
Virtumonde



cadmian
2009-01-31, 20:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:28 PM, on 1/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\DOCUME~1\RYAN~1.RYA\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\svschost.exe
C:\WINDOWS\system32\svñshost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\RYAN~1.RYA\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\hgdfeeeh4fdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll
O2 - BHO: BHO - {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - C:\WINDOWS\system32\iehelper.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Pmiqoweture] rundll32.exe "C:\WINDOWS\erikusadiyurega.dll",e
O4 - HKLM\..\Run: [Ekobahoze] rundll32.exe "C:\WINDOWS\Rvayolog.dll",e
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\RYAN~1.RYA\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\RYAN~1.RYA\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\RYAN~1.RYA\LOCALS~1\Temp\csrssc.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O20 - AppInit_DLLs: iaewze.dll gzyimg.dll rkstig.dll tiwmde.dll fiisnp.dll yjjsgl.dll tnsqgr.dll vkhbgy.dll xiakxa.dll pnbizl.dll vjfglm.dll cycsom.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgdfeeeh4fdg.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7428 bytes

Shaba
2009-02-03, 16:37
Hi cadmian

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

cadmian
2009-02-04, 04:28
Thanks for the help

ComboFix 09-02-02.04 - Ryan 2009-02-03 22:07:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1414 [GMT -5:00]
Running from: c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\abbopcck.dll
c:\windows\system32\adlhtk.dll
c:\windows\system32\ahanwdxk.dll
c:\windows\system32\aqaubeeo.dll
c:\windows\system32\aqglolyj.ini
c:\windows\system32\ayhtvyxi.dll
c:\windows\system32\bctcpe.dll
c:\windows\system32\blpgyrwo.ini
c:\windows\system32\bmvyqoxn.dll
c:\windows\system32\csrsuqpk.ini
c:\windows\system32\cubxdaxn.ini
c:\windows\system32\cycsom.dll
c:\windows\system32\dpyuslgu.dll
c:\windows\system32\egdblcwu.ini
c:\windows\system32\elfogdxc.ini
c:\windows\system32\eltdntmi.dll
c:\windows\system32\faatxcnx.ini
c:\windows\system32\fgckrxdd.ini
c:\windows\system32\fiisnp.dll
c:\windows\system32\fvghdk.dll
c:\windows\system32\fwwjiybp.ini
c:\windows\system32\gacjrjdt.ini
c:\windows\system32\gjavshjl.ini
c:\windows\system32\gsaiiz.dll
c:\windows\system32\gzyimg.dll
c:\windows\system32\hdcaix.dll
c:\windows\system32\hlmaworn.dll
c:\windows\system32\hrhyxfwf.dll
c:\windows\system32\hzvdje.dll
c:\windows\system32\iaewze.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\ihxbjcdo.ini
c:\windows\system32\imxgigit.dll
c:\windows\system32\iotpprwt.ini
c:\windows\system32\jqacawwn.ini
c:\windows\system32\jsscno.dll
c:\windows\system32\kisidxgj.dll
c:\windows\system32\krhqvp.dll
c:\windows\system32\ksycxllu.ini
c:\windows\system32\kvlyxybi.dll
c:\windows\system32\kvskoham.dll
c:\windows\system32\kxdwnaha.ini
c:\windows\system32\lhpiot.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nnnMFxuS.dll.vir
c:\windows\system32\nslaxcct.dll
c:\windows\system32\oehqnqah.dll
c:\windows\system32\ogobobbb.ini
c:\windows\system32\pbyijwwf.dll
c:\windows\system32\pnbizl.dll
c:\windows\system32\qizpbd.dll
c:\windows\system32\qqjdyxrx.dll
c:\windows\system32\qrymerlp.dll
c:\windows\system32\rapjjrvq.dll
c:\windows\system32\rkstig.dll
c:\windows\system32\rswtpqkm.ini
c:\windows\system32\sctkqtbb.dll
c:\windows\system32\shgvsuqr.ini
c:\windows\system32\svschost.exe
c:\windows\system32\tiwmde.dll
c:\windows\system32\tnsqgr.dll
c:\windows\system32\toivecpp.dll
c:\windows\system32\udsklkej.ini
c:\windows\system32\ugrnogvt.dll
c:\windows\system32\utkitrdx.ini
c:\windows\system32\uvpsyjlw.dll
c:\windows\system32\vivyeofa.ini
c:\windows\system32\vjfglm.dll
c:\windows\system32\vkhbgy.dll
c:\windows\system32\vrnxfnsg.dll
c:\windows\system32\win
c:\windows\system32\win\nha-jchillin-dsa.log
c:\windows\system32\wrimiyqb.ini
c:\windows\system32\wwgvmrjc.ini
c:\windows\system32\wwkgtium.ini
c:\windows\system32\xiakxa.dll
c:\windows\system32\xncltneh.dll
c:\windows\system32\xncxtaaf.dll
c:\windows\system32\yhdjkecq.ini
c:\windows\system32\yjjsgl.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-01-31 14:02 . 2009-01-31 14:03 <DIR> d-------- c:\program files\ERUNT
2009-01-27 18:49 . 2009-01-27 18:50 133,120 --a------ c:\windows\erikusadiyurega.dll
2009-01-27 18:39 . 2009-01-27 18:39 88,576 --a------ c:\windows\system32\svñshost.exe
2009-01-27 18:37 . 2009-01-27 18:37 43,008 --a------ c:\windows\Rvayolog.dll
2009-01-27 17:07 . 2009-01-27 17:07 387,592 --a------ c:\windows\sysguard.exe
2009-01-27 17:07 . 2009-01-27 17:07 387,592 --a------ C:\eych.exe
2009-01-27 17:07 . 2009-02-03 22:15 93,420 --a------ c:\windows\system32\drivers\8158e7af.sys
2009-01-27 17:06 . 2009-01-27 17:06 705 --a------ C:\wgqjqf.exe
2009-01-27 17:06 . 2009-01-27 17:06 705 --a------ C:\nwurjr.exe
2009-01-27 17:05 . 2009-01-27 17:06 2 --a------ C:\-2011643985
2009-01-27 17:04 . 2009-01-27 17:04 15,000 --a------ c:\windows\system32\hgdfeeeh4fdg.dll
2009-01-27 17:03 . 2009-01-27 17:03 52,736 --a------ c:\windows\system32\wscbngpp.dll
2009-01-26 16:33 . 2009-01-26 16:33 <DIR> d-------- c:\documents and settings\Administrator.RYAN-CAE55FD3B0
