Virtumonde got me



SageMaven
2008-12-14, 23:03
I have been infected with Virtumonde. Before I read these forums I ran Spybot and tried to run the fix. It said that the problems were fixed; however, it's obviously a bigger issue than that. Here is my HJT log. This is the first time I've used these forums, so let me know if there is anything else I need to post.

Thanks!
SageMaven


Logfile of HijackThis v1.99.1
Scan saved at 3:48:05 PM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7036] command /c del "C:\WINDOWS\system32\dicymwsj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4213] cmd /c del "C:\WINDOWS\system32\dicymwsj.dll_old"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB713] command /c del "C:\WINDOWS\system32\dicymwsj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8114] cmd /c del "C:\WINDOWS\system32\dicymwsj.dll_old"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: euhmpy.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: VMware Converter Service (ufad-p2v) - Unknown owner - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml (file missing)
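
Added example (not from this thread, from HijackThis, or from the helper): a rule-based first pass over the "Oxx" entry lines of a HijackThis log like the one above. The sample lines are copied from the two HijackThis logs posted in this thread (plus one benign O4 line from the same log to show it passes), and the function and rule names are my own; the rules flag the entry classes a helper looks at first for this kind of infection (AppInit_DLLs, Winlogon Notify, unnamed or orphaned BHOs, pending RunOnce deletions) and are a triage aid, not a verdict.

```python
"""Rule-based triage of HijackThis (HJT) log entry lines.

Added example, not code from the forum thread or from HijackThis itself.
Every flagged line still needs a human to verify the file's publisher and
location before anything is removed.
"""
import re
from dataclasses import dataclass

# Entry lines copied from the HJT logs posted in this thread (not constructed).
# The Spybot BHO and iTunesHelper lines are included to show benign entries
# pass through unflagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: {09767bae-fa7f-b05a-6e74-828ef3ab1543} - {3451ba3f-e828-47e6-a50b-f7afeab76790} - C:\WINDOWS\system32\cqxxha.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {98CEB1DB-A64D-4B89-8E01-FD39912A4C46} - C:\WINDOWS\system32\vtUolLff.dll (file missing)
O2 - BHO: (no name) - {A7198A1A-B105-423E-8170-48E3FDE549BA} - C:\WINDOWS\system32\rqRKEurr.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7036] command /c del "C:\WINDOWS\system32\dicymwsj.dll_old"
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: euhmpy.dll
O20 - Winlogon Notify: ssqNfdeC - C:\WINDOWS\SYSTEM32\ssqNfdeC.dll
"""

# An HJT entry line: section tag ("O2", "O20", "R1", ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.+)$")
# A bare {8-4-4-4-12} GUID; a BHO whose display name is a GUID has no real name.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log: str):
    """Yield (section, body, full_line) for each entry line in the log."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def _bho_parts(body: str):
    """Split 'BHO: <name> - {CLSID} - <path>' into (name, clsid, path)."""
    fields = body[len("BHO: "):].split(" - ", 2)
    return fields if len(fields) == 3 else None


def triage(log: str) -> list[Finding]:
    """Return the entries a helper would examine first, each with a reason."""
    findings: list[Finding] = []
    for sec, body, line in parse_entries(log):
        if sec == "O2" and body.startswith("BHO: "):
            parts = _bho_parts(body)
            if parts is None:
                continue
            name, _clsid, path = parts
            orphan = path.endswith("(no file)") or path.endswith("(file missing)")
            if name == "(no name)" or GUID_RE.match(name):
                why = "BHO registered without a readable name"
                if orphan:
                    why += "; file is gone (orphan entry, clean up registry)"
                elif "\\system32\\" in path.lower():
                    why += "; DLL sits directly in system32, check its publisher"
                findings.append(Finding(sec, line, why))
        elif sec == "O4" and "RunOnce:" in body and " del " in body:
            findings.append(Finding(sec, line,
                "pending RunOnce deletion: an earlier cleanup could not remove "
                "the file while it was loaded, expect the infection to persist"))
        elif sec == "O10":
            findings.append(Finding(sec, line,
                "Winsock LSP: confirm the vendor before removal, a broken "
                "LSP chain loses network connectivity"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(sec, line,
                "AppInit_DLLs is loaded into every process that loads user32.dll"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(sec, line,
                "Winlogon Notify package runs inside winlogon.exe at logon"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```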

katana
2008-12-20, 14:45
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)


If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following


Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.

SageMaven
2008-12-22, 22:37
Thanks for the help! :)

Log.txt

Logfile of random's system information tool 1.05 (written by random/random)
Run by admin at 2008-12-22 15:33:50
Microsoft Windows XP Professional Service Pack 3
System drive C: has 47 GB (41%) free of 114 GB
Total RAM: 895 MB (15% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:34 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\admin\Desktop\RSIT.exe
C:\Program Files\trend micro\admin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: {09767bae-fa7f-b05a-6e74-828ef3ab1543} - {3451ba3f-e828-47e6-a50b-f7afeab76790} - C:\WINDOWS\system32\cqxxha.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {98CEB1DB-A64D-4B89-8E01-FD39912A4C46} - C:\WINDOWS\system32\vtUolLff.dll (file missing)
O2 - BHO: (no name) - {A7198A1A-B105-423E-8170-48E3FDE549BA} - C:\WINDOWS\system32\rqRKEurr.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: (no name) - {DD153FDB-E2FB-40D2-8E36-F21C36B51DAD} - C:\WINDOWS\system32\ssqNfdeC.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cqxxha.dll
O20 - Winlogon Notify: ssqNfdeC - C:\WINDOWS\SYSTEM32\ssqNfdeC.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: VMware Converter Service (ufad-p2v) - Unknown owner - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe (file missing)

--
End of file - 7372 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3451ba3f-e828-47e6-a50b-f7afeab76790}]
C:\WINDOWS\system32\cqxxha.dll [2008-12-22 103936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98CEB1DB-A64D-4B89-8E01-FD39912A4C46}]
C:\WINDOWS\system32\vtUolLff.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7198A1A-B105-423E-8170-48E3FDE549BA}]
C:\WINDOWS\system32\rqRKEurr.dll [2008-12-09 240128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-06 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DD153FDB-E2FB-40D2-8E36-F21C36B51DAD}]
C:\WINDOWS\system32\ssqNfdeC.dll [2008-11-30 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2008-10-09 463872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-09-23 21755688]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-11 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
C:\Program Files\Timbuktu Pro\\minitb2.exe [2006-10-24 1028096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Bitcomet Ultra Accelerator.lnk]
C:\PROGRA~1\BITCOM~1\BITCOM~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2005-12-15 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe [2005-12-15 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="cqxxha.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqNfdeC]
C:\WINDOWS\system32\ssqNfdeC.dll [2008-11-30 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Timbuktu Pro]
C:\Program Files\Timbuktu Pro\Hook32.dll [2006-10-24 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DD153FDB-E2FB-40D2-8E36-F21C36B51DAD}"=C:\WINDOWS\system32\ssqNfdeC.dll [2008-11-30 33280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\rqRKEurr

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\setup\HPZNET01.EXE"="E:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"E:\setup\HPONICIFS01.EXE"="E:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"C:\Program Files\Timbuktu Pro\TB2Scan.exe"="C:\Program Files\Timbuktu Pro\TB2Scan.exe:*:Enabled:Timbuktu Pro Scanner"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\Trillian\trillian.exe"="C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian"
"C:\Program Files\QuickTime\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\Program Files\Dune\DUNE2000.DAT"="C:\Program Files\Dune\DUNE2000.DAT:*:Enabled:Dune2000"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-22 15:33:50 ----D---- C:\rsit
2008-12-22 15:33:50 ----D---- C:\Program Files\trend micro
2008-12-22 08:38:07 ----A---- C:\WINDOWS\system32\cqxxha.dll
2008-12-22 08:38:02 ----A---- C:\WINDOWS\system32\tggaowqu.dll
2008-12-21 08:38:05 ----SH---- C:\WINDOWS\system32\oldvxcpj.ini
2008-12-21 08:38:02 ----A---- C:\WINDOWS\system32\jpcxvdlo.dll
2008-12-21 08:35:06 ----A---- C:\WINDOWS\system32\qsgaxw.dll
2008-12-21 08:35:01 ----A---- C:\WINDOWS\system32\bpomlsqo.dll
2008-12-20 08:41:00 ----SH---- C:\WINDOWS\system32\tromdslc.ini
2008-12-20 08:40:59 ----N---- C:\WINDOWS\system32\clsdmort.dll
2008-12-20 08:38:00 ----A---- C:\WINDOWS\system32\gmwcvp.dll
2008-12-20 08:37:59 ----A---- C:\WINDOWS\system32\fhvltgvy.dll
2008-12-19 08:38:00 ----SH---- C:\WINDOWS\system32\qbilwiue.ini
2008-12-19 08:37:59 ----N---- C:\WINDOWS\system32\euiwlibq.dll
2008-12-19 08:35:00 ----A---- C:\WINDOWS\system32\pgawla.dll
2008-12-19 08:34:59 ----A---- C:\WINDOWS\system32\tcotkwfu.dll
2008-12-18 08:40:58 ----A---- C:\WINDOWS\system32\qacoyo.dll
2008-12-18 08:40:57 ----A---- C:\WINDOWS\system32\ipglevfg.dll
2008-12-18 08:34:58 ----SH---- C:\WINDOWS\system32\qvloyjew.ini
2008-12-18 08:34:57 ----N---- C:\WINDOWS\system32\wejyolvq.dll
2008-12-17 08:35:02 ----A---- C:\WINDOWS\system32\yujyaa.dll
2008-12-17 08:34:59 ----A---- C:\WINDOWS\system32\bonhqmwl.dll
2008-12-17 08:32:09 ----SH---- C:\WINDOWS\system32\pgvaiund.ini
2008-12-17 08:32:06 ----N---- C:\WINDOWS\system32\dnuiavgp.dll
2008-12-16 08:34:58 ----A---- C:\WINDOWS\system32\ayolin.dll
2008-12-16 08:34:57 ----A---- C:\WINDOWS\system32\ietasmdb.dll
2008-12-16 08:31:58 ----SH---- C:\WINDOWS\system32\grfcfdbx.ini
2008-12-16 08:31:58 ----N---- C:\WINDOWS\system32\xbdfcfrg.dll
2008-12-15 02:30:57 ----SH---- C:\WINDOWS\system32\fkldliad.ini
2008-12-15 02:30:54 ----N---- C:\WINDOWS\system32\daildlkf.dll
2008-12-15 02:27:58 ----A---- C:\WINDOWS\system32\zravdb.dll
2008-12-15 02:27:54 ----A---- C:\WINDOWS\system32\lwqhesae.dll
2008-12-14 15:28:23 ----ASH---- C:\WINDOWS\system32\rruEKRqr.ini2
2008-12-14 02:34:01 ----SH---- C:\WINDOWS\system32\jswmycid.ini
2008-12-14 02:27:59 ----A---- C:\WINDOWS\system32\euhmpy.dll
2008-12-14 02:27:55 ----A---- C:\WINDOWS\system32\fidwtiyh.dll
2008-12-09 17:47:30 ----ASH---- C:\WINDOWS\system32\rruEKRqr.ini
2008-12-09 17:47:24 ----A---- C:\WINDOWS\system32\rqRKEurr.dll
2008-12-09 15:42:56 ----ASH---- C:\WINDOWS\system32\ffLloUtv.ini
2008-12-09 15:42:24 ----A---- C:\WINDOWS\wininit.ini
2008-12-05 19:31:31 ----D---- C:\Program Files\Common Files\Macromedia Shared
2008-12-05 19:18:08 ----D---- C:\Documents and Settings\All Users\Application Data\Macromedia
2008-12-05 19:16:07 ----D---- C:\Program Files\Common Files\Macromedia
2008-12-05 19:16:06 ----D---- C:\Program Files\Macromedia
2008-11-30 14:46:30 ----A---- C:\WINDOWS\system32\9700fa79-.txt
2008-11-30 14:41:25 ----D---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-30 14:41:06 ----D---- C:\Program Files\Common Files\SourceTec
2008-11-30 14:41:03 ----D---- C:\Program Files\SourceTec
2008-11-30 14:40:45 ----A---- C:\WINDOWS\system32\geBqRkkl.dll
2008-11-30 14:40:44 ----A---- C:\WINDOWS\system32\ssqNfdeC.dll
2008-11-29 11:31:19 ----D---- C:\Documents and Settings\admin\Application Data\vlc

======List of files/folders modified in the last 1 months======

2008-12-22 15:33:58 ----D---- C:\WINDOWS\Prefetch
2008-12-22 15:33:56 ----D---- C:\Documents and Settings\admin\Application Data\Azureus
2008-12-22 15:33:50 ----RD---- C:\Program Files
2008-12-22 14:44:00 ----D---- C:\Documents and Settings\admin\Application Data\Skype
2008-12-22 08:39:30 ----D---- C:\WINDOWS\system32
2008-12-22 08:35:24 ----D---- C:\WINDOWS\Temp
2008-12-21 13:42:02 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-12-20 18:21:07 ----D---- C:\Documents and Settings\admin\Application Data\gtk-2.0
2008-12-19 05:44:07 ----D---- C:\Documents and Settings\admin\Application Data\skypePM
2008-12-19 01:11:35 ----D---- C:\Program Files\Trillian
2008-12-16 19:48:51 ----D---- C:\Program Files\Mozilla Firefox
2008-12-15 08:41:17 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-09 15:46:44 ----HD---- C:\WINDOWS\inf
2008-12-09 15:46:37 ----D---- C:\WINDOWS
2008-12-08 13:35:15 ----SHD---- C:\WINDOWS\Installer
2008-12-08 13:34:25 ----HD---- C:\Config.Msi
2008-12-08 13:31:39 ----D---- C:\Program Files\Safari
2008-12-05 19:35:59 ----D---- C:\Documents and Settings\admin\Application Data\Macromedia
2008-12-05 19:31:31 ----D---- C:\Program Files\Common Files
2008-12-05 19:29:38 ----D---- C:\WINDOWS\Downloaded Installations
2008-12-05 19:24:19 ----SD---- C:\Documents and Settings\admin\Application Data\Microsoft
2008-11-23 22:40:17 ----D---- C:\SageMaven

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 Tb2Device;TB2 Remote Control Driver; C:\WINDOWS\NetopiaRC\Tb2Device.sys [2006-08-23 7244]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver; C:\WINDOWS\NetopiaRC\Tb2MirrorSys.sys [2006-08-23 15439]
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver; \??\C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys []
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-23 400384]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-02-26 611820]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2004-08-19 189568]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\system32\drivers\lccfltr.sys [2004-03-03 14095]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 s616bus;Sony Ericsson Device 616 driver (WDM); C:\WINDOWS\system32\DRIVERS\s616bus.sys [2007-04-03 83208]
S3 s616mdfl;Sony Ericsson Device 616 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s616mdfl.sys [2007-04-03 15112]
S3 s616mdm;Sony Ericsson Device 616 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s616mdm.sys [2007-04-03 108680]
S3 s616mgmt;Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s616mgmt.sys [2007-04-03 100360]
S3 s616nd5;Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (NDIS); C:\WINDOWS\system32\DRIVERS\s616nd5.sys [2007-04-03 23176]
S3 s616obex;Sony Ericsson Device 616 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s616obex.sys [2007-04-03 98568]
S3 s616unic;Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM); C:\WINDOWS\system32\DRIVERS\s616unic.sys [2007-04-03 99080]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SNDP202;Dual Mode Camera (8008 VGA); C:\WINDOWS\system32\DRIVERS\sndp202.sys [2003-03-26 228096]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-06 168432]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-03-14 69632]
R2 StarWindService;StarWind iSCSI Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe [2005-04-02 217600]
R2 Tb2Launch;Tb2 Launch; C:\Program Files\Timbuktu Pro\tb2launch.exe [2006-10-24 126976]
S2 ufad-p2v;VMware Converter Service; C:\Program Files\VMware\VMware Converter\vmware-ufad.exe -d C:\Program Files\VMware\VMware Converter\\ -s ufad-p2v.xml []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

info.txt

info.txt logfile of random's system information tool 1.05 2008-12-22 15:34:41

======Uninstall list======

-->MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AbiWord 2.6.4-->C:\Program Files\AbiSuite2\UninstallAbiWord2.exe
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
AnalogX NetStat Live-->C:\Program Files\AnalogX\NetStat Live\nslu.exe
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe -runfromtemp -l0x0009 -removeonly
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Command & Conquer-->C:\Program\EA GAMES\Uninstal.exe
Driver Detective-->C:\Program Files\InstallShield Installation Information\{621C02EA-AAFF-4026-A903-165D59529A16}\setup.exe -runfromtemp -l0x0409
Dual Mode Camera (8008 VGA)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E85397AD-D60E-4141-82E6-FAA312A09271}\Setup.exe" -l0x9
Gimp 2.6.2-->"C:\Program Files\Gimp-2.0\setup\unins000.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Document Viewer 6.1-->C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Extended Capabilities 6.1-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 6.1-->C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Premier Software 6.1-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 6.1.A-->"C:\Program Files\HP\Digital Imaging\{E5A8DDAB-AE80-48C6-A75B-D0FAB83B299D}\setup\hpzscr01.exe" -datfile hposcr08.dat
HP Solution Center and Imaging Support Tools 6.1-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Macromedia Contribute 3.11-->MsiExec.exe /I{4B9535BF-CC90-4158-AF32-CAF57A8820CA}
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8-->MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash Player 8-->MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Marvell Miniport Driver-->MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003-->MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{924EB80F-C2BB-4B9F-8412-88BBA937393F}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PhotoSuite 4 (Remove Only)-->"C:\Program Files\Roxio\PhotoSuite 4\System\MGIUninstall.exe" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Roxio\PhotoSuite 4\Uninst.isu" -c"C:\Program Files\Roxio\PhotoSuite 4\System\CustomUninstall.dll"
Photosynth 2.0.1403.12-->MsiExec.exe /X{556EEE74-6788-4292-8252-8B17E2C7952A}
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Safari-->MsiExec.exe /I{582D2A53-F426-4C5E-A2E6-43C1AB36B907}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony Ericsson PC Suite 3.209.00-->C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
Sothink SWF Decompiler-->"C:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
Spybot - Search & Destroy 1.5.2.20-->"C:\WINDOWS\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SpywareBlaster v3.5.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
Timbuktu Pro-->MsiExec.exe /X{4EB28000-AC5E-4527-88EE-DD8A04483810}
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Veoh Web Player Beta-->"C:\Program Files\Veoh Networks\VeohWebPlayer\uninst.exe"
Virtual Cable Tester-->MsiExec.exe /X{3D654496-9C3D-4565-858C-3E551ECDA4E2}
VLC media player 0.9.6-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VMware Converter-->MsiExec.exe /I{E2FB450C-E0F1-466E-8D73-7CC010841DF8}
Vuze-->C:\Program Files\Vuze\uninstall.exe
Westwood Shared Internet Components-->C:\Westwood\Internet\UNINSTAP.EXE
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
xVideoServiceThief-->MsiExec.exe /I{CE27EACD-B61A-4E4B-8D61-25BF51D40007}
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Hosts File======

System event log

Computer Name: WINDOZESCHOOL
Event Code: 7036
Message: The Pml Driver HPZ12 service entered the stopped state.

Record Number: 3056
Source Name: Service Control Manager
Time Written: 20080902163019.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 3055
Source Name: Service Control Manager
Time Written: 20080902162956.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.

Record Number: 3054
Source Name: Service Control Manager
Time Written: 20080902162954.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 7036
Message: The Computer Browser service entered the stopped state.

Record Number: 3053
Source Name: Service Control Manager
Time Written: 20080902162952.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 3052
Source Name: Service Control Manager
Time Written: 20080902162950.000000-300
Event Type: information
User:

Application event log

Computer Name: WINDOZESCHOOL
Event Code: 0
Message:
Record Number: 1406
Source Name: iPod Service
Time Written: 20081101155505.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 11728
Message: Product: WebFldrs XP -- Configuration completed successfully.

Record Number: 1405
Source Name: MsiInstaller
Time Written: 20081101155452.000000-300
Event Type: information
User: WINDOZESCHOOL\White

Computer Name: WINDOZESCHOOL
Event Code: 15505
Message: Wired 802.1X Authentication succeeded.



Network Adapter: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport

Interface GUID: {2e2a6f4f-70fb-41ab-b4b4-027b1f4e8937}

Peer Address: 000000000000

Local Address: 0011D884F796

Connection ID: 0x00000001

Identity: -

User: -

Domain: -

Reason: 458755

Reason Text:

Error Code: 0


Record Number: 1404
Source Name: Dot3Svc
Time Written: 20081101155443.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 15504
Message: Wired 802.1X Authentication was restarted.



Network Adapter: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport

Interface GUID: {2e2a6f4f-70fb-41ab-b4b4-027b1f4e8937}

Connection ID: 0x00000001

Restart Reason: Onex User Changed


Record Number: 1403
Source Name: Dot3Svc
Time Written: 20081101155428.000000-300
Event Type: information
User:

Computer Name: WINDOZESCHOOL
Event Code: 15504
Message: Wired 802.1X Authentication was restarted.



Network Adapter: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport

Interface GUID: {2e2a6f4f-70fb-41ab-b4b4-027b1f4e8937}

Connection ID: 0x00000001

Restart Reason: Onex User Changed


Record Number: 1402
Source Name: Dot3Svc
Time Written: 20081101155414.000000-300
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

katana
2008-12-22, 22:44
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
Combofix Log
How are things running now?

SageMaven
2008-12-23, 02:23
Malwarebytes' Anti-Malware 1.31
Database version: 1533
Windows 5.1.2600 Service Pack 3

12/22/2008 6:52:05 PM
mbam-log-2008-12-22 (18-52-05).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 295028
Time elapsed: 2 hour(s), 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 13
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jpcxvdlo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRKEurr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zravdb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ssqNfdeC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bonhqmwl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ipglevfg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tcotkwfu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fhvltgvy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gmwcvp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bpomlsqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tggaowqu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cqxxha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qacoyo.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3451ba3f-e828-47e6-a50b-f7afeab76790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3451ba3f-e828-47e6-a50b-f7afeab76790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a7198a1a-b105-423e-8170-48e3fde549ba} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a7198a1a-b105-423e-8170-48e3fde549ba} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqnfdec (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a7198a1a-b105-423e-8170-48e3fde549ba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3451ba3f-e828-47e6-a50b-f7afeab76790} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{dd153fdb-e2fb-40d2-8e36-f21c36b51dad} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rqrkeurr -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrkeurr -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cqxxha.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRKEurr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rruEKRqr.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rruEKRqr.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNfdeC.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\clsdmort.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tromdslc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\daildlkf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fkldliad.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dnuiavgp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pgvaiund.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\euiwlibq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbilwiue.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jpcxvdlo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oldvxcpj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wejyolvq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qvloyjew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xbdfcfrg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\grfcfdbx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zravdb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bonhqmwl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ipglevfg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tcotkwfu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fhvltgvy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gmwcvp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bpomlsqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tggaowqu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qacoyo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\03BVIK9L\kb600179[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\SXGDI7OD\CAXK6L5R (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\SXGDI7OD\CA9WG3T1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\VNLF7H44\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP362\A0043155.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fidwtiyh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBqRkkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pgawla.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\euhmpy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lwqhesae.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yujyaa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qsgaxw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\Program Files\Now Software\Now Contact\_uninst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
J:\Program Files\Now Software\Now Up-to-Date\_uninst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
ComboFix 08-12-21.04 - admin 2008-12-22 19:10:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.613 [GMT -6:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ayolin.dll
c:\windows\system32\ffLloUtv.ini
c:\windows\system32\ietasmdb.dll
c:\windows\system32\jswmycid.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-22 16:31 . 2008-12-22 16:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 16:31 . 2008-12-22 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-22 16:31 . 2008-12-22 16:31 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-22 16:31 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-22 16:31 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-22 15:33 . 2008-12-22 15:34 <DIR> d-------- C:\rsit
2008-12-22 15:33 . 2008-12-22 15:34 <DIR> d-------- c:\program files\trend micro
2008-12-09 17:25 . 2008-12-09 17:25 32 --a------ c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-09 15:42 . 2008-12-14 15:27 153 --a------ c:\windows\wininit.ini
2008-12-05 19:31 . 2008-12-05 19:31 <DIR> d-------- c:\program files\Common Files\Macromedia Shared
2008-12-05 19:16 . 2008-12-05 19:31 <DIR> d-------- c:\program files\Macromedia
2008-12-05 19:16 . 2008-12-05 19:22 <DIR> d-------- c:\program files\Common Files\Macromedia
2008-11-30 14:41 . 2008-11-30 14:41 <DIR> d-------- c:\program files\SourceTec
2008-11-30 14:41 . 2008-11-30 14:41 <DIR> d-------- c:\program files\Common Files\SourceTec
2008-11-30 14:41 . 2008-11-30 14:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-11-29 11:31 . 2008-11-29 13:22 <DIR> d-------- c:\documents and settings\admin\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 00:56 --------- d-----w c:\documents and settings\admin\Application Data\skypePM
2008-12-23 00:56 --------- d-----w c:\documents and settings\admin\Application Data\Skype
2008-12-22 21:39 --------- d-----w c:\documents and settings\admin\Application Data\Azureus
2008-12-22 21:38 --------- d-----w c:\program files\Trillian
2008-12-22 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-21 00:21 --------- d-----w c:\documents and settings\admin\Application Data\gtk-2.0
2008-12-08 19:31 --------- d-----w c:\program files\Safari
2008-11-21 07:38 --------- d-----w c:\program files\Vuze
2008-11-20 21:35 --------- d-----w c:\program files\Yahoo!
2008-11-20 06:18 --------- d-----w c:\program files\Gimp-2.0
2008-11-20 05:31 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 02:55 --------- d-----w c:\documents and settings\admin\Application Data\Yahoo!
2008-11-10 09:34 --------- d-----w c:\documents and settings\All Users\Application Data\PrettyMay
2008-10-24 18:32 --------- d-----w c:\program files\AbiSuite2
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-10-24 13:18 81920 c:\program files\timbuktu pro\HOOK32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cqxxha.dll

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^Bitcomet Ultra Accelerator.lnk]
path=c:\documents and settings\admin\Start Menu\Programs\Startup\Bitcomet Ultra Accelerator.lnk
backup=c:\windows\pss\Bitcomet Ultra Accelerator.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-11 19:09 133104 c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TLogonPath]
--a------ 2006-10-24 13:17 1028096 c:\program files\timbuktu pro\minitb2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"= 8710:TCP:BitComet 8710 TCP
"8710:UDP"= 8710:UDP:BitComet 8710 UDP

R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys []
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys []
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\VMware\VMware Converter\vstor2-p2v30.sys [2008-04-29 19248]
S2 ufad-p2v;VMware Converter Service;"c:\program files\VMware\VMware Converter\vmware-ufad.exe" -d "c:\program files\VMware\VMware Converter\\" -s ufad-p2v.xml []
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\lccfltr.sys [2008-10-12 14095]
S3 SNDP202;Dual Mode Camera (8008 VGA);c:\windows\system32\DRIVERS\sndp202.sys [2007-09-07 228096]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-11 19:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{98CEB1DB-A64D-4B89-8E01-FD39912A4C46} - c:\windows\system32\vtUolLff.dll
Notify-NavLogon - (no file)
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\lfjj1cp1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\lfjj1cp1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 19:11:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-22 19:13:17
ComboFix-quarantined-files.txt 2008-12-23 01:12:33

Pre-Run: 53,368,414,208 bytes free
Post-Run: 53,795,606,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

192 --- E O F --- 2008-11-14 05:54:52



Things look a little better. For the last 20 minutes at least there have been no annoying pop-ups, but it does still seem a little slow. (I'm possibly being paranoid.)

Thank you times a thousand!

katana
2008-12-23, 10:55
Do you know anything about Timbuktu Pro?


Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have Version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version: Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.




OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Processes)



:Processes
explorer.exe
:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Vuze\\Azureus.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"=-
"8710:UDP"=-
:Files
c:\windows\wininit.ini
c:\documents and settings\admin\Application Data\Azureus
c:\Program Files\Vuze
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]


Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


Close ALL open windows (especially Internet Explorer!)
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.





Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.



Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Info on Timbuktu Pro
OTMI Log
Active Scan Log
How are things running now?
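
The OTMoveIt script above acts on three classes of entry from the ComboFix "Reg Loading Points" section: the AppInit_DLLs value (a DLL named there is loaded into every process that maps user32.dll, which is why it survives removal of the visible BHO), the orphaned BHO DLL sitting directly in system32, and the firewall exceptions and open ports left behind by the torrent client. The following is an added example, not part of this thread and not code from ComboFix, OTMoveIt or Spybot: a small triage script that parses a ComboFix-style loading-points excerpt and flags those same entry types. SAMPLE_LOG is a constructed excerpt modelled on the log posted earlier in the thread, and the severity rules (AppInit_DLLs set and a BHO DLL in system32 are "high", bare filenames in Run keys, third-party firewall exceptions and open ports are "review") are the author's own heuristics, not a published signature.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix, OTMoveIt or Spybot code). SAMPLE_LOG is a
constructed excerpt modelled on the log in this thread; the severity
rules below are heuristics chosen for this example.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cqxxha.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8710:TCP"= 8710:TCP:BitComet 8710 TCP
"8710:UDP"= 8710:UDP:BitComet 8710 UDP

- - - - ORPHANS REMOVED - - - -

BHO-{98CEB1DB-A64D-4B89-8E01-FD39912A4C46} - c:\windows\system32\vtUolLff.dll
Notify-NavLogon - (no file)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
ORPHAN_RE = re.compile(r'^(?P<kind>BHO|Notify|MSConfigStartUp)-(?P<name>.+?) - (?P<target>.*)$')


@dataclass(frozen=True)
class Finding:
    severity: str    # "high": act on it; "review": confirm with the user first
    location: str
    detail: str


def parse_loading_points(text):
    """Return ([(key, value_name, data)], [(kind, name, target)])."""
    entries, orphans, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ORPHAN_RE.match(line)
        if m:
            orphans.append((m.group("kind"), m.group("name"), m.group("target")))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("data").strip()))
    return entries, orphans


def bare_filename(data):
    """True when a Run value names a file with no directory ("nwiz.exe")."""
    if not data:
        return False
    first = data.split('"')[1] if data.startswith('"') else data.split()[0]
    return "\\" not in first and "/" not in first


def triage(text):
    findings = []
    entries, orphans = parse_loading_points(text)
    for key, name, data in entries:
        lk = key.lower()
        if name.lower() == "appinit_dlls" and data.strip('" '):
            findings.append(Finding("high", key,
                f"AppInit_DLLs={data}: loaded into every process that maps user32.dll"))
        elif lk.endswith("\\currentversion\\run") and bare_filename(data):
            findings.append(Finding("review", key,
                f"{name}={data}: bare filename is resolved through the search path"))
        elif lk.endswith("globallyopenports\\list"):
            findings.append(Finding("review", key, f"inbound port exception {name}"))
        elif lk.endswith("authorizedapplications\\list") and not name.lower().startswith("%windir%"):
            findings.append(Finding("review", key, f"firewall exception for {name}"))
    for kind, name, target in orphans:
        if kind == "BHO" and "\\system32\\" in target.lower():
            findings.append(Finding("high", f"BHO {name}",
                f"{target}: browser helper object DLL dropped directly into system32"))
        elif target.lower() == "(no file)":
            findings.append(Finding("review", f"{kind} {name}", "dangling entry, target missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.location}: {f.detail}")
```

Run it against the full "Reg Loading Points" block of a real log and the two "high" findings are exactly the lines the OTMoveIt script clears (`"AppInit_DLLs"=""`) and the orphan ComboFix already removed; the "review" lines are the ones a helper asks the user about before deleting, as katana does with Timbuktu Pro.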

SageMaven
2008-12-28, 03:01
Info on Timbuktu Pro
- This was installed prior to my acquiring the machine. No one is connecting to it and I usually turn it off as soon as Windows boots.

OTMI Log
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer not found.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
========== FILES ==========
c:\windows\wininit.ini moved successfully.
c:\documents and settings\admin\Application Data\Azureus\updates moved successfully.
c:\documents and settings\admin\Application Data\Azureus\torrents moved successfully.
c:\documents and settings\admin\Application Data\Azureus\tmp moved successfully.
c:\documents and settings\admin\Application Data\Azureus\subs moved successfully.
c:\documents and settings\admin\Application Data\Azureus\shares moved successfully.
c:\documents and settings\admin\Application Data\Azureus\plugins moved successfully.
c:\documents and settings\admin\Application Data\Azureus\net moved successfully.
c:\documents and settings\admin\Application Data\Azureus\media\azpd moved successfully.
c:\documents and settings\admin\Application Data\Azureus\media moved successfully.
c:\documents and settings\admin\Application Data\Azureus\logs\save moved successfully.
c:\documents and settings\admin\Application Data\Azureus\logs moved successfully.
c:\documents and settings\admin\Application Data\Azureus\dht moved successfully.
c:\documents and settings\admin\Application Data\Azureus\active moved successfully.
c:\documents and settings\admin\Application Data\Azureus moved successfully.
c:\Program Files\Vuze\plugins\azupnpav moved successfully.
c:\Program Files\Vuze\plugins\azupdater moved successfully.
c:\Program Files\Vuze\plugins\azrating moved successfully.
c:\Program Files\Vuze\plugins\azplugins moved successfully.
c:\Program Files\Vuze\plugins\azemp\mplayer moved successfully.
c:\Program Files\Vuze\plugins\azemp moved successfully.
c:\Program Files\Vuze\plugins moved successfully.
c:\Program Files\Vuze\jre\lib\zi\SystemV moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Pacific moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Indian moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Europe moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Etc moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Australia moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Atlantic moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Asia moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Antarctica moved successfully.
c:\Program Files\Vuze\jre\lib\zi\America\North_Dakota moved successfully.
c:\Program Files\Vuze\jre\lib\zi\America\Kentucky moved successfully.
c:\Program Files\Vuze\jre\lib\zi\America\Indiana moved successfully.
c:\Program Files\Vuze\jre\lib\zi\America\Argentina moved successfully.
c:\Program Files\Vuze\jre\lib\zi\America moved successfully.
c:\Program Files\Vuze\jre\lib\zi\Africa moved successfully.
c:\Program Files\Vuze\jre\lib\zi moved successfully.
c:\Program Files\Vuze\jre\lib\servicetag moved successfully.
c:\Program Files\Vuze\jre\lib\security moved successfully.
c:\Program Files\Vuze\jre\lib\management moved successfully.
c:\Program Files\Vuze\jre\lib\images\cursors moved successfully.
c:\Program Files\Vuze\jre\lib\images moved successfully.
c:\Program Files\Vuze\jre\lib\im moved successfully.
c:\Program Files\Vuze\jre\lib\i386 moved successfully.
c:\Program Files\Vuze\jre\lib\fonts moved successfully.
c:\Program Files\Vuze\jre\lib\ext moved successfully.
c:\Program Files\Vuze\jre\lib\deploy moved successfully.
c:\Program Files\Vuze\jre\lib\cmm moved successfully.
c:\Program Files\Vuze\jre\lib\applet moved successfully.
c:\Program Files\Vuze\jre\lib moved successfully.
c:\Program Files\Vuze\jre\bin\client moved successfully.
c:\Program Files\Vuze\jre\bin moved successfully.
c:\Program Files\Vuze\jre moved successfully.
c:\Program Files\Vuze\.install4j moved successfully.
c:\Program Files\Vuze moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_794.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12262008_162308

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_794.dat not found!



Active Scan Log
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-12-27 19:56:35
PROTECTIONS: 0
MALWARE: 24
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.trafficmp.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.tribalfusion.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.yadro.ru/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.xiti.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[www.burstbeacon.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.adtech.de/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.questionmarket.com/]
00192311 Adware/IST.ISTBar Adware No 1 Yes No J:\Documents and Settings\John Nadler\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-1d771bf3.zip[javainstaller/InstallerApplet.class]
00207338 Cookie/Target TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.target.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.atwola.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No J:\Documents and Settings\John Nadler\Application Data\Mozilla\Firefox\Profiles\itif13es.default\cookies.txt[.smartadserver.com/]
00435585 W32/Autorun.AKK Virus/Worm No 1 No No C:\Documents and Settings\admin\My Documents\Azureus Downloads\Sothink SWF Decompiler 4.4.80916\Setup.exe[C:\Documents and Settings\admin\My Documents\Azureus Downloads\Sothink SWF Decompiler 4.4.80916\Setup.exe][is166347.exe]
00435585 W32/Autorun.AKK Virus/Worm No 1 No No C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP359\A0042900.exe[C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP359\A0042900.exe][is166347.exe]
00492147 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\ayolin.dll.vir
00492147 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP376\A0043561.dll
00492147 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\ietasmdb.dll.vir
00492147 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP376\A0043559.dll
01271851 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP284\A0030106.dll
01271851 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{632CB6C6-B18F-40A4-9B87-E2E5C9C069FF}\RP284\A0030082.DLL
03204890 Generic Trojan Virus/Trojan No 0 No No J:\Installers\Alocohol 120 Keygens etc\Alcohol.120.v1.4.7.1005.Keygen.Only.(fixes.bug.in.CORE's.crack).rar[Alcohol 120 1.4.7.1005 keygen.exe]
04199736 Generic Worm Virus/Worm No 0 Yes No J:\Installers\commandandconquergeneralszerohourkeygenfff.zip[EA.Games.Multi.Keygen.exe]
04437511 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\admin\Desktop\ComboFix.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location .
;===================================================================================================================================================================================
No C:\Program Files\GOW\7-Zip\Gears of War\Gears.of.War.Launcher.exe .
No J:\Program Files\SpywareBlaster\sbautoupdate.exe .
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description .
;===================================================================================================================================================================================
;===================================================================================================================================================================================



How are things running now?
Well, the scan said I'm still infected and the pop-ups are coming back, not nearly as bad as before but every so often.

katana
2008-12-29, 10:53
Cracks, Keygens and Warez

J:\Installers\Alocohol 120 Keygens etc\Alcohol.120.v1.4.7.1005.Keygen.Only.(fixes.bug.in.CORE's.crack).rar
J:\Installers\commandandconquergeneralszerohourkeygenfff.zip

In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

In the future I strongly suggest you stay away from using cracks and/or Keygens.


I can stop Timbuktu Pro from starting if you want.

Please post a fresh RSIT log along with the following:

OTMoveIt

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Processes)



:Processes
:Files
C:\Documents and Settings\admin\Desktop\ComboFix.exe
C:\Documents and Settings\admin\My Documents\Azureus Downloads
J:\Documents and Settings\John Nadler\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-1d771bf3.zip
J:\Installers\Alocohol 120 Keygens etc\Alcohol.120.v1.4.7.1005.Keygen.Only.(fixes.bug.in.CORE's.crack).rar
J:\Installers\commandandconquergeneralszerohourkeygenfff.zip
:Commands


Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


Close ALL open windows (especially Internet Explorer!)
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

katana
2009-01-06, 18:42
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.