on the card as well as on my computer), I scanned it with AVG and that fake rundll.exe on my card and my computer is still there and infected with that worm.
Step 2
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
I tried to run combofix.exe from my desktop, but it won't load the dos window... after doubleclicking a little bar with combofix on it shows (giving the impression it's loading, but the white bar isn't filling up to show it's opening or doing something) and the mouse arrow is flickering every now and then... I waited about 10 minutes, nothing.
Please delete Combofix.exe and download a fresh copy.
Run ComboFix using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.
"%userprofile%\desktop\combofix.exe" /killall
When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
I'm posting from another computer: my infected computer is still trying to run combofix following your instructions, but it's showing the same problems starting up as described in my previous post...
If it still isn't running, please post a fresh RSIT log
(I just checked in my folders and DO have a combofix.exe I downloaded+ran a year or so ago when that was requested on here by your fellow helper. I tried doubleclicking it and it does immediately give me that dos window, so it should run. Shall I use this one then?)
Ran RSIT, there is no info.txt this time. The log.txt:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-12-07 23:45:03
Microsoft Windows XP Professional Service Pack 2
System drive C: has 731 MB (2%) free of 35 GB
Total RAM: 510 MB (50% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45, on 08-12-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: PowerWord 2002.lnk = C:\Program my\Kingsoft\XDict\XDICT.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: Æô¶¯Ñ¸À×5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-f97d314b4a8411d1.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 6888 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}]
ThunderAtOnce Class - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll [2008-06-13 177616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}]
Thunder Browser Helper - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll [2008-06-13 198096]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}]
ST - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 155648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
MSNToolBandBHO - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll [2006-01-17 282624]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2002-08-28 455168]
"PHIME2002A"=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2002-08-28 455168]
"DAEMON Tools-1033"=C:\Program Files\D-Tools\daemon.exe [2004-08-22 81920]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2004-12-10 180269]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"Media Codec Update Service"=C:\Program Files\Essentials Codec Pack\update.exe [2007-04-08 303104]
"Thunder"=C:\Program Files\Thunder Network\Thunder\Thunder.exe [2008-08-12 45056]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-08 289576]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
PowerWord 2002.lnk - C:\Program my\Kingsoft\XDict\XDICT.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2007-07-07 79408]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoToolbarCustomize"=0
"NoBandCustomize"=0
"NoDriveAutoRun"=FFFFFFFF
"NoDriveTypeAutoRun"=36
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoToolbarCustomize"=
"NoBandCustomize"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program my\BitComet\BitComet.exe"="C:\Program my\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\games\Call of Duty\CoDMP.exe"="C:\games\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE"="C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE:*:Enabled:Kingsoft PowerWord 2005"
"C:\Program Files\ABC\abc.exe"="C:\Program Files\ABC\abc.exe:*:Enabled:abc"
"C:\PROGRA~1\pcast\PODCAS~1\PODCAS~1.EXE"="C:\PROGRA~1\pcast\PODCAS~1\PODCAS~1.EXE:*:Enabled:Share Streaming"
"C:\Program Files\PPLive\PPlive.exe"="C:\Program Files\PPLive\PPlive.exe:*:Enabled:PPLive"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe"="C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe:*:Enabled:Thunder"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\rundll.exe
shell\explore\command - C:\rundll.exe
shell\open\command - C:\rundll.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\rundll.exe
shell\explore\command - D:\rundll.exe
shell\open\command - D:\rundll.exe
======File associations======
.scr - open - "%1" %*
======List of files/folders created in the last 1 months======
2008-12-07 23:43:24 ----D---- C:\sUBs
2008-12-04 13:53:30 ----D---- C:\rsit
2008-11-29 11:01:30 ----D---- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-11-29 11:01:27 ----D---- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-11-29 11:01:26 ----D---- C:\Program Files\Spyware Terminator
2008-11-29 09:40:10 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2008-11-29 09:39:18 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-11-29 09:39:16 ----D---- C:\Program Files\Trojan Remover
2008-11-29 09:39:16 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-29 09:39:16 ----D---- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-11-28 23:13:48 ----ASH---- C:\WINDOWS\system32\ul.dll
2008-11-28 23:13:48 ----ASH---- C:\WINDOWS\system32\og.dll
2008-11-28 23:13:47 ----A---- C:\WINDOWS\system32\XP-3EC8D8CF.EXE.vir
2008-11-28 23:12:24 ----SH---- C:\rundll.exe
2008-11-23 17:10:01 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-13 03:02:27 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-13 03:01:50 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
======List of files/folders modified in the last 1 months======
2008-12-07 23:44:07 ----D---- C:\Program Files\Mozilla Firefox
2008-12-07 23:15:03 ----D---- C:\Program Files
2008-12-07 11:46:27 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-07 11:46:22 ----HD---- C:\Program Files\Windows Media Player
2008-12-07 01:12:55 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-06 17:50:04 ----D---- C:\WINDOWS\Temp
2008-12-04 00:50:06 ----SHD---- C:\WINDOWS\Installer
2008-12-03 21:04:21 ----D---- C:\Program Files\SopCast
2008-12-03 18:03:08 ----D---- C:\WINDOWS\system32\drivers
2008-12-03 18:03:08 ----D---- C:\WINDOWS\system32
2008-11-29 12:30:29 ----HD---- C:\WINDOWS
2008-11-29 04:24:53 ----AC---- C:\WINDOWS\ntbtlog.txt
2008-11-27 11:43:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 14:35:29 ----HD---- C:\WINDOWS\inf
2008-11-25 00:06:11 ----HD---- C:\WINDOWS\Help
2008-11-23 15:34:35 ----D---- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-11-23 15:34:34 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-23 13:30:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-15 01:58:59 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-11-15 01:58:59 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-13 03:02:24 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-13 03:02:15 ----A---- C:\WINDOWS\imsins.BAK
2008-11-13 03:00:49 ----D---- C:\WINDOWS\WinSxS
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2006-09-05 3968]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-01-05 47360]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-10-01 9856]
R3 RT73;Sitecom RT73 Wireless Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2008-01-15 459520]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-09 612352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2007-07-27 70001]
S3 SE26bus;Sony Ericsson Device 038 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\SE26bus.sys [2006-05-01 61600]
S3 SE26mdfl;Sony Ericsson Device 038 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\SE26mdfl.sys [2006-05-01 9360]
S3 SE26mdm;Sony Ericsson Device 038 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\SE26mdm.sys [2006-05-01 97184]
S3 SE26mgmt;Sony Ericsson Device 038 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\SE26mgmt.sys [2006-05-01 88688]
S3 SE26obex;Sony Ericsson Device 038 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\SE26obex.sys [2006-05-01 86560]
S3 se26unic;Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (WDM); C:\WINDOWS\system32\DRIVERS\se26unic.sys [2006-05-01 90768]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-09-05 36864]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-05 116040]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2007-07-07 312880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2008-11-29 539136]
R2 spkrmon;spkrmon; C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe [2003-08-28 61440]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-08 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
-----------------EOF-----------------
Not sure if it could help or is the reason, but I noticed a new thing happening a few days ago, this desktop.ini file automatically opens whenever I reboot and it's in the favorites of explorer. Its text:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
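As an added defender-side example (not part of the thread, RSIT, or any other tool mentioned here), this Python script parses an RSIT "Registry dump" excerpt in the format shown above and flags the MountPoints2 shell-command redirection behind the "rundll.exe has encountered a problem" error and the garbled Open/Explore context-menu entries, plus System+Hidden files dropped at a drive root. The log excerpt is constructed to mirror the posted one, and the OTMoveIt block it emits is modelled on the helper's :Reg/:Files script syntax.

```python
import re
from dataclasses import dataclass

# Constructed RSIT excerpt mirroring the relevant parts of the log posted above.
SAMPLE_LOG = r"""
======Registry dump======
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
shell\AutoRun\command - C:\rundll.exe
shell\explore\command - C:\rundll.exe
shell\open\command - C:\rundll.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\rundll.exe
shell\explore\command - D:\rundll.exe
shell\open\command - D:\rundll.exe
======File associations======
.scr - open - "%1" %*
======List of files/folders created in the last 1 months======
2008-12-07 23:43:24 ----D---- C:\sUBs
2008-11-28 23:13:48 ----ASH---- C:\WINDOWS\system32\ul.dll
2008-11-28 23:12:24 ----SH---- C:\rundll.exe
2008-11-23 17:10:01 ----D---- C:\Program Files\Spybot - Search & Destroy
"""

MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\([A-Z])\]$", re.IGNORECASE)
SHELL_CMD = re.compile(r"^shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ----([A-Z]*)---- (.+)$")
ROOT_FILE = re.compile(r"^([A-Z]):\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "mountpoint-hijack" or "hidden-root-file"
    drive: str   # drive letter the finding concerns
    target: str  # file the hijacked verb launches, or the suspicious file itself
    note: str


def analyse_rsit(text):
    """Walk an RSIT log and return the autorun-worm indicators it contains."""
    findings = []
    current_drive = None  # drive letter of the MountPoints2 key we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("======"):
            current_drive = None
            continue
        if line.startswith("["):
            m = MOUNTPOINT_KEY.match(line)
            current_drive = m.group(1).upper() if m else None
            continue
        if current_drive is not None:
            m = SHELL_CMD.match(line)
            if m:
                verb, target = m.group(1), m.group(2).strip()
                # A clean MountPoints2 entry does not redirect open/explore/AutoRun to a
                # program; doing so from the drive's own root is the autorun.inf worm
                # pattern and explains why double-clicking the drive launched the file.
                t = ROOT_FILE.match(target)
                own_root = t is not None and t.group(1).upper() == current_drive
                findings.append(Finding(
                    "mountpoint-hijack", current_drive, target,
                    f"shell\\{verb}\\command redirected"
                    + (" to a file at the drive's own root" if own_root else "")))
                continue
        m = CREATED.match(line)
        if m:
            attrs, path = m.groups()
            r = ROOT_FILE.match(path)
            # A non-directory at a drive root with System+Hidden set is the usual
            # disguise for the payload named by the hijacked verbs.
            if r and "D" not in attrs and "S" in attrs and "H" in attrs:
                findings.append(Finding("hidden-root-file", r.group(1).upper(), path,
                                        f"attributes {attrs} at drive root"))
    return findings


def otmoveit_script(findings):
    """Emit the :Reg/:Files block a helper would paste into OTMoveIt3, modelled on the
    script in the thread: [-key] deletes a hijacked MountPoints2 key, :Files lists
    every payload path referenced by a finding."""
    drives = sorted({f.drive for f in findings if f.kind == "mountpoint-hijack"})
    files = sorted({f.target for f in findings})
    lines = [":Reg"]
    lines += [r"[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
              r"\explorer\mountpoints2\%s]" % d for d in drives]
    lines += [":Files"] + files
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyse_rsit(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.drive}: {f.target} ({f.note})")
    print(otmoveit_script(found))
```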
(I just checked in my folders and DO have a combofix.exe I downloaded+ran a year or so ago when that was requested on here by your fellow helper. I tried doubleclicking it and it does immediately give me that dos window, so it should run. Shall I use this one then?)
Under no circumstances must you use that old version of Combofix.
You should delete it immediately.
OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Reg )
:Processes
:Services
:Reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTornado\btdownloadgui.exe"=-
"C:\Program my\BitComet\BitComet.exe"=-
"C:\Program Files\ABC\abc.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
:Files
C:\WINDOWS\system32\ul.dll
C:\WINDOWS\system32\og.dll
C:\WINDOWS\system32\XP-3EC8D8CF.EXE.vir
C:\rundll.exe
D:\rundll.exe
:Commands
[Purity]
[EmptyTemp]
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please reboot and try running the newest combofix
Ran OTmoveIT3:
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\BitTornado\btdownloadgui.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program my\BitComet\BitComet.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\ABC\abc.exe deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\\ deleted successfully.
========== FILES ==========
LoadLibrary failed for C:\WINDOWS\system32\ul.dll
C:\WINDOWS\system32\ul.dll NOT unregistered.
C:\WINDOWS\system32\ul.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\og.dll
C:\WINDOWS\system32\og.dll NOT unregistered.
C:\WINDOWS\system32\og.dll moved successfully.
C:\WINDOWS\system32\XP-3EC8D8CF.EXE.vir moved successfully.
C:\rundll.exe moved successfully.
D:\rundll.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_gyJVUa4fCc3FKD1TKHDM scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VGod.DLL scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12082008_130400
Files moved on Reboot...
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_gyJVUa4fCc3FKD1TKHDM not found!
DllUnregisterServer procedure not found in C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VGod.DLL
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VGod.DLL NOT unregistered.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VGod.DLL moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\XUL.mfl moved successfully.
-------------------
Had two error messages saying:
The app or DLL C:\WINDOWS\system32\ul.dll and C:\WINDOWS\system32\og.dll are not valid Windows images.
Oh and still had the same problem running combofix.
Let's see if an online scan will show us what the problem is
Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK
Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.
C&P'ing it on here makes it look messed up, but I also couldn't upload it in one file as it exceeded the limit for txts on here. I made two parts of it, first one attached in this post, second one in the post after.
Second part.
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-12-09 19:56:22
PROTECTIONS: 0
MALWARE: 11
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\IJL11.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Program my\VideoLAN\VLC\vlc.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Program my\Kingsoft\XDict\XDICT.EXE
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\checkfw.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp\PCloser.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp\System.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Spyware\lsse.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\AVPFPI0.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\avpproxy.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\DFFPI.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fm4av.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fpinor.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsbl.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsbld.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgkiapi.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\FSHKE.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\FSLFPI.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssubmit.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\lsse.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\Nse_w32.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ywiseext.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_uninstop.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\fsauc.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\pcast.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\pCastCtl.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\webscan.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}\kssetting.exe_8BCAA7D371F34097857E7B78CBAEF505.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}\NewShortcut13_5071F84AFF334D2DBD96FCF45A201FF4_1.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}\NewShortcut4_5071F84AFF334D2DBD96FCF45A201FF4.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}\NewShortcut6_5071F84AFF334D2DBD96FCF45A201FF4.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}\XDict.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}\XDict1.exe_8BCAA7D371F34097857E7B78CBAEF505.EXE
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Real\Update\setup\data\inst_config\compat.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Program my\BitComet\BitComet.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer\gmer.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\MP3 cutter\mp3cutter.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract\KSEngine.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract\KSVoice.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract\XDPopWnd.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG\ace.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG\AuxProcess.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG\bootupdate.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG\client.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\Microsoft Shared\Speech\SAPI.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\SpeechEngines\Microsoft\spcommon.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\SpeechEngines\Microsoft\TTS\1033\SPTTSENG.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Program Files\TVAnts\UNWISE.EXE
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\Cjktl32.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\Cjktl95.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\DBCore10.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\DicMngr.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\doshow.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\RemoveVideoActiveXObject.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\ITextOut.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\ITTSEngine.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\KPic10.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\KSSetting.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\NEWWORD.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\NewWord.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\NormGrab.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\RegDict.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\ScrollWord.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\toTTSEngine50.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\XdictGrb.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\XFavHist.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005\XFILE.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\setup.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System\msxml4.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System\msxml4a.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System\msxml4r.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Decdnet.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Pncrt.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Pnen3230.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Pnui3230.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Ra3214_4.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Ra3228_8.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Ra32dnet.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Redist\MS\System\msvcp60.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Redist\MS\System\msvcrt.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\SHFOLDER.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\VOCTL32.DLL
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\WMV9VCM.dll
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\shortcuts\i_view32.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\iview397.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\mirc616.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0\keygen.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.Keygen.Only-Lz0\lz0nem01\keygen.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Documents and Settings\Administrator\Desktop\OTMoveIt3.exe
00040405 W32/Bacalid.A Virus No 0 Yes No C:\Program Files\TVAnts\Tvants.exe
00047257 vbs/psyme.gen Virus/Trojan No 0 Yes No c:\program files\windows media player\wmplayer.exe.tmp
00186187 adware/dudu Adware No 0 Yes No hkey_current_user\software\dudu
00217459 adware/dollarrevenue Adware No 1 Yes No c:\windows\keyboard1.dat
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe][nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\sUBs\TSF\nircmd.exe
00520578 Trj/Lineage.DDZ Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\VGod.DLL
00520578 Trj/Lineage.DDZ Virus/Trojan No 0 Yes No C:\_OTMoveIt\MovedFiles\12082008_130400\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VGod.DLL
00520578 Trj/Lineage.DDZ Virus/Trojan No 0 Yes No C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VGod.DLL
01471929 W32/Patchlog.L Virus No 0 Yes No C:\_OTMoveIt\MovedFiles\12082008_130400\rundll.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\shell.fne
03487350 Adware/AccesMembre Adware No 0 Yes No C:\_OTMoveIt\MovedFiles\12082008_130400\WINDOWS\system32\XP-3EC8D8CF.EXE.vir
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\SDFix.exe[C:\Documents and Settings\Administrator\Desktop\SDFix.exe][SDFix\apps\Cghtme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Administrator\Desktop\SDFix.exe[C:\Documents and Settings\Administrator\Desktop\SDFix.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe
04128671 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Powerword 2005.msi[unk_0034]
04128671 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\Installer\835db16.msi[unk_0049]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Football\TvantsSetup.EXE
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;======================================
You are heavily infected with a very old file infector.
I saw Symantec in a previous log, and assumed that you had it installed as your AntiVirus.
Looking back over your logs, I can't see any sign of an active antivirus, and that is what has caused your problems.
Let's see if we can save your machine.
Download Dr. Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe) and save it to your desktop.
Double click on cureit.exe to run it.
Click on Start to start the scan.
Dr Web CureIt will prompt you. Click OK.
This will start an express scan. It shouldn't take too long.
When done, click on Options > Change settings.
Select the Scan tab. Uncheck (untick) Heuristics analysis box.
Select the Log file tab. Uncheck (untick) Maximum log file size box.
Click OK to apply the settings.
Select the Complete scan radio button, then click on the green triangle button on the right hand side.
It will start scanning. Please be patient as this scan can be long.
During the scan, if it finds any infected items, it will prompt you. Click Yes to all to cure the files.
Click on File > Save report list. Save this report to a convenient location.
Scan took 8 hours!
autorun.inf;d:;Corrupt autorun file;Moved.;
vgod.dll;c:\documents and settings\administrator\local settings\temp;Win32.Besso;Deleted.;
xdict.exe;c:\program my\kingsoft\xdict;Win32.Besso;Cured.;
checkfw.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Cured.;
ywiseext.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Cured.;
_uninstop.exe;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Cured.;
PCloser.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp;Win32.Besso;Cured.;
System.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp;Win32.Besso;Cured.;
lsse.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Spyware;Win32.Besso;Cured.;
AVPFPI0.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
avpproxy.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
DFFPI.DLL;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fm4av.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fpinor.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsbl.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsbld.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsgk32.exe;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fsgkiapi.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
FSHKE.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
FSLFPI.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fssm32.exe;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
fssubmit.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
lsse.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
Nse_w32.dll;C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus;Win32.Besso;Cured.;
arclib.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
fsauc.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
pcast.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
pCastCtl.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
webscan.dll;C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files;Win32.Besso;Cured.;
ezpinst.exe;C:\Documents and Settings\Administrator\Application Data;Win32.Besso;Cured.;
kssetting.exe_8BCAA7D371F34097857E7B78CBAEF505.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
NewShortcut13_5071F84AFF334D2DBD96FCF45A201FF4_1.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
NewShortcut4_5071F84AFF334D2DBD96FCF45A201FF4.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
NewShortcut6_5071F84AFF334D2DBD96FCF45A201FF4.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
XDict.exe;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
XDict1.exe_8BCAA7D371F34097857E7B78CBAEF505.EXE;C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{5071F84A-FF33-4D2D-BD96-FCF45A201FF4};Win32.Besso;Cured.;
compat.dll;C:\Documents and Settings\Administrator\Application Data\Real\Update\setup\data\inst_config;Win32.Besso;Cured.;
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
OTMoveIt3.exe;C:\Documents and Settings\Administrator\Desktop;Win32.Besso;Cured.;
RemoveVideoActiveXObject.exe;C:\Documents and Settings\Administrator\Desktop;Win32.Besso;Cured.;
RemoveVideoActiveXObject.exe\RVAXO3;C:\Documents and Settings\Administrator\Desktop\RemoveVideoActiveXObject.exe;Trojan.Shutdown.134;;
RemoveVideoActiveXObject.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
gmer.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer;Win32.Besso;Cured.;
mp3cutter.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\MP3 cutter;Win32.Besso;Cured.;
setup.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005;Win32.Besso;Cured.;
KSEngine.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract;Win32.Besso;Cured.;
KSVoice.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract;Win32.Besso;Cured.;
XDPopWnd.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\Extract;Win32.Besso;Cured.;
ace.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
AuxProcess.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
bootupdate.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
client.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\kingsoft\KSG;Win32.Besso;Cured.;
SAPI.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\Microsoft Shared\Speech;Win32.Besso;Cured.;
spcommon.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\SpeechEngines\Microsoft;Win32.Besso;Cured.;
SPTTSENG.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\Common\SpeechEngines\Microsoft\TTS\1033;Win32.Besso;Cured.;
Cjktl32.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
Cjktl95.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
DBCore10.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
DicMngr.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
doshow.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
IJL11.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
ITextOut.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
ITTSEngine.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
KPic10.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
KSSetting.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
NEWWORD.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
NewWord.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
NormGrab.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
RegDict.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
ScrollWord.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
toTTSEngine50.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
XdictGrb.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
XFavHist.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
XFILE.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\program files\Kingsoft\PowerWord 2005;Win32.Besso;Cured.;
msxml4.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System;Win32.Besso;Cured.;
msxml4a.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System;Win32.Besso;Cured.;
msxml4r.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System;Win32.Besso;Cured.;
Decdnet.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Pncrt.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Pnen3230.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Pnui3230.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Ra3214_4.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Ra3228_8.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
Ra32dnet.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
SHFOLDER.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
VOCTL32.DLL;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
WMV9VCM.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32;Win32.Besso;Cured.;
msvcp60.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Redist\MS\System;Win32.Besso;Cured.;
msvcrt.dll;C:\Documents and Settings\Administrator\Desktop\Low Gong\powerword2005\System32\Redist\MS\System;Win32.Besso;Cured.;
i_view32.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\shortcuts;Win32.Besso;Cured.;
iview397.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software;Win32.Besso;Cured.;
mirc616.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software;Win32.Besso;Cured.;
mirc621.exe\data009;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\mirc621.exe;Program.mIRC.621;;
mirc621.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software;Archive contains infected objects;Moved.;
boba_super_setup.exe\data007;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Football\boba_super_setup.exe;Adware.Baidu.324;;
boba_super_setup.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Football;Archive contains infected objects;Moved.;
keygen.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-;Win32.Besso;Cured.;
keygen.exe;C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-;Win32.Besso;Cured.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;;
Tvants.exe;C:\Program Files\TVAnts;Win32.Besso;Cured.;
UNWISE.EXE;C:\Program Files\TVAnts;Win32.Besso;Cured.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Win32.Besso;Cured.;
BitComet.exe;C:\Program my\BitComet;Win32.Besso;Cured.;
vlc.exe;C:\Program my\VideoLAN\VLC;Win32.Besso;Cured.;
RVAXO3;C:\RVAXO;Trojan.Shutdown.134;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
rundll.exe;C:\_OTMoveIt\MovedFiles\12082008_130400;Win32.HLLW.Unjap;Deleted.;
VGod.DLL;C:\_OTMoveIt\MovedFiles\12082008_130400\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Win32.Besso;Deleted.;
XP-3EC8D8CF.EXE.vir;C:\_OTMoveIt\MovedFiles\12082008_130400\WINDOWS\system32;Win32.HLLW.Autoruner.2665;Incurable.Moved.;
Scan took 8 hours!
That's what happens when you have no Antivirus installed, use multiple P2P programs and then use Keygens.
Cracks, Keygens and Warez
In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.
This applies to Cracks, Keygens and Warez
In the future I strongly suggest you stay away from using cracks and/or Keygens.
Right, let's see if we can get things moving now.
Step 1
OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Reg)
:Reg
[-hkey_current_user\software\dudu]
:Files
C:\Deckard
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer\gmer.exe
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM
C:\Documents and Settings\Administrator\Desktop\SDFix.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
C:\Program my\BitComet
C:\SDFix
C:\sUBs
C:\WINDOWS\Installer\835db16.msi
c:\windows\keyboard1.dat
C:\WINDOWS\system32\shell.fne
:Commands
[Purity]
[EmptyTemp]
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
----------------------------------------------------------- -----------------------------------------------------------
Step 2
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Post the log from ComboFix when you've accomplished that.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
----------------------------------------------------------- -----------------------------------------------------------
Step 3
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
OTMI Log
Combofix Log
How are things running now?
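Added example, not code from this thread or from OldTimer's OTMoveIt3: a small Python cross-check that parses a fix script in the :Reg / :Files / :Commands format pasted above together with the results log it produced, and reports for every requested :Files entry whether it was moved, is still scheduled for the reboot, or was not found, so a helper can see at a glance what to re-check after the restart. The sample script and log below are constructed, modelled on the ones in this thread; the outcome phrases are the ones OTMoveIt3 prints.

```python
import re
from collections import defaultdict

# Constructed sample fix script in the OTMoveIt3 paste format (shortened
# version of the one posted in this thread).
SAMPLE_SCRIPT = r"""
:Reg
[-hkey_current_user\software\dudu]
:Files
C:\Deckard
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\*.*
C:\WINDOWS\system32\shell.fne
:Commands
[Purity]
[EmptyTemp]
"""

# Constructed sample results log using the phrases OTMoveIt3 prints.
SAMPLE_LOG = r"""
========== REGISTRY ==========
Registry key hkey_current_user\software\dudu\\ not found.
========== FILES ==========
C:\Deckard\System Scanner moved successfully.
C:\Deckard moved successfully.
File/Folder C:\Documents and Settings\Administrator\Desktop\ComboFix.exe not found.
C:\Documents and Settings\Administrator\Local Settings\Temp\PSSysChk.log moved successfully.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\flaEB.tmp scheduled to be moved on reboot.
C:\WINDOWS\system32\shell.fne moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
"""

# One pattern per outcome phrase found in the FILES section of the log.
LOG_PATTERNS = [
    ("scheduled", re.compile(r"^(?:File|Folder) move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")),
    ("not_found", re.compile(r"^File/Folder (?P<path>.+?) not found\.$")),
    ("moved", re.compile(r"^(?P<path>.+?) moved successfully\.$")),
]


def parse_script(text):
    """Split a fix script into {section: [entries]}.

    Section names are the ':Reg', ':Files', ':Commands' headers without the
    colon, lowercased. Entries before any header are an error.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return dict(sections)


def parse_log(text):
    """Map each path reported in the FILES section (lowercased) to its outcome."""
    outcomes = {}
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=========="):
            in_files = "FILES" in line  # only the FILES section carries per-path results
            continue
        if not in_files:
            continue
        for outcome, pattern in LOG_PATTERNS:
            match = pattern.match(line)
            if match:
                outcomes[match.group("path").lower()] = outcome
                break
    return outcomes


def outcome_for(entry, outcomes):
    """Outcome of one :Files entry; a trailing \\*.* wildcard covers every
    logged path under that folder and is 'scheduled' if any of them is."""
    key = entry.lower()
    if key.endswith(r"\*.*"):
        prefix = key[:-3]  # keep the trailing backslash
        hits = [o for p, o in outcomes.items() if p.startswith(prefix)]
        if not hits:
            return "unreported"
        return "scheduled" if "scheduled" in hits else "moved"
    return outcomes.get(key, "unreported")


def reconcile(script_text, log_text):
    """Return {entry: outcome} for every :Files entry in the script."""
    requested = parse_script(script_text).get("files", [])
    outcomes = parse_log(log_text)
    return {entry: outcome_for(entry, outcomes) for entry in requested}


def needs_followup(report):
    """Entries to re-check after the reboot: anything not confirmed moved."""
    return sorted(entry for entry, outcome in report.items() if outcome != "moved")


if __name__ == "__main__":
    for entry, outcome in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{outcome:<10} {entry}")
```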
Thanks for the warning about the p2p/cracks/keygens, I will follow your advice.
When the computer rebooted, on request of OTMoveIt3, there was this Windows prompt telling me something along the lines of "This system has recovered from a serious error. A log of this was created." A good omen?
OTMoveIt log:
========== REGISTRY ==========
Registry key hkey_current_user\software\dudu\\ not found.
========== FILES ==========
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\KHQNOFGP moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\EXJAR0S3 moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\EJXLGXNS moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\0PIVGP0D moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5 moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\History\History.IE5 moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\History moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp\Cookies moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\temp moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files moved successfully.
C:\Deckard\System Scanner\backup\WINDOWS moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VBE moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-8 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-7 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-6 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-5 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-4 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-3 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-2 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp-1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Spyware moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq234.tmp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msoclip1\01 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msoclip1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MessengerCache moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FrontPageTempDir moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\F-Secure\Anti-Virus moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\F-Secure moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bc_cache moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobe\Acrobat\7.0 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobe\Acrobat moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Adobe moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1 moved successfully.
C:\Deckard\System Scanner\backup\DOCUME~1 moved successfully.
C:\Deckard\System Scanner\backup moved successfully.
C:\Deckard\System Scanner moved successfully.
C:\Deckard moved successfully.
File/Folder C:\Documents and Settings\Administrator\Desktop\ComboFix.exe not found.
C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\gmer\gmer.exe moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.Keygen.Only-Lz0\lz0nem01 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MP4.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MP4.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MOV.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.MOV.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.WMV.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.WMV.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.PSP.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.PSP.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.MP4.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.MP4.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.iPod.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.iPod.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.DivX.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.DivX.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.3GP.Converter.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.to.3GP.Converter.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Ripper.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Ripper.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Audio.Ripper.v4.0.52.0616.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.DVD.Audio.Ripper.v4.0.52.0616.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.CD.Ripper.v1.0.36.Incl.Keygen-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.AVI.MPEG.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.AVI.MPEG.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.3GP.Video.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL moved successfully.
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.3GP.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 moved successfully.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM scheduled to be moved on reboot.
File/Folder C:\Documents and Settings\Administrator\Desktop\SDFix.exe not found.
C:\Documents and Settings\Administrator\Local Settings\Temp\000041228122079599.wmv moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\000041228444212470.wmv moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\000041228450627967.wmv moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\30298776.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\3jLyThf4.torrent.part moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\AssLikeThat - Donna Red.mpg.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\AV Pics.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Booty Full Babes 3.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ee366d2b2e4ede8287de879e85a0dcc2PSK_PLUGINS_2 moved successfully.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_nRyWmQXEReVhdLGLk1en scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_XDs33n9W6B8zJ9OMW5nd moved successfully.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\flaEB.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Administrator\Local Settings\Temp\flaF7.tmp scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\Gccq6g0v.exe.part moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Administrator\Local Settings\Temp\hGu8YnFX.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\hGu8YnFX.dll NOT unregistered.
C:\Documents and Settings\Administrator\Local Settings\Temp\hGu8YnFX.dll moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Kiara Marie_Thick White Heart Butts .avi.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Likem Low Lele.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_1e8.dat moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\PNX165.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\PSSysChk.log moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Rar$LS17.77312 moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Scrumpshuzzz_AtomicGdog.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\stadistic.log moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\steverock.torrent moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\thunder_vod_MjQxNTkxOTk1Nw==.rmvb moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF10EB.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF2199.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF21A6.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8D21.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC53.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFEAA.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFEB7.tmp moved successfully.
C:\Program my\BitComet\Torrents moved successfully.
C:\Program my\BitComet\rules moved successfully.
C:\Program my\BitComet\lang moved successfully.
C:\Program my\BitComet\fav\ad moved successfully.
C:\Program my\BitComet\fav moved successfully.
C:\Program my\BitComet\Downloads moved successfully.
C:\Program my\BitComet\codec moved successfully.
C:\Program my\BitComet moved successfully.
C:\SDFix\backups moved successfully.
C:\SDFix\apps\Replace\xp moved successfully.
C:\SDFix\apps\Replace\w2k moved successfully.
C:\SDFix\apps\Replace moved successfully.
C:\SDFix\apps moved successfully.
C:\SDFix moved successfully.
C:\sUBs\TSF moved successfully.
C:\sUBs moved successfully.
C:\WINDOWS\Installer\835db16.msi moved successfully.
c:\windows\keyboard1.dat moved successfully.
C:\WINDOWS\system32\shell.fne moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_nRyWmQXEReVhdLGLk1en scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaEB.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaF7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12102008_151240
Files moved on Reboot...
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.Video.to.Audio.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a\ethrc31 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL\ethrc31a scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.RM.Converter.v3.1.7.0616b.WinAll.Regged-EiTheL scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0\Linezer0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM\Xilisoft.iPod.Video.Converter.v3.1.7.0616b.Keygen.Only-Lz0 scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\Xilisoft.Complet-Pack.All.Video.Audio.Converters.Incl.Keygen-Lz0-EiTheL_ALLTEAM scheduled to be moved on reboot.
File C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_nRyWmQXEReVhdLGLk1en not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\flaEB.tmp not found!
File C:\Documents and Settings\Administrator\Local Settings\Temp\flaF7.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\etilqs_nRyWmQXEReVhdLGLk1en not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaEB.tmp not found!
File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\flaF7.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\XUL.mfl moved successfully.
--------------------
Note: Combofix asked me to update when I ran it, but the update could not be retrieved and it continued with its current version. Also, I closed everything possible just as in the instructions, but it had to reboot the computer to finish and certain programs did load (in the background) after startup. Don't think it hindered combofix though. The log:
ComboFix 08-12-09.03 - Administrator 2008-12-10 16:02:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.296 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\com.run
c:\windows\system32\dp1.fne
c:\windows\system32\eAPI.fne
c:\windows\system32\internet.fne
c:\windows\system32\og.edt
c:\windows\system32\RegEx.fnr
c:\windows\system32\spec.fne
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
-------\Legacy_VFILT
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.
2008-12-10 02:13 . 2008-12-10 02:15 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2008-12-09 20:16 . 2008-12-09 20:16 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2008-12-09 18:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-09 18:40 . 2008-12-09 18:40 <DIR> d-------- c:\program files\Panda Security
2008-12-08 13:04 . 2008-12-08 13:04 <DIR> d-------- C:\_OTMoveIt
2008-12-04 13:53 . 2008-12-04 13:53 <DIR> d-------- C:\rsit
2008-11-29 11:01 . 2008-12-03 09:57 <DIR> d-------- c:\program files\Spyware Terminator
2008-11-29 11:01 . 2008-12-03 18:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2008-11-29 11:01 . 2008-12-03 09:51 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2008-11-29 11:01 . 2008-11-29 11:01 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2008-11-29 09:40 . 2008-11-29 14:19 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 09:39 . 2008-11-29 09:39 <DIR> d-------- c:\program files\Trojan Remover
2008-11-29 09:39 . 2008-11-29 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-29 09:39 . 2008-11-29 09:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Simply Super Software
2008-11-29 09:39 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-11-29 09:39 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2008-11-29 09:39 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-11-29 09:39 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-11-29 09:39 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-11-28 23:11 . 2008-11-29 09:53 159 --------- C:\autorun.inf.vir
2008-11-23 17:10 . 2008-11-27 11:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 10:30 --------- d-----w c:\program files\mIRC
2008-12-03 20:04 --------- d-----w c:\program files\SopCast
2008-11-27 10:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 14:34 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-23 12:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-01-05 02:22 81,920 ----a-w c:\documents and settings\Administrator\Application Data\ezpinst.exe
2008-01-05 02:22 47,360 ------w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2004-03-28 17:46 1,340,416 -c-ha-w c:\program files\mplayerc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-10 180269]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"Thunder"="c:\program files\Thunder Network\Thunder\Thunder.exe" [2008-08-12 45056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PowerWord 2002.lnk - c:\program my\Kingsoft\XDict\XDICT.EXE [2004-11-21 749568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"MSACM.MI-SC4"= MI-SC4.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kingsoft\\PowerWord 2005\\XDICT.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"25435:TCP"= 25435:TCP:BitComet 25435 TCP
"25435:UDP"= 25435:UDP:BitComet 25435 UDP
"49152:TCP"= 49152:TCP:BitComet 49152 TCP
"49152:UDP"= 49152:UDP:BitComet 49152 UDP
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-09 28544]
.
Contents of the 'Scheduled Tasks' folder
2008-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: 使用迅雷下载 - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe -
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\q38jz7xc.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.nl
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program my\VideoLAN\VLC\npvlc.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 16:06:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\program files\Thunder Network\Thunder\Program\Thunder5.exe
c:\windows\system32\notepad.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Thunder Network\Thunder\Components\InMedia\ThunderMinisite.exe
.
**************************************************************************
.
Completion time: 2008-12-10 16:11:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-10 15:10:01
Pre-Run: 1,094,266,880 bytes free
Post-Run: 1,027,620,864 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
172 --- E O F --- 2008-11-13 02:04:50
Malwarebytes' Anti-Malware
Start MalwareBytes AntiMalware
Update Malwarebytes' Anti-Malware
Select the Update tab
Click Update
When the update is complete, select the Scanner tab
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Are there any problems now ?
Malwarebytes log:
Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 2
08-12-10 20:45:06
mbam-log-2008-12-10 (20-45-06).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108916
Time elapsed: 1 hour(s), 9 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\NetworkService\Cookies\MM2048.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\MM256.DAT (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\bumo.reg (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jababug.inf (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\uwux.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\jiceji._sy (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\esycire._dl (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Cookies\syssp.exe (Fake.Dropped.Malware) -> Delete on reboot.
=========================================
Kaspersky log ( OTMoveIT3 is a backdoor?):
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 10, 2008 22:20:53
Records in database: 1450451
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 80934
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:48:07
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\Low Gong\Software\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\Administrator\Desktop\OTMoveIt3.exe Infected: Backdoor.Win32.SubSeven.asu 1
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\XP-3EC8D8CF.EXE.vir Infected: Worm.Win32.AutoRun.sow 1
The selected area was scanned.
Kaspersky log ( OTMoveIT3 is a backdoor?):
I have reported it to Kaspersky as a False Positive :police:
OTMoveIt
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Files )
:Files
C:\Program Files\BitTornado
C:\Program my\BitComet
C:\Program Files\ABC
C:\Program Files\uTorrent
C:\Program Files\KuGoo2
C:\autorun.inf.vir
C:\Documents and Settings\NetworkService\Cookies\*.*
:Reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTornado\btdownloadgui.exe"=-
"C:\Program my\BitComet\BitComet.exe"=-
"C:\Program Files\ABC\abc.exe"=-
"C:\Program Files\uTorrent\uTorrent.exe"=-
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Are there any problems now ?
========== FILES ==========
File/Folder C:\Program Files\BitTornado not found.
File/Folder C:\Program my\BitComet not found.
File/Folder C:\Program Files\ABC not found.
File/Folder C:\Program Files\uTorrent not found.
File/Folder C:\Program Files\KuGoo2 not found.
C:\autorun.inf.vir moved successfully.
File/Folder C:\Documents and Settings\NetworkService\Cookies\*.* not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\BitTornado\btdownloadgui.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program my\BitComet\BitComet.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\ABC\abc.exe not found.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\uTorrent\uTorrent.exe not found.
OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_201059
----------------------
To the question of how everything is running now... the worm and the file itself, rundll.exe that was in C:, is gone and everything seems fine. I don't know which very old file(s) you meant though, when you said earlier in this thread that my comp was heavily infected by an old virus. That one has been fixed by the 8 hour scan by DR. CureIT?
If so, the autorun.inf file on D: that was detected by DR. CureIT is still there but is now renamed autorun.inf.vir... has it been quarantined and if so, do I need (or is it possible) to delete the files quarantined by Dr CureIT?
I don't know which very old file(s) you meant though, when you said earlier in this thread that my comp was heavily infected by an old virus. That one has been fixed by the 8 hour scan by DR. CureIT?
Yes, that is an old infection. If you had an Antivirus installed you would not have had all this trouble.
You can delete
D:\autorun.inf.vir << file
C:\Documents and Settings\Administrator\DoctorWeb << folder
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup. Allows delayed startup. A must have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative.
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can choose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Hi, well I have cleaned up my computer using your methods (still have to take a closer look at your list of programs when I have a bit more time to sit behind my desktop, but I'm sure I'll find something useful, thanks) and everything seems fine. Thank you very much for your help. I have two more questions though:
About the desktop.ini thing (which I pointed out earlier in this thread) that starts itself and pops up in notepad whenever I have rebooted... it has the text:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
This had started around the time I got infected and asked for help on here I think. I suddenly found ''desktop.ini'' when I go to ''start'' (it's above ''programs'' in a separate section), it's also in my favorites list in explorer and I also find it when I go to ''start''->''programs'' at the end of the list of software. Is this in any way harmful, and even if not, how can I get it to stop popping up after I start up my comp?
Also, one of your first instructions was that I should connect the culprit of the problems, the camera memorycard on which the worm/rundll.exe was present, to my computer and use flashdisinfector. As I remember, it did not get rid of the worm on my memory card and my computer either at that time. Now my computer is fixed, but this probably means my memory card with the photos can not be connected to this computer without infecting this system again = I should throw away and buy another mem card to put it bluntly? Or is there a way to save the card...
Thank you for your time.
everything seems fine
Sorry, I presumed that the "desktop.ini" problem had been sorted given the above statement.
You should be safe to connect your camera memory card now, as the autorun file has been deleted.
I recommend that you format it to make sure that everything is cleaned.
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it fix.bat Please save it on your desktop.
@echo off
rem Check each Start Menu folder for a stray desktop.ini and delete it.
rem The paths contain spaces, so they are quoted; %%~G strips the quotes again.
for %%G in (
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
"C:\Documents and Settings\All Users\Start Menu\Programs"
"C:\Documents and Settings\All Users\Start Menu"
) DO (
rem /a so a hidden or system desktop.ini is deleted too, /f in case it is read-only
if exist "%%~G\desktop.ini" del /f /q /a "%%~G\desktop.ini"
)
rem Delete this batch file itself (quoted, as the Desktop path has spaces), then exit.
del /q "%~f0"
exit
Double click on fix.bat
Please be patient, as this will search the entire disc
Please reboot and see if the problem has stopped
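Before trusting a memory card again, it helps to know what an autorun.inf on it would actually do. The following is an added example, not a tool from this thread: it parses an autorun.inf and reports the directives that make Explorer run a program when the drive is opened, or that rewrite the right-click Open/Explore verbs (the symptom seen on the infected drives). Both sample files are constructed; rundll.exe is only the file name the thread reports.

```python
"""Inspect an autorun.inf from removable media for the directives an AutoRun
worm uses to launch itself. Added example for this thread; not the helper's tool."""
import re

# Constructed sample in the style of an AutoRun worm's autorun.inf (not the file
# from the poster's card). rundll.exe is the file name the thread reports; the
# non-English verb labels are what Explorer showed garbled as "??(o)" / "?????(x)".
SAMPLE_WORM_INF = r"""[AutoRun]
open=rundll.exe
shellexecute=rundll.exe
shell\open=打开(&O)
shell\open\Command=rundll.exe
shell\explore=资源管理器(&X)
shell\explore\Command=rundll.exe
shell=open
"""

# Constructed benign sample: a camera or CD may legitimately carry only icon/label.
SAMPLE_BENIGN_INF = r"""[autorun]
icon=camera.ico
label=Photos
"""

EXEC_KEYS = ("open", "shellexecute")                      # program run by AutoRun
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")  # shell\<verb>\command=<exe>
VERB_LABEL = re.compile(r"^shell\\([^\\]+)$")             # shell\<verb>=<menu label>

def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lowercased.
    Hand-rolled rather than configparser so malformed lines are skipped, not
    raised on, which is how Windows treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def analyze_autorun(text):
    """Return (severity, detail) findings for one autorun.inf.
    high: opening/double-clicking the drive runs a program.
    medium: Explorer's right-click verbs or its default verb are rewritten.
    info: cosmetic directives a clean card may use."""
    auto = parse_autorun(text).get("autorun", {})
    findings = []
    for key in EXEC_KEYS:
        if key in auto:
            findings.append(("high", f"{key}={auto[key]} runs when the drive is opened"))
    for key, value in auto.items():
        if VERB_COMMAND.match(key):
            verb = VERB_COMMAND.match(key).group(1)
            findings.append(("high", f"right-click verb '{verb}' redirected to {value}"))
        elif VERB_LABEL.match(key):
            verb = VERB_LABEL.match(key).group(1)
            findings.append(("medium", f"right-click verb '{verb}' relabelled as {value!r}"))
    if "shell" in auto:
        findings.append(("medium", f"default double-click verb set to '{auto['shell']}'"))
    for key in ("icon", "label"):
        if key in auto:
            findings.append(("info", f"{key}={auto[key]}"))
    return findings

def launched_programs(text):
    """Program names the autorun.inf would launch: the files to quarantine along
    with the .inf itself (lowercased, quotes and arguments stripped)."""
    auto = parse_autorun(text).get("autorun", {})
    programs = set()
    for key, value in auto.items():
        if (key in EXEC_KEYS or VERB_COMMAND.match(key)) and value:
            programs.add(value.split()[0].strip('"').lower())
    return programs

def is_dangerous(text):
    """True when inserting or opening the drive could execute something."""
    return any(sev == "high" for sev, _ in analyze_autorun(text))

if __name__ == "__main__":
    for name, inf in (("worm sample", SAMPLE_WORM_INF), ("benign sample", SAMPLE_BENIGN_INF)):
        print(f"== {name}: dangerous={is_dangerous(inf)}, launches={sorted(launched_programs(inf))}")
        for severity, detail in analyze_autorun(inf):
            print(f"  [{severity}] {detail}")
```

On a real card, read the file from the drive root and pass its contents to analyze_autorun; anything reported as high is a reason to quarantine the .inf and the programs it names before opening the drive in Explorer.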
Due to inactivity, this thread will now be closed.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.