2009-01-26 14:11 . 2009-01-27 16:00 <DIR> d-------- c:\program files\America's Army Deploy Client
2009-01-26 14:11 . 2009-01-26 14:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\America's Army Deploy Client
2009-01-26 13:54 . 2009-01-26 13:54 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-26 13:53 . 2009-01-26 13:53 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-26 13:53 . 2009-01-26 13:53 <DIR> d-------- c:\program files\MSBuild
2009-01-26 13:52 . 2009-01-26 13:53 <DIR> d-------- C:\58335e2d7a8e0e8703
2009-01-26 13:52 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-26 13:52 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-26 13:52 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-26 13:52 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-26 13:52 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-26 13:52 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-26 13:52 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-26 13:45 . 2009-01-26 13:45 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-15 03:37 . 2009-01-15 03:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2009-01-05 22:29 . 2009-01-31 14:04 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 03:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-31 19:17 --------- d-----w c:\program files\Vuze
2009-01-31 19:17 --------- d-----w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus
2009-01-28 21:27 --------- d-s---w c:\program files\Xfire
2009-01-28 21:27 --------- d-----w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Xfire
2009-01-27 22:42 --------- d-----w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\teamspeak2
2009-01-27 22:34 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-01-26 01:29 138,064 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 23:11 --------- d-----w c:\program files\Steam
2009-01-07 00:32 --------- d-----w c:\program files\SpeedFan
2008-12-23 18:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-19 22:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 04:03 --------- d-----w c:\program files\SmartMusic 11
2008-11-07 23:03 22,328 ----a-w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\PnkBstrK.sys
2006-11-17 23:58 81,920 ----a-w c:\documents and settings\ryan\Application Data\ezpinst.exe
2006-11-17 23:58 47,360 -c--a-w c:\documents and settings\ryan\Application Data\pcouffin.sys
2004-08-04 18:00 413,696 ----a-w c:\program files\mozilla firefox\plugins\msvcp60.dll
2007-08-25 03:52 300,400 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 158208]
"Pmiqoweture"="c:\windows\erikusadiyurega.dll" [2009-01-27 133120]
"Ekobahoze"="c:\windows\Rvayolog.dll" [2009-01-27 43008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.XFR1"= xfcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan.RYAN-CAE55FD3B0^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan.RYAN-CAE55FD3B0^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-09-09 01:18 57344 c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-07 16:22 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-10-17 14:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 01:00 45056 c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ekobahoze]
--a------ 2009-01-27 18:37 43008 c:\windows\Rvayolog.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 11:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 16:52 331830 c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 18:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 c:\program files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
--a------ 2003-11-10 15:06 406016 c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pmiqoweture]
--a------ 2009-01-27 18:50 133120 c:\windows\erikusadiyurega.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-12 19:08 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 03:48 36975 c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysguard]
--a------ 2009-01-27 17:07 387592 c:\windows\sysguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-06 19:57 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
--a------ 2005-12-21 09:14 73728 c:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2005-10-14 11:01 122880 c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 07:30 16384 c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2005-11-08 07:30 18944 c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\Steam\\steamapps\\captain09\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\captain09\\half-life 2\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\defcon\\defcon.exe"=
"c:\\Program Files\\Codemasters\\Soldiers - Heroes of World War II\\SOLDIERS.EXE"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27750:TCP"= 27750:TCP:gamespy
"27750:UDP"= 27750:UDP:gamespy
"28900:TCP"= 28900:TCP:master server list
"29900:TCP"= 29900:TCP:gp connection manager
"29901:TCP"= 29901:TCP:gp serach manager
"6500:TCP"= 6500:TCP:query port
"3783:TCP"= 3783:TCP:voice chat port gs
"13139:UDP"= 13139:UDP:CUSTOM UDP PINGS
"6515:UDP"= 6515:UDP:dplay udp
"6500:UDP"= 6500:UDP:query port udp
"6667:UDP"= 6667:UDP:irc gs udp
"3783:UDP"= 3783:UDP:voice chat port udp
"27900:UDP"= 27900:UDP:master srever udp
"28900:UDP"= 28900:UDP:master server list udp
"29900:UDP"= 29900:UDP:gp connection manager udp
"29901:UDP"= 29901:UDP:gp search manager udp

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-21 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-21 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-03 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ryan.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
HKCU-Run-svschost.exe - c:\windows\system32\svschost.exe
MSConfigStartUp-AceGain LiveUpdate - c:\program files\AceGain\LiveUpdate\LiveUpdate.exe
MSConfigStartUp-DLA - c:\windows\System32\DLA\DLACTRLW.EXE
MSConfigStartUp-jsf8uiw3jnjgffght - c:\docume~1\RYAN~1.RYA\LOCALS~1\Temp\winlognn.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
MSConfigStartUp-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
MSConfigStartUp-MPFEXE - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MPSExe - c:\progra~1\mcafee.com\mps\mscifapp.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 2007\pccguide.exe
MSConfigStartUp-PCLEUSBTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
MSConfigStartUp-svschost - c:\windows\system32\svschost.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\RYAN~1.RYA\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Mozilla\Firefox\Profiles\y85sttv0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npUMediaPlayer5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 22:13:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\8158e7af]
"ImagePath"="\SystemRoot\System32\drivers\8158e7af.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-682003330-813497703-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:20,73,5b,cf,55,40,31,86,23,4f,9c,6e,28,14,25,4f,53,32,ac,f2,89,aa,a5,
c4,98,e3,9c,cf,44,36,a1,9e,42,40,1b,0f,ee,8d,28,25,a0,6d,30,d8,ba,df,c1,d4,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,6f,f4,be,90,d9,
67,b8,1a,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,f6,0c,7d,2f,96,
ca,85,a4,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,b1,90,bd,98,0f,
82,36,a5,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,7c,bb,2a,93,e4,
7a,b2,c6,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,da,5f,49,83,d5,
68,6c,32,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,ad,10,9c,25,0e,
50,98,40,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6e,1f,1a,18,a9,
f2,ec,98,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,f0,f5,7e,a5,18,
c7,cf,4a,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,22,f8,3c,27,d5,
48,bb,f8,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,cd,11,2f,37,58,
24,c3,36,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,28,bc,64,67,b4,
5a,85,96,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6b,e3,f5,94,81,
ff,84,55,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-02-03 22:25:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 03:25:30

Pre-Run: 113,521,491,968 bytes free
Post-Run: 113,844,137,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

479 --- E O F --- 2007-08-16 07:04:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:44 PM, on 2/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Pmiqoweture] rundll32.exe "C:\WINDOWS\erikusadiyurega.dll",e
O4 - HKLM\..\Run: [Ekobahoze] rundll32.exe "C:\WINDOWS\Rvayolog.dll",e
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6822 bytes

Shaba
2009-02-04, 07:17
Before we continue I have to ask: is Norton up-to-date?

cadmian
2009-02-04, 20:58
No, I don't believe it is; my subscription just ran out a little while ago. I also don't remember the last time it was updated.

Shaba
2009-02-05, 06:12
Thank you for the information.

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

cadmian
2009-02-05, 22:11
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop Elements 4.0
Adobe Reader 8
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Age of Empires III
AGEIA PhysX v7.07.09
AIM 6
America's Army Deploy Client
AppCore
Apple Mobile Device Support
Apple Software Update
Audiosurf Demo
AVI Codec Pack
AviSynth 2.5
Bonjour
Call of Duty(R) 2
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CAL-NHA Anti-Cheat 1.00
CALNHA Version 2.0
ccCommon
Combat Arms
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Component Framework
Conexant D850 56K V.9x DFVc Modem
Dawn of War - Dark Crusade
Dawn Of War - Winter Assault
DawnOfWar
Dell CinePlayer
Dell Resource CD
DiscAPI (Studio 10)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Error Repair Professional 3.6
ERUNT 1.1j
Fahrenheit: Indigo Prophecy Director's Cut
FIFA 09 Demo
Football Manager 2008 Gold Demo
Fraps
Gunbound Revolution
Half-Life 2: Deathmatch
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Insurgency ( Remove only)
Insurgency Mod
Intel(R) PRO Network Connections Drivers
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 3
Left 4 Dead Demo
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Medieval II Total War
Memorex exPressit Label Design Studio
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
mIRC
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multiwinia Demo
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
NVIDIA nTune
PartyPokerNet
PDF Settings
Peggle Deluxe 1.0
Pinnacle Instant DVD Recorder
Portal
PunkBuster Services
Qloud Plug-in for iTunes
QuickTime
RAPID
RealPlayer
Rome - Total War(TM)
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Seismovision 3 (remove only)
Silent Hunter 4 Wolves of the Pacific
SmartMusic 11
SmartSound Quicktracks Plugin
Soldiers - Heroes of World War II
Sonic Encoders
Sonic Update Manager
Sony DVD Architect Studio 4.0
Sony Vegas Movie Studio Platinum 7.0
Sound Blaster X-Fi
SPBBC 32bit
SpeedFan (remove only)
Spybot - Search & Destroy
Starcraft
Starship Troopers
Steam
Studio 10
System Requirements Lab
TeamSpeak 2 RC2
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Wonderful End of the World Demo
Trackless
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
VideoLAN VLC media player 0.8.6d
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
World of Warcraft
Xfire (remove only)

Shaba
2009-02-06, 07:07
Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\erikusadiyurega.dll
c:\windows\system32\svñshost.exe
c:\windows\Rvayolog.dll
c:\windows\sysguard.exe
C:\eych.exe
c:\windows\system32\drivers\8158e7af.sys
C:\wgqjqf.exe
C:\nwurjr.exe
C:\-2011643985
c:\windows\system32\hgdfeeeh4fdg.dll
c:\windows\system32\wscbngpp.dll

Folder::
c:\program files\Vuze
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus

Driver::
8158e7af


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.

cadmian
2009-02-07, 00:28
ComboFix 09-02-02.04 - Ryan 2009-02-06 18:03:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.940 [GMT -5:00]
Running from: c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
C:\-2011643985
C:\eych.exe
C:\nwurjr.exe
C:\wgqjqf.exe
c:\windows\erikusadiyurega.dll
c:\windows\Rvayolog.dll
c:\windows\sysguard.exe
c:\windows\system32\drivers\8158e7af.sys
c:\windows\system32\hgdfeeeh4fdg.dll
c:\windows\system32\svñshost.exe
c:\windows\system32\wscbngpp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2011643985
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\.certs
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\.keystore
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\.lock
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0461783866D1BFFF046844276142F839563C4AAE.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0461783866D1BFFF046844276142F839563C4AAE.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0BE042EBE36CB6424EDADA17BA81C24728AC31DC.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0BE042EBE36CB6424EDADA17BA81C24728AC31DC.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0E814C3464965111B2E74DDF63D19E33FAFC2857.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0E814C3464965111B2E74DDF63D19E33FAFC2857.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0F3B673605814C05406088D86948500D696FB59E.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0F3B673605814C05406088D86948500D696FB59E.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0F87FCBC6C11DB6CCF933DD9F71C603A91104F6F.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\0F87FCBC6C11DB6CCF933DD9F71C603A91104F6F.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\51C144FDAB62D6DE1226C6467A4E54F0453B74AF.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\51C144FDAB62D6DE1226C6467A4E54F0453B74AF.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6723F46D006F61A10C063D3D61EE2C014B85CB7F.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6723F46D006F61A10C063D3D61EE2C014B85CB7F.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\68CA06270C0039373B85D3A14D6EC70827DBD0A2.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\68CA06270C0039373B85D3A14D6EC70827DBD0A2.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6DD1DD26AF3EB8DB14E5D578942C861C71192F99.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6DD1DD26AF3EB8DB14E5D578942C861C71192F99.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6F60E2DAA5EB33022D5F3567785EDCC76C008E9B.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6F60E2DAA5EB33022D5F3567785EDCC76C008E9B.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6F829BC7D25173236813300AFFFF75DDCA903BA4.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6F829BC7D25173236813300AFFFF75DDCA903BA4.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6FA5357658C57CB3A730395D10B39EC8CAE20AD3.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\6FA5357658C57CB3A730395D10B39EC8CAE20AD3.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\805236DF03F8EC9885BBCB89AAA55FB25B331B77.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\805236DF03F8EC9885BBCB89AAA55FB25B331B77.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\885FC8645F332576562ABF72FB935B3D243C3B13.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\885FC8645F332576562ABF72FB935B3D243C3B13.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\9055AC12C69076DA647B999CFB31BF879F3E4D75.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\9055AC12C69076DA647B999CFB31BF879F3E4D75.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\93FF708BB390E86CE9DFE27E32282BCD248B96F6.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\93FF708BB390E86CE9DFE27E32282BCD248B96F6.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\975A1C63F3FA426ED99A4576A0E8904F55E97F49.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\975A1C63F3FA426ED99A4576A0E8904F55E97F49.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\98F638A590B6F8296AEC695CF8184ECE150741F2.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\98F638A590B6F8296AEC695CF8184ECE150741F2.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\9D9CDFD64DDCD1339F564B43673863E95F519229.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\9D9CDFD64DDCD1339F564B43673863E95F519229.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\A0EB82599EDFFA4E8413CFA17AB3861A992AD112.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\A0EB82599EDFFA4E8413CFA17AB3861A992AD112.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\A53788A3F0555272E80068F8674FD60E8929098D.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\A53788A3F0555272E80068F8674FD60E8929098D.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\C05118B64A4732C3C9E066826EB50D93817F394F.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\C05118B64A4732C3C9E066826EB50D93817F394F.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\C19E6AAE60F6480672207ECFD2352CBB2896D148.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\C19E6AAE60F6480672207ECFD2352CBB2896D148.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\C607D0B1874D1B1FED47CDA3ED3B411373726B62.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\C607D0B1874D1B1FED47CDA3ED3B411373726B62.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\cache.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\CDEBF5BD77970BC76BEE1AC3DCCCD9C80D8A6C60.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\CDEBF5BD77970BC76BEE1AC3DCCCD9C80D8A6C60.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\DE083348BFA7FB0930AF5CE901585042F4CC9836.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\DE083348BFA7FB0930AF5CE901585042F4CC9836.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\E0C255F901F9F85BB86A9BC9E2AFEC0B14E5B877.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\E0C255F901F9F85BB86A9BC9E2AFEC0B14E5B877.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\E332FDFA3FC6016BC13167294DEB32AA4BCB5894.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\E332FDFA3FC6016BC13167294DEB32AA4BCB5894.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\E72E275902FF4B99E5AA693B441AEAC67A50AD6A.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\E72E275902FF4B99E5AA693B441AEAC67A50AD6A.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\EAE70ABC2F9B855D66DF481AECA463FE3F4E2D1F.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\EAE70ABC2F9B855D66DF481AECA463FE3F4E2D1F.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\F4CA0941FDAE2F1EA353D914F6C8CE0CA7CD2E14.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\F4CA0941FDAE2F1EA353D914F6C8CE0CA7CD2E14.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\F73B8FB27802446A01C8D16B7DFECB284861CB09.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\F73B8FB27802446A01C8D16B7DFECB284861CB09.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\FA4E81BFFD2B4F2241FD6D01590787DEF36F17AA.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\active\FA4E81BFFD2B4F2241FD6D01590787DEF36F17AA.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\azureus.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\azureus.statistics
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\banips.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\banips.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\dht\general.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\dht\version.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\downloads.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\friends.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\friends.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\AutoSpeed_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\AutoSpeedSearchHistory_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\Friends_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\MetaSearch_Engine_6.txt
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.MD_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\metasearch.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\net\pm_5668.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tables.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tables.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\timingstats.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19068.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19069.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19070.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19071.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19072.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19073.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19074.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tmp\AZU19075.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] 28. Pink - So what.mp3.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] 805236df03f8ec9885bbcb89aaa55fb25b331b77.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Ace_Hood_-_Cash_Flow_ft._Rick_Ross_&T-Pain_ _Video_(debigG).torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Adobe Photoshop CS3 Extended + Crack.1397546.SN(2).torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Bob Marley - The Very Best Of legend.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Brand_New_Deja_Entendu-2003-fnt.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Coldplay - Viva La Vida [2008]MP3[TCRG].torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Death Cab For Cutie - Plans.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] download.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Eminem - Curtain Call - The Hits (2005) CD 1.1176861.SN.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Flo Rida Ft. Will I Am - In The Ayer.mp3.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Jack Johnson - In Between Dreams - FLAC.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Justin Timberlake - Justified(2).torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Kevin_Rudolf___Lil_Wayne_-_Let_It_Rock_[Clean].4428349.TPB.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Kill Bill - Vol 1 soundtrack [2003] 5 hidden tracks - Full Album - 320kbps -HQ cd covers.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Lil Wayne - Tha Carter III [2008][explicit].torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Linkin Park - Minutes To Midnight [2007][CD+SkidVid+Cov].torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] MIA - Kala [2007][CD+SkidVid_XviD+Cov]192Kbps.1390025.SN.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Muse - Black Holes And Revelations [2006][CD+Vid+Cov].torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Postal Service - Give Up.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Regina Spektor - Begin To Hope.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Rihanna-Disturbia[2008].mp3.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Saving_Abel-Saving_Abel-2008-EON.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Say Anything - ...Is A Real Boy (2004).torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Something_Corporate_-_Leaving_Through_the_Window_[192kbps].4520349.TPB.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] T.I.-Paper_Trail-(Proper)-2008-HipHopGenerals.Com.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] T.I. vs T.I.P.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] The Best of ''Coldplay''.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] The Game - My Life feat. Lil Wayne - L.A.X. - 2008 - Parry Gill.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] The_Academy_Is..._-_Almost_Here_(320kbps_mp3).4383985.TPB.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] The_Killers-Day_And_Age-2008-404.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] TI_-_King.3834881.TPB.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Timbaland-Present_Shock_Value_(Deluxe_Edition)-2CD-2007-SMO.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Yellowcard - Ocean Avenue.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Young Jeezy-Lets Get It Thug Motivation 101.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\[isoHunt] Young.Jeezy-The.Recession-Retail-2008-[NoFS].4363937.TPB.torrent
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\AZU19077.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\AZU19314.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\AZU35479.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\torrents\AZU51651.tmp
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tracker.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\unsentdata.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\update.log
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\update.properties
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Azureus\VuzeActivities.config.bak
C:\eych.exe
C:\nwurjr.exe
c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\mplayer\config
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
C:\wgqjqf.exe
c:\windows\erikusadiyurega.dll
c:\windows\Rvayolog.dll
c:\windows\sysguard.exe
c:\windows\system32\drivers\8158e7af.sys
c:\windows\system32\hgdfeeeh4fdg.dll
c:\windows\system32\svñshost.exe
c:\windows\system32\wscbngpp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8158e7af


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-01-31 14:02 . 2009-01-31 14:03 <DIR> d-------- c:\program files\ERUNT
2009-01-26 16:33 . 2009-01-26 16:33 <DIR> d-------- c:\documents and settings\Administrator.RYAN-CAE55FD3B0
2009-01-26 14:11 . 2009-01-27 16:00 <DIR> d-------- c:\program files\America's Army Deploy Client
2009-01-26 14:11 . 2009-01-26 14:12 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\America's Army Deploy Client
2009-01-26 13:54 . 2009-01-26 13:54 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-26 13:53 . 2009-01-26 13:53 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-26 13:53 . 2009-01-26 13:53 <DIR> d-------- c:\program files\MSBuild
2009-01-26 13:52 . 2009-01-26 13:53 <DIR> d-------- C:\58335e2d7a8e0e8703
2009-01-26 13:52 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-01-26 13:52 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-26 13:52 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-26 13:52 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-01-26 13:52 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-26 13:52 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-01-26 13:52 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-26 13:45 . 2009-01-26 13:45 <DIR> d-------- c:\program files\MSXML 6.0
2009-01-15 03:37 . 2009-01-15 03:37 42,320 --a------ c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 23:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 23:28 --------- d-----w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Xfire
2009-02-04 23:58 --------- d-s---w c:\program files\Xfire
2009-01-31 19:04 --------- d-----w c:\program files\Trend Micro
2009-01-27 22:42 --------- d-----w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\teamspeak2
2009-01-27 22:34 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-01-26 01:29 138,064 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 23:11 --------- d-----w c:\program files\Steam
2009-01-07 00:32 --------- d-----w c:\program files\SpeedFan
2008-12-23 18:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-19 22:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 23:03 22,328 ----a-w c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\PnkBstrK.sys
2006-11-17 23:58 81,920 ----a-w c:\documents and settings\ryan\Application Data\ezpinst.exe
2006-11-17 23:58 47,360 -c--a-w c:\documents and settings\ryan\Application Data\pcouffin.sys
2004-08-04 18:00 413,696 ----a-w c:\program files\mozilla firefox\plugins\msvcp60.dll
2007-08-25 03:52 300,400 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( snapshot@2009-02-03_22.24.26.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-06\ERDNT.EXE
+ 2009-02-06 23:12:57 9,367,552 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-06\Users\00000001\NTUSER.DAT
+ 2009-02-06 23:12:57 204,800 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-06\Users\00000002\UsrClass.dat
+ 2009-02-06 23:14:25 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 158208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.XFR1"= xfcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan.RYAN-CAE55FD3B0^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ryan.RYAN-CAE55FD3B0^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-09-09 01:18 57344 c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-07 16:22 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-10-17 14:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 01:00 45056 c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 02:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 11:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 16:52 331830 c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 18:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 c:\program files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
--a------ 2003-11-10 15:06 406016 c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-12 19:08 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 03:48 36975 c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-06 19:57 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
--a------ 2005-12-21 09:14 73728 c:\windows\system32\PCLECoInst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2005-10-14 11:01 122880 c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 07:30 16384 c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2005-11-08 07:30 18944 c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\Steam\\steamapps\\captain09\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\captain09\\half-life 2\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\defcon\\defcon.exe"=
"c:\\Program Files\\Codemasters\\Soldiers - Heroes of World War II\\SOLDIERS.EXE"=
"c:\\Program Files\\Ubisoft\\Silent Hunter Wolves of the Pacific\\sh4.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27750:TCP"= 27750:TCP:gamespy
"27750:UDP"= 27750:UDP:gamespy
"28900:TCP"= 28900:TCP:master server list
"29900:TCP"= 29900:TCP:gp connection manager
"29901:TCP"= 29901:TCP:gp serach manager
"6500:TCP"= 6500:TCP:query port
"3783:TCP"= 3783:TCP:voice chat port gs
"13139:UDP"= 13139:UDP:CUSTOM UDP PINGS
"6515:UDP"= 6515:UDP:dplay udp
"6500:UDP"= 6500:UDP:query port udp
"6667:UDP"= 6667:UDP:irc gs udp
"3783:UDP"= 3783:UDP:voice chat port udp
"27900:UDP"= 27900:UDP:master srever udp
"28900:UDP"= 28900:UDP:master server list udp
"29900:UDP"= 29900:UDP:gp connection manager udp
"29901:UDP"= 29901:UDP:gp search manager udp

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-02-21 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-21 99376]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-03 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Ryan.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Pmiqoweture - c:\windows\erikusadiyurega.dll
HKLM-Run-Ekobahoze - c:\windows\Rvayolog.dll
MSConfigStartUp-ekobahoze - c:\windows\Rvayolog.dll
MSConfigStartUp-pmiqoweture - c:\windows\erikusadiyurega.dll
MSConfigStartUp-sysguard - c:\windows\sysguard.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Ryan.RYAN-CAE55FD3B0\Application Data\Mozilla\Firefox\Profiles\y85sttv0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npUMediaPlayer5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 18:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-813497703-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:20,73,5b,cf,55,40,31,86,23,4f,9c,6e,28,14,25,4f,53,32,ac,f2,89,aa,a5,
c4,98,e3,9c,cf,44,36,a1,9e,42,40,1b,0f,ee,8d,28,25,a0,6d,30,d8,ba,df,c1,d4,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,6f,f4,be,90,d9,
67,b8,1a,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,f6,0c,7d,2f,96,
ca,85,a4,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,b1,90,bd,98,0f,
82,36,a5,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,7c,bb,2a,93,e4,
7a,b2,c6,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,da,5f,49,83,d5,
68,6c,32,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,ad,10,9c,25,0e,
50,98,40,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,6e,1f,1a,18,a9,
f2,ec,98,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,f0,f5,7e,a5,18,
c7,cf,4a,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,22,f8,3c,27,d5,
48,bb,f8,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,cd,11,2f,37,58,
24,c3,36,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,28,bc,64,67,b4,
5a,85,96,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,6b,e3,f5,94,81,
ff,84,55,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-02-06 18:25:51 - machine was rebooted [Ryan]
ComboFix-quarantined-files.txt 2009-02-06 23:25:48
ComboFix2.txt 2009-02-04 03:25:38

Pre-Run: 113,723,445,248 bytes free
Post-Run: 113,704,120,320 bytes free

583 --- E O F --- 2007-08-16 07:04:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:11 PM, on 2/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6576 bytes

Shaba
2009-02-07, 10:57
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

cadmian
2009-02-10, 23:42
When trying to update kaspersky the window will close out automatically at random times. This causes the update to start over again and it never is able to finish.

Shaba
2009-02-11, 06:06
Then please try this instead:

NOD32 online scan: Please go to the Eset website (http://www.eset.com/onlinescan/) to perform an online scan. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX, click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Uncheck (untick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

Shaba
2009-02-15, 12:00
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.