DNS Settings Changed, Spybot & MBAM Won't Start
Hi all,
I hope someone can please help me with this infection, as it's driving me nuts. My HJT v2.0.2 log is pasted below (in Normal mode). Here is a description of what has happened:
During websurfing my PC froze and I had to reboot. Upon the reboot, the following serious symptoms have all emerged:
* DNS settings were changed (hardcoded) on all network adapters (the addresses entered for primary and secondary DNS servers were 85.255.112.64 and 85.255.112.225). I have since manually fixed this (i.e. back to ISP-pushed DNS entries).
* I've been experiencing many URL redirections to random pages, especially from Google search results.
* Neither Spybot S&D nor Malwarebytes' Anti-Malware (MBAM) will now start; I tried renaming the EXE files in both cases, but no luck - they simply will not launch.
* Now whenever the computer boots up, just after entering the Windows 2000 credentials, I get a text box with Chinese (I think?) characters and just an "OK" button. I tried to copy and paste the Chinese characters here: 碠碠Ā. Once I click OK, the rest of the boot process completes as normal.
Despite all of the above, running the latest version of Spyware Doctor claims that the machine is clean. I'd be very grateful for any help as I'm at a loss as to what else to try... :-(
Cheers,
Milo
------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:00:19, on 23/04/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
C:\Program Files\MGE\PersonalSolutionPac\PCtl.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\MGE\PersonalSolutionPac\BIL.EXE
C:\Program Files\MGE\PersonalSolutionPac\CILUSB.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\VoSKY USB Phone\USBDetect.exe
C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
C:\Program Files\Maxtor\ManagerApp\OneTouch.exe
C:\Program Files\Maxtor\utils\mspm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\DriversNExecutables\Antiviru_Antispyware\HiJackThis\HijackThis.exe
C:\Program Files\Spyware Doctor\sdloader.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ivanovich.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [USBDetect] C:\Program Files\VoSKY USB Phone\USBDetect.exe
O4 - HKLM\..\Run: [Telstra_TM] C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\OneTouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\utils\mspm.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [pspNetSystray] C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetPerSec.lnk = C:\Program Files\NetPerSec\NetPerSec.exe
O4 - Global Startup: Vermillion FTP Daemon.lnk = C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
O4 - Global Startup: VitalAgent IT.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229552143288
O16 - DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} (BillToBill.Signature) - http://login.billtobill.com/login/download/b2bsig1003.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229552128637
O16 - DPF: {769F454F-A488-11D4-AA30-005004C3096A} (DME Web Support) - http://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://rna.nsa.nexus.telstra.com.au/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\TalentVX\Skype4COM.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MGE Service module - Unknown owner - C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINNT\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups2.exe (file missing)
--
End of file - 13459 bytes
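The symptoms above (hard-coded resolvers on every adapter, search redirects, security tools refusing to start) are the classic DNS-hijack pattern, and the HijackThis log is the artefact most helpers ask for. The script below is an added example, not code from the poster or from HijackThis/RSIT: it triages a pasted HJT log offline, pulling the O17 NameServer entries and classifying each resolver as local, public or inside a watch-listed range, and flagging O4 Run values whose name borrows a core system DLL filename (the RSIT log shows such an entry, `[oleaut32.dll]`, which is worth a second look regardless of what it currently points at). The sample log lines are constructed from the posted log plus one O17 line of the kind HJT prints for a hijacked adapter, and the 85.255.112.0/20 watch-list range is an assumption for the example; in practice you would substitute your own threat-intel list.

```python
"""Offline triage of HijackThis-style log text for DNS-hijack indicators.

Added example for this thread; not part of the original post or of HijackThis.
Run it against a saved log: python hjt_triage.py < hijackthis.log
"""
import ipaddress
import re
import sys

# Constructed sample, modelled on the posted log. The last O17 line shows the
# form HijackThis prints when an adapter has a hardcoded NameServer value.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [oleaut32.dll] "C:\\Program Files\\Spyware Doctor\\pctsTray.exe"
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0B3A2C11-1111-2222-3333-444455556666}: NameServer = 85.255.112.64,85.255.112.225
"""

# Assumption for this example: treat 85.255.112.0/20 as a rogue-resolver range.
# The two addresses the poster found on the adapters fall inside it.
ROGUE_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Run-value names that reuse the filename of a core system DLL deserve a look.
SYSTEM_DLL_NAMES = {"oleaut32.dll", "kernel32.dll", "user32.dll", "ntdll.dll"}

O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def classify_dns(addr: str) -> str:
    """'local' for RFC1918/loopback, 'rogue' if in a watch-listed range, else 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_private or ip.is_loopback:
        return "local"
    if any(ip in net for net in ROGUE_DNS_RANGES):
        return "rogue"
    return "public"


def triage(log_text: str):
    """Return (section, item, verdict) tuples for lines that merit attention."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            # NameServer may hold one address or a comma/space separated list.
            for addr in re.split(r"[,\s]+", m.group("servers").strip()):
                if addr:
                    verdict = classify_dns(addr)
                    if verdict != "local":  # ISP-pushed LAN resolvers are expected
                        findings.append(("O17", addr, verdict))
            continue
        m = O4_RE.match(line)
        if m and m.group("name").lower() in SYSTEM_DLL_NAMES:
            findings.append(("O4", m.group("name"), "system-dll-name"))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for section, item, verdict in triage(text):
        print(f"{section:4} {verdict:16} {item}")
```

Public resolvers are reported too, not just watch-listed ones, because a hijack often rotates addresses: anything that is not the router or the ISP's own servers on a home LAN should be explained before the machine is declared clean.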
An update:
Having read Shaba's advice for Ryeke, who seems to have a very similar problem to mine (in thread http://forums.spybot.info/showthread.php?t=47879), I also downloaded and ran the RSIT tool as per Shaba's advice, to provide more info.
In case it is helpful, please find the RSIT log.txt and info.txt files below, in that order:
RSIT log.txt
==========
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-04-23 19:00:37
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 4 GB (16%) free of 26 GB
Total RAM: 767 MB (46% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:51, on 23/04/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
C:\Program Files\MGE\PersonalSolutionPac\PCtl.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\MGE\PersonalSolutionPac\BIL.EXE
C:\Program Files\MGE\PersonalSolutionPac\CILUSB.EXE
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\VoSKY USB Phone\USBDetect.exe
C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
C:\Program Files\Maxtor\ManagerApp\OneTouch.exe
C:\Program Files\Maxtor\utils\mspm.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\DriversNExecutables\Antiviru_Antispyware\RSIT\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ivanovich.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [USBDetect] C:\Program Files\VoSKY USB Phone\USBDetect.exe
O4 - HKLM\..\Run: [Telstra_TM] C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\OneTouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\utils\mspm.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [pspNetSystray] C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
O4 - HKLM\..\Run: [oleaut32.dll] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetPerSec.lnk = C:\Program Files\NetPerSec\NetPerSec.exe
O4 - Global Startup: Vermillion FTP Daemon.lnk = C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
O4 - Global Startup: VitalAgent IT.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229552143288
O16 - DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} (BillToBill.Signature) - http://login.billtobill.com/login/download/b2bsig1003.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229552128637
O16 - DPF: {769F454F-A488-11D4-AA30-005004C3096A} (DME Web Support) - http://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://rna.nsa.nexus.telstra.com.au/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\TalentVX\Skype4COM.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MGE Service module - Unknown owner - C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINNT\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups2.exe (file missing)
--
End of file - 13536 bytes
======Scheduled tasks folder======
C:\WINNT\tasks\SyncBack MiloBkup_C_Cavedog.job
C:\WINNT\tasks\SyncBack MiloBkup_C_MailFaves.job
C:\WINNT\tasks\SyncBack MiloBkup_D.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c1ce531-09e9-4fc5-9803-1c2956615786}]
IeCaptureBho Object - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B3868B4-EBA8-48FA-A19B-E1DFB99066FA}]
BHO Class - C:\Program Files\FlashCapture\fcbho.dll [2009-03-26 815104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-09 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-09 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\System32\msdxm.ocx [2005-03-31 844560]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"LoadQM"=C:\WINNT\loadqm.exe [2000-05-03 7536]
"anvshell"=C:\WINNT\anvshell.exe [2000-08-02 319488]
"SoundMan"=C:\WINNT\SOUNDMAN.EXE [2002-03-21 46592]
"NeroCheck"=C:\WINNT\System32\NeroCheck.exe [2001-07-09 155648]
"NvCplDaemon"=C:\WINNT\system32\NvCpl.dll [2005-12-10 7311360]
"nwiz"=nwiz.exe /install []
"CreateCD50"=C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe [2002-07-31 131157]
"AdaptecDirectCD"=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe [2002-07-31 684032]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2003-05-20 77824]
"Tweak UI"=TWEAKUI.CPL,TweakMeUp []
"NvMediaCenter"=C:\WINNT\system32\NvMcTray.dll [2005-12-10 86016]
"OpwareSE2"=C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe [2003-05-08 49152]
"USBDetect"=C:\Program Files\VoSKY USB Phone\USBDetect.exe [2005-09-12 200704]
"Telstra_TM"=C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe [2007-06-11 245760]
"MaxtorOneTouch"=C:\Program Files\Maxtor\ManagerApp\OneTouch.exe [2006-08-11 712704]
"mspm"=C:\Program Files\Maxtor\utils\mspm.exe [2005-09-03 225280]
""= []
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"NBKeyScan"=C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2007-09-10 1828136]
"AtiPTA"=C:\WINNT\system32\atiptaxx.exe [2006-02-22 344064]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-09 148888]
"pspNetSystray"=C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe [2007-01-23 1208320]
"oleaut32.dll"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-07-16 1166216]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Steam"= []
"H/PC Connection Agent"=C:\PROGRA~1\MICROS~4\wcescomm.exe [2005-11-15 1200128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe [2007-08-21 202024]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
BlackICE Utility.lnk - C:\Program Files\Network ICE\BlackICE\blackice.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
NetPerSec.lnk - C:\Program Files\NetPerSec\NetPerSec.exe
Vermillion FTP Daemon.lnk - C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
VitalAgent IT.lnk - C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
VPN Client.lnk - C:\WINNT\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
PowerReg SchedulerV2.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ActiveSync]
C:\WINNT\system32\WcesWlgn.dll [2005-11-15 7168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINNT\system32\Ati2evxx.dll [2006-05-04 61440]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,zpasspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\WINNT\System32\Notepad.exe %1
.js - open - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - edit - C:\WINNT\System32\Notepad.exe %1
.vbs - open - C:\WINNT\System32\WScript.exe "%1" %*
======List of files/folders created in the last 1 months======
2009-04-23 18:32:56 ----D---- C:\rsit
2009-04-23 18:16:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-23 18:16:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-23 16:27:05 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-04-23 16:26:49 ----A---- C:\WINNT\system32\oleaccrc.dll
2009-04-23 16:26:49 ----A---- C:\WINNT\system32\oleacc.dll
2009-04-23 16:26:49 ----A---- C:\WINNT\system32\msaatext.dll
2009-04-23 16:26:48 ----D---- C:\Program Files\Spyware Doctor
2009-04-23 16:26:48 ----D---- C:\Documents and Settings\Administrator\Application Data\PC Tools
2009-04-23 15:21:03 ----D---- C:\Program Files\Trend Micro
2009-04-23 15:17:08 ----D---- C:\Program Files\ERUNT
2009-04-11 23:05:17 ----D---- C:\Program Files\FlashCapture
2009-04-11 21:38:57 ----D---- C:\Program Files\Flash Saving Plugin
2009-04-09 09:21:42 ----A---- C:\WINNT\system32\javaws.exe
2009-04-09 09:21:42 ----A---- C:\WINNT\system32\javaw.exe
2009-04-09 09:21:42 ----A---- C:\WINNT\system32\java.exe
2009-03-29 20:41:08 ----RA---- C:\WINNT\system32\lvcoinst.ini
2009-03-29 20:41:08 ----RA---- C:\WINNT\system32\lvci1150.dll
2009-03-29 20:41:06 ----RA---- C:\WINNT\system32\LVUI2RC.dll
2009-03-29 20:41:05 ----RA---- C:\WINNT\system32\LVUI2.dll
2009-03-29 20:41:04 ----RA---- C:\WINNT\system32\lvcodec2.dll
2009-03-29 20:40:51 ----D---- C:\Program Files\Common Files\logishrd
2009-03-29 20:40:50 ----A---- C:\WINNT\system32\vfwwdm32.dll
2009-03-29 20:40:50 ----A---- C:\WINNT\system32\tsbyuv.dll
2009-03-29 20:40:49 ----A---- C:\WINNT\system32\iyuv_32.dll
2009-03-26 16:43:26 ----D---- C:\Program Files\AC3Filter
======List of files/folders modified in the last 1 months======
2009-04-23 18:32:57 ----D---- C:\WINNT\system32
2009-04-23 18:31:15 ----D---- C:\WINNT\security
2009-04-23 18:29:04 ----D---- C:\WINNT\Temp
2009-04-23 18:28:29 ----D---- C:\WINNT\system32\drivers
2009-04-23 18:26:13 ----D---- C:\WINNT\system32\NtmsData
2009-04-23 18:22:41 ----A---- C:\WINNT\SchedLgU.Txt
2009-04-23 18:16:44 ----RD---- C:\Program Files
2009-04-23 17:56:19 ----AD---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-23 16:54:27 ----D---- C:\WINNT
2009-04-23 16:43:57 ----SD---- C:\WINNT\Downloaded Program Files
2009-04-23 16:27:09 ----RSHDC---- C:\WINNT\system32\dllcache
2009-04-23 16:27:01 ----D---- C:\WINNT\inf
2009-04-23 16:26:58 ----D---- C:\WINNT\RegisteredPackages
2009-04-23 15:55:50 ----A---- C:\WINNT\ntbtlog.txt
2009-04-23 11:29:06 ----SHD---- C:\WINNT\Installer
2009-04-23 11:20:31 ----SHD---- C:\WINNT\CSC
2009-04-23 11:04:29 ----SHD---- C:\RECYCLER
2009-04-23 02:53:29 ----AD---- C:\Program Files\SyncBack
2009-04-21 19:04:11 ----D---- C:\Program Files\Folder Lock
2009-04-18 13:42:46 ----D---- C:\Program Files\Steam
2009-04-18 01:10:09 ----D---- C:\Documents and Settings\Administrator\Application Data\dvdcss
2009-04-18 01:09:43 ----A---- C:\WINNT\NeroDigital.ini
2009-04-17 19:18:48 ----D---- C:\Documents and Settings\Administrator\Application Data\uTorrent
2009-04-14 21:10:27 ----D---- C:\Documents and Settings\Administrator\Application Data\Skype
2009-04-12 14:21:16 ----D---- C:\My Music
2009-04-09 09:21:08 ----A---- C:\WINNT\system32\deploytk.dll
2009-04-07 17:37:53 ----A---- C:\WINNT\AVCAMERA.INI
2009-03-29 20:41:01 ----D---- C:\WINNT\twain_32
2009-03-29 20:40:51 ----D---- C:\Program Files\Common Files
2009-03-28 10:40:02 ----D---- C:\Documents and Settings\Administrator\Application Data\Canon
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 ANVOSDNT;ASUS Keyboard Filter Driver; C:\WINNT\System32\DRIVERS\anvosdnt.sys [2002-07-30 323635]
R1 atitray;atitray; \??\C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys []
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2007-07-27 9336]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2007-07-27 9464]
R1 cdudf;cdudf; C:\WINNT\system32\drivers\cdudf.sys [2002-07-31 362083]
R1 pwd_2k;pwd_2k; C:\WINNT\system32\drivers\pwd_2k.sys [2002-07-31 132058]
R1 UdfReadr;UdfReadr; C:\WINNT\system32\drivers\UdfReadr.sys [2002-07-31 227266]
R1 VIAPFD;VIAPFD; C:\WINNT\System32\Drivers\VIAPFD.SYS [2001-12-18 3279]
R2 0VsNdis08;VitalAgent Network Driver 8.0; \??\C:\Program Files\INS\VitalAgent\Program\VsNdis08.sys []
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINNT\system32\Drivers\CVPNDRVA.sys []
R2 HidUsb;Microsoft HID Class Driver; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
R2 mbmiodrvr;mbmiodrvr; \??\C:\WINNT\system32\mbmiodrvr.sys []
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\System32\DRIVERS\nwlnkipx.sys [2003-06-20 91408]
R2 NwlnkNb;NWLink NetBIOS; C:\WINNT\System32\DRIVERS\nwlnknb.sys [2003-06-20 65520]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\System32\DRIVERS\nwlnkspx.sys [2000-07-26 58480]
R2 SecDrv;SecDrv; \??\C:\WINNT\System32\drivers\SECDRV.SYS []
R3 ALCXWDM;Service for Avance AC97 Audio (WDM); C:\WINNT\system32\drivers\ALCXWDM.SYS [2002-05-28 627660]
R3 ati2mtag;ati2mtag; C:\WINNT\system32\DRIVERS\ati2mtag.sys [2006-05-04 1540608]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINNT\system32\DRIVERS\dne2000.sys [2007-01-31 127376]
R3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINNT\system32\DRIVERS\dsNcAdpt.sys [2008-08-29 23552]
R3 dvd_2K;dvd_2K; C:\WINNT\system32\drivers\dvd_2K.sys [2002-07-31 25578]
R3 EL90X;3Com EtherLink XL Adapter Driver; C:\WINNT\System32\DRIVERS\el90xnd5.sys [1999-11-02 78096]
R3 IKSysFlt;System Filter Driver; C:\WINNT\system32\drivers\iksysflt.sys [2008-06-02 66952]
R3 IKSysSec;System Security Driver; C:\WINNT\system32\drivers\iksyssec.sys [2008-06-10 81288]
R3 IPSECSHM;Nortel IPSECSHM Adapter; C:\WINNT\System32\DRIVERS\ipsecw2k.sys [2003-07-18 115680]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINNT\system32\DRIVERS\LVUSBSta.sys [2007-10-12 41752]
R3 NaiFiltr;NaiFiltr; \??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys []
R3 OVT511;EliteCam2000; C:\WINNT\System32\Drivers\omcamvid.sys [2000-03-06 126882]
R3 rtl8139;Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver; C:\WINNT\System32\DRIVERS\RTL8139.SYS [1999-09-24 18704]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-20 32848]
R3 usbaudio;USB Audio Driver (WDM); C:\WINNT\system32\drivers\usbaudio.sys [1999-10-12 68912]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-20 40176]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\System32\DRIVERS\usbprint.sys [2003-06-20 21872]
R3 usbscan;USB Scanner Driver; C:\WINNT\System32\DRIVERS\usbscan.sys [2003-06-20 12592]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-20 21552]
R3 WinDriver6;WinDriver6; C:\WINNT\system32\drivers\windrvr6.sys [2007-04-06 166912]
R4 black;BlackICE driver, version 1.0, by Internet Security Systems, Inc.; \??\C:\WINNT\System32\drivers\BlackDrv.sys []
S1 ANVIOCTL;ANVIOCTL; C:\WINNT\System32\DRIVERS\anvioctl.sys [2000-12-12 212540]
S1 kbdhid;Keyboard HID Driver; C:\WINNT\System32\DRIVERS\kbdhid.sys [1999-10-04 13744]
S1 StarOpen;StarOpen; C:\WINNT\system32\drivers\StarOpen.sys []
S2 0VsComm12;VitalAgent Serial Port Driver 12.2; \??\C:\Program Files\INS\VitalAgent\Program\VsComm12.sys []
S2 BsUDF;InCD UDF Driver; C:\WINNT\system32\drivers\BsUDF.sys []
S2 IPSECEXT;Nortel Extranet Access Protocol; C:\WINNT\System32\DRIVERS\ipsecw2k.sys [2003-07-18 115680]
S3 ccdecode;Closed Caption Decoder; C:\WINNT\system32\drivers\ccdecode.sys [2004-07-09 16384]
S3 cm8330;C-Media CM8330 Audio Driver (WDM); C:\WINNT\system32\drivers\cm8330.sys [2000-02-25 23413]
S3 cmusbnet;WAN Driver @ 3GPP (6280); C:\WINNT\system32\DRIVERS\cmusbnet.sys [2007-06-22 87424]
S3 cmusbser;Cmotech USB Device for Legacy Serial Communication; C:\WINNT\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINNT\system32\DRIVERS\CVirtA.sys [2007-01-18 5275]
S3 ELNK3;3Com EtherLink III; C:\WINNT\System32\DRIVERS\elnk3.sys [1999-09-25 37136]
S3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM); C:\WINNT\system32\drivers\ES1370MP.sys [1999-11-12 41328]
S3 FilterService;UVC Filter Service; C:\WINNT\system32\DRIVERS\lvuvcflt.sys [2007-10-12 23832]
S3 GMSIPCI;GMSIPCI; \??\F:\INSTALL\GMSIPCI.SYS []
S3 GVCplDrv;GVCplDrv; C:\WINNT\system32\drivers\GVCplDrv.sys [2006-03-24 17756]
S3 HidBatt;HID UPS Battery Driver; C:\WINNT\System32\DRIVERS\HidBatt.sys [2003-06-20 18928]
S3 IKFileSec;File Security Driver; C:\WINNT\system32\drivers\ikfilesec.sys [2008-06-02 42376]
S3 LVUVC;Logitech QuickCam Pro 9000(UVC); C:\WINNT\system32\DRIVERS\lvuvc.sys [2007-10-12 3647384]
S3 mmc_2K;mmc_2K; C:\WINNT\system32\drivers\mmc_2K.sys [2002-07-31 30246]
S3 mouhid;Mouse HID Driver; C:\WINNT\System32\DRIVERS\mouhid.sys [2003-06-20 11632]
S3 MPE;BDA MPE Filter; C:\WINNT\System32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 MXOPSWD;Maxtor OneTouch Security Driver; C:\WINNT\system32\DRIVERS\mxopswd.sys [2005-04-06 15360]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\system32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 nm;Network Monitor Driver; C:\WINNT\System32\DRIVERS\NMnt.sys [2003-06-20 37552]
S3 NPF;NetGroup Packet Filter Driver; C:\WINNT\system32\drivers\npf.sys [2007-11-07 34064]
S3 NtApm;NT Apm/Legacy Interface Driver; C:\WINNT\System32\DRIVERS\NtApm.sys [1999-09-25 9104]
S3 nv;nv; C:\WINNT\System32\DRIVERS\nv4_mini.sys [2005-12-10 3536768]
S3 nv4;nv4; C:\WINNT\System32\DRIVERS\anv_mini.sys [2000-07-20 457422]
S3 OVT511Plus;AVerCam; C:\WINNT\System32\Drivers\omcamvid.sys [2000-03-06 126882]
S3 PORTMON;PORTMON; \??\C:\TRL_Backup\Sniffer\InterestingSnoops\PORTMSYS.SYS []
S3 sb16;C-Media SB16 Driver (WDM); C:\WINNT\system32\drivers\cm8330sb.sys [2000-02-25 21431]
S3 sermouse;Serial Mouse Driver; C:\WINNT\System32\DRIVERS\sermouse.sys [2000-07-26 17136]
S3 SiSV;SiSV; C:\WINNT\System32\DRIVERS\SiSV.sys [1999-09-28 49904]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\System32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\System32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 TDIMSYS;TDIMSYS; \??\C:\WINNT\system32\drivers\TDIMSYS.SYS []
S3 viafilter;VIA USB Filter; C:\WINNT\System32\Drivers\viausb.sys [2002-02-07 9038]
S3 vsdatant;vsdatant; \??\C:\WINNT\system32\vsdatant.sys []
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINNT\System32\DRIVERS\wceusbsh.sys [2005-06-14 104576]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\System32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 ACPI;ACPI; C:\WINNT\system32\drivers\ACPI.sys []
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\system32\Ati2evxx.exe [2006-05-04 413696]
R2 AvSynMgr;AVSync Manager; C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-30 155665]
R2 BlackICE;BlackICE; C:\Program Files\Network ICE\BlackICE\blackd.exe [2001-12-19 651264]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2007-10-26 1524512]
R2 dsNcService;Juniper Network Connect Service; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [2008-08-29 431472]
R2 HCLInetd;Hummingbird Inetd; C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe [2000-08-02 32768]
R2 HCLInetd;Hummingbird Inetd; C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe [2000-08-02 32768]
R2 HidServ;HID Input Service; C:\WINNT\system32\hidserv.exe [2003-06-20 19728]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-09 152984]
R2 Jconfigd;Hummingbird Jconfig Daemon; C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe [2000-07-08 28672]
R2 MaxBackServiceInt;MaxBackServiceInt; C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe [2006-07-17 184320]
R2 MGE Service module;MGE Service module; C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe [2007-01-23 126976]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-10 836904]
R2 NTService1;MaxSyncService; C:\Program Files\Maxtor\Utils\SyncServices.exe [2006-02-07 106496]
R2 PnkBstrA;PnkBstrA; C:\WINNT\system32\PnkBstrA.exe [2007-10-07 66872]
R2 StiSvc;Still Image Service; C:\WINNT\system32\stisvc.exe [2003-06-20 61712]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\System32\mspmspsv.exe [2001-05-01 53248]
R3 McShield;McShield; C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe [2001-04-30 229499]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-08-21 382248]
S2 ATI Smart;ATI Smart; C:\WINNT\system32\ati2sgag.exe [2004-09-15 516096]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINNT\System32\nvsvc32.exe [2005-12-10 131139]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-07 92792]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-08-07 1073544]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\System32\svchost.exe [2000-07-26 7952]
-----------------EOF-----------------
RSIT info.txt
==========
info.txt logfile of random's system information tool 1.06 2009-04-23 18:33:23
======Uninstall list======
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINNT\UNINST.EXE -fC:\PROGRA~1\NOKIA9~1\DeIsL1.isu -cC:\PROGRA~1\NOKIA9~1\ILUNINST.DLL
-->C:\WINNT\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINNT\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINNT\UNNeroShowTime.exe /UNINSTALL
-->C:\WINNT\UNNeroVision.exe /UNINSTALL
-->C:\WINNT\UNRecode.exe /UNINSTALL
3GP Player 2008-->"C:\Program Files\3GP Player\unins000.exe"
A+ German-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D1AAE4A6-CC31-454C-8BDE-A1507FDC6F0D}\setup.exe"
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Access Point Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0BA27E35-EBB2-440E-9F07-46315C42AD6A}
ACDSee Classic-->C:\PROGRA~1\ACDSee32\UNWISE.EXE C:\PROGRA~1\ACDSee32\INSTALL.LOG
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 10 ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe Shockwave Player-->C:\WINNT\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~2\Install.log
Adolix Split and Merge PDF v1.3-->"C:\Program Files\Adolix Split and Merge PDF\unins000.exe"
AFPL Ghostscript 8.14-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\gs8.14\uninstal.txt"
AFPL Ghostscript Fonts-->C:\Program Files\gs\uninstgs.exe "C:\Program Files\gs\fonts\uninstal.txt"
Age of Mythology - The Titans Expansion-->"G:\Age of Mythology\UNINSTXP.EXE" /runtemp /addremove
Age of Mythology-->"G:\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
Applian FLV Player-->"C:\WINNT\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
AsfTools 3.1 (remove only)-->C:\Program Files\AsfTools 3.1\Uninst.exe
ASUS Display Drivers-->C:\WINNT\anvunis.exe
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver (Omega 3.8.252)-->rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avance AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
AVerMedia AVerCam-->C:\WINNT\IsUninst.exe -f"C:\Program Files\AVerCam\Uninst.isu"
BlackICE-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76542EE3-5849-11D2-9C18-00609707C0FF}\setup.exe"
BulletProof FTP-->C:\Program Files\BPFTP\uninstbp.EXE
Cablenut 4.02 (remove only)-->C:\Program Files\Cablenut\uninst-cablenut.exe
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon MF Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01B93B3A-283F-411B-A648-69CABCACC986}\Setup.exe" -l0x9 -Uninstall
Canon MF Toolbox 4.7.0.0.mf04-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{132CA5D9-C745-4B0B-A3B2-8C7A6EC3EE7E}\Setup.exe" -l0x9 -Uninstall
Canon Utilities Digital Photo Professional 3.0-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Cheating-Death 4.12.0-->C:\Program Files\Cheating-Death\UninstCD.exe
Cisco Systems VPN Client 5.0.02.0090-->MsiExec.exe /X{871DF2BE-41D2-4334-AC33-839AF16FC8FE}
Cluedos (remove only)-->"C:\Program Files\Cluedos\uninst.exe"
COGS-->MsiExec.exe /I{F8ECB04F-BAE1-476B-A187-5B733E8BD0C4}
Combat Mission-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD1DC860-2B0A-11D4-BD2E-00500480A380}\setup.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Counter-Strike: Source-->"C:\Program Files\Steam\steam.exe" steam://uninstall/240
CrashBak 2004-->C:\WINNT\iun6002.exe "G:\Flight Simulator 9\CrashBak2004\irunin.ini"
DeepBurner Pro v1.6.0.198-->"C:\Program Files\Astonsoft\DeepBurner Pro\Uninstall.exe" "C:\Program Files\Astonsoft\DeepBurner Pro\install.log"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Duke Nukem - Manhattan Project-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8B9336DB-8D04-4325-BAFC-C7141D8E6CA1}
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
e-PDF To Word Converter v2.5-->"C:\Program Files\e-PDF To Word Converter\unins000.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FlashCapture v2.6.0.1231-->"C:\Program Files\FlashCapture\uninstall.exe"
FLV Player-->"C:\WINNT\FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
Folder Access 2.0.0 Free Version-->C:\PROGRA~1\FOLDER~2\FOLDER~1.EXE UnInstall
Free PDF2Word Converter-->MsiExec.exe /I{2B1F0D3F-E38C-4189-ACED-5DD413E029E6}
GameSpy Arcade-->C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Global DiVX Player-->"C:\Program Files\GDiVX Player\GDiVX-Uninstall.exe"
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Grand Theft Auto Vice City-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
GSview 4.6-->C:\Program Files\gs\Ghostgum\gsview\uninstgs.exe "C:\Program Files\gs\Ghostgum\gsview\uninstal.txt"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for MDAC 2.53 (KB911562)-->"C:\WINNT\$SQLUninstallMDAC25SP3-KB911562-x86-ENU$\spuninst\spuninst.exe"
Hotfix for MDAC 2.53 (KB927779)-->"C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$\spuninst\spuninst.exe"
Hummingbird Exceed V7.0-->MsiExec.exe /I{CE573341-2049-4FBA-9473-C2B5DA82E8E8}
ICQ-->C:\PROGRA~1\ICQ\ICQUninstall.EXE
I-Jolt-->"C:\Program Files\I-Jolt\unins000.exe"
Internet Explorer Q903235-->C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
IZArc 3.4.1.4-->"C:\Program Files\IZArc\unins000.exe"
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_08-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142080}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Juniper Networks Network Connect 6.2.0-->"C:\Program Files\Juniper Networks\Network Connect 6.2.0\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mathcad 2000 Professional-->C:\WINNT\IsUninst.exe -f"C:\Program Files\MathSoft\Mathcad 2000 Professional\Uninst.isu"
MATLAB Family of Products Release 14-->C:\MATLAB7\uninstall\uninstall.exe C:\MATLAB7\
Maxtor Backup-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9C3F9580-F5CF-4288-894E-9FF0EB24A21C} /l1033
Maxtor OneTouch III-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FF268652-B3E8-494F-8343-1FC6DD0FF523} /l1033
McAfee VirusScan-->MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft ActiveSync 4.0-->MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Flight Simulator 2004 A Century of Flight-->"G:\Flight Simulator 9\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Live Meeting 2005-->MsiExec.exe /I{2A8C1EC1-9253-4CAA-812B-57F5826C1F17}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Rise Of Nations-->"C:\Program Files\Microsoft Games\Rise of Nations\UNINSTAL.EXE" /runtemp /addremove
Microsoft Visual C++ 6.0 Professional Edition-->"C:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe"
Microsoft XML Parser and SDK-->MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Motherboard Monitor 5-->"C:\Program Files\Motherboard Monitor 5\unins000.exe"
MP3 To Wave Converter PLUS-->C:\PROGRA~1\ACOUST~1\UNWISE.EXE C:\PROGRA~1\ACOUST~1\INSTALL.LOG
MSDN Library - Visual Studio 6.0a-->"C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\Setup.exe"
MSI MSIDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
MSN Gaming Zone-->C:\PROGRA~1\MSNGAM~1\zsetup.exe /Uninstall
MSN Messenger 7.0-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
MultiRes (remove only)-->C:\Program Files\Radeon Omega Drivers\MultiRes\uninstal.exe
My DShot Camera Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E54A963-5088-4C7E-8253-D06BCFFA8A46}\setup.exe"
MySpaceIM-->C:\Program Files\MySpace\IM\Uninstall.exe
Neighbours From Hell-->MsiExec.exe /X{09920072-6923-4E37-A150-5C6A3092DB7E}
NeoTrace Pro 3.25 Trial-->C:\PROGRA~1\NEOTRA~1\UNWISE.EXE C:\PROGRA~1\NEOTRA~1\INSTALL.LOG
Nero 8-->MsiExec.exe /X{A39DAD32-3515-438D-8617-F8AE2A301033}
NetPerSec-->C:\WINNT\IsUninst.exe -f"C:\Program Files\NetPerSec\Uninst.isu"
Nortel Networks Contivity VPN Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF964A78-078C-11D1-B7A7-0000C0134CE6}\setup.exe" Uninstall
NVIDIA Drivers-->C:\WINNT\system32\nvudisp.exe UninstallGUI
OmniPage SE 2.0-->MsiExec.exe /I{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}
Online Documentation-->C:\WINNT\IsUninst.exe -f"C:\Program Files\MathSoft\Mathcad 2000 Professional\Doc\Uninst.isu"
PDF Export Kit-->C:\PROGRA~1\INTELL~1\demos\UNWISE.EXE /U C:\PROGRA~1\INTELL~1\demos\pdfekit.log
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
Personal Solution Pac-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0335E386-9ECB-11D4-BA6E-0020AFBCF620}\setup.exe"
P-Guard v.1.03-->"C:\Program Files\P-Guard\unins000.exe"
PhoeniX WorX Client-->MsiExec.exe /I{ADE4E72B-35C4-41DD-99B7-A30722FF01A4}
Postal 2-->C:\WINNT\unvise32.exe g:\Postal2\uninstal.log
QuickTime-->C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
Radeon Omega Drivers v3.8.252 Setup Files and Tools-->"C:\WINNT\Radeon Omega Drivers v3.8.252 Uninstall.exe" "/U:C:\Program Files\Radeon Omega Drivers\v3.8.252\Omega Uninstall.xml"
Railkings Railroad Simulator-->C:\WINNT\IsUninst.exe -f"g:\games\Railkings Railroad Simulator\Uninst.isu"
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for DirectX 9 (KB951698)-->"C:\WINNT\$NtUninstallKB951698_DX9$\spuninst\spuninst.exe"
Security Update for Microsoft .NET Framework 2.0 (KB947746)-->C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {F787D19E-C7F4-4758-A9DD-5CCF6D72EA86} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows 2000 (KB904706)-->"C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689)-->"C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569)-->"C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows Media Encoder (KB954156)-->"C:\WINNT\$NtUninstallKB954156_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINNT\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINNT\$NtUninstallKB952069_WM71$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINNT\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB954600)-->"C:\WINNT\$NtUninstallKB954600_WM41$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINNT\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINNT\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINNT\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Server Query - GameArena Edition (remove only)-->"C:\Program Files\Server Query - GameArena Edition\uninst-ga.exe"
Shockwave-->C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Skype™ 3.5-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SMS Buddy-->"C:\Program Files\SMS Buddy\Uninstall\unins000.exe"
SopCast 1.1.2-->C:\Program Files\SopCast\uninst.exe
Spb GPRS Monitor-->C:\Program Files\Microsoft ActiveSync\Spb GPRS Monitor\Uninstall.exe Spb GPRS Monitor
Spring 0.74b3-->C:\Program Files\Spring\uninst.exe
Spyware Doctor 6.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Steam(TM)-->C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
SyncBack-->"C:\Program Files\SyncBack\unins000.exe"
TA Demo Recorder-->"C:\Program Files\TADemo\uninstall.exe"
TA WarZone Client-->C:\CAVEDOG\WarZone\UNWISE.EXE C:\CAVEDOG\WarZone\INSTALL.LOG
TalentVX-->MsiExec.exe /I{EC034D7F-D81A-4D64-BCC8-11D8E42BD8ED}
Telstra Turbo Modem Manager-->C:\Program Files\InstallShield Installation Information\{A3E07804-B5DB-43E1-AEBD-DC89422CF254}\setup.exe -runfromtemp -l0x0009 -removeonly
Telstra Usage Meter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{714E6F9A-7FAF-41F1-8B36-75ED9449479B}\setup.exe" UsageMaint
The Playa-->"C:\Program Files\The Playa\uninstall.exe"
Total Annihilation - Core Contingency-->C:\CAVEDOG\TOTALA\CC\CCQUERY.EXE
Total Annihilation-->C:\CAVEDOG\TOTALA\setup.exe -u
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
Tweak UI-->C:\WINNT\rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 4 C:\WINNT\Inf\Tweakui.Inf
Typing Tutor-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Typing Tutor\Uninst.isu"
Update Rollup 1 for Windows 2000 SP4-->"C:\WINNT\$NtUpdateRollupPackUninstall$\spuninst\spuninst.exe"
Vermillion FTP Daemon-->C:\WINNT\uninst.exe -f"C:\Program Files\Arcane Software\Vermillion FTP Daemon\DeIsL1.isu" -c"C:\Program Files\Arcane Software\Vermillion FTP Daemon\_ISREG32.DLL"
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Visio 2000-->C:\Program Files\Common Files\Visio Shared\Vim.exe
VitalAgentIT-->C:\PROGRA~1\INS\VITALA~1\UNWISE.EXE C:\PROGRA~1\INS\VITALA~1\INSTALL.LOG
Vodei Multimedia Processor 2.00-->C:\Program Files\Vodei\uninst.exe
VoSKY USB Phone-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7E7CBAA1-5D14-4351-B688-DDE6BE99A6E5}\setup.exe" -l0x9
WarZone Client v1.0.40-->C:\CAVEDOG\WarZone\UNWISE.EXE C:\CAVEDOG\WarZone\INSTALL.LOG
WarZone Client v1.0.41-->C:\CAVEDOG\WarZone\UNWISE.EXE C:\CAVEDOG\WarZone\INSTALL.LOG
WarZone Client v1.0.44-->C:\CAVEDOG\WarZone\UNWISE.EXE C:\CAVEDOG\WarZone\INSTALL.LOG
WarZone Client-->C:\CAVEDOG\WarZone\UNWISE.EXE C:\CAVEDOG\WarZone\INSTALL.LOG
Windows 2000 Hotfix - KB833407-->C:\WINNT\$NtUninstallKB833407$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB842773-->C:\WINNT\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB890046-->"C:\WINNT\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB893756-->"C:\WINNT\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB894320-->"C:\WINNT\$NtUninstallKB894320$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896358-->"C:\WINNT\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896422-->"C:\WINNT\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896423-->"C:\WINNT\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896424-->"C:\WINNT\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896688-->"C:\WINNT\$NtUninstallKB896688-IE6SP1-20051004.130236$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896727-->"C:\WINNT\$NtUninstallKB896727-IE6SP1-20050719.165959$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899587-->"C:\WINNT\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899588-->"C:\WINNT\$NtUninstallKB899588$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899589-->"C:\WINNT\$NtUninstallKB899589$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB900725-->"C:\WINNT\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901017-->"C:\WINNT\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901214-->"C:\WINNT\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB902400-->"C:\WINNT\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905414-->"C:\WINNT\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905495-->"C:\WINNT\$NtUninstallKB905495-IE6SP1-20050805.184113$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905749-->"C:\WINNT\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905915-->"C:\WINNT\$NtUninstallKB905915-IE6SP1-20051122.175908$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908519-->"C:\WINNT\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908523-->"C:\WINNT\$NtUninstallKB908523$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908531-->"C:\WINNT\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911280-->"C:\WINNT\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911567-->"C:\WINNT\$NtUninstallKB911567-OE6SP1-20060316.165634$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912812-->"C:\WINNT\$NtUninstallKB912812-IE6SP1-20060322.182418$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912919-->"C:\WINNT\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB913580-->"C:\WINNT\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914388-->"C:\WINNT\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914389-->"C:\WINNT\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB916281-->"C:\WINNT\$NtUninstallKB916281-IE6SP1-20060526.162249$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917008-->"C:\WINNT\$NtUninstallKB917008$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917159-->"C:\WINNT\$NtUninstallKB917159$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917422-->"C:\WINNT\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917537-->"C:\WINNT\$NtUninstallKB917537$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917736-->"C:\WINNT\$NtUninstallKB917736$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917953-->"C:\WINNT\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB918118-->"C:\WINNT\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB918899-->"C:\WINNT\$NtUninstallKB918899-IE6SP1-20060725.123917$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920213-->"C:\WINNT\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920670-->"C:\WINNT\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920683-->"C:\WINNT\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920685-->"C:\WINNT\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB920958-->"C:\WINNT\$NtUninstallKB920958$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB921398-->"C:\WINNT\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB921883-->"C:\WINNT\$NtUninstallKB921883$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922582-->"C:\WINNT\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922616-->"C:\WINNT\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB922760-->"C:\WINNT\$NtUninstallKB922760-IE6SP1-20061018.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923191-->"C:\WINNT\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923414-->"C:\WINNT\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923694-->"C:\WINNT\$NtUninstallKB923694-OE6SP1-20061106.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923810-->"C:\WINNT\$NtUninstallKB923810$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB923980-->"C:\WINNT\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924191-->"C:\WINNT\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924270-->"C:\WINNT\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB924667-->"C:\WINNT\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925454-->"C:\WINNT\$NtUninstallKB925454-IE6SP1-20061116.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925486-->"C:\WINNT\$NtUninstallKB925486-IE6SP1-20060918.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB925902-->"C:\WINNT\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB926122-->"C:\WINNT\$NtUninstallKB926122$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB926436-->"C:\WINNT\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB927891-->"C:\WINNT\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB928090-->"C:\WINNT\$NtUninstallKB928090-IE6SP1-20070125.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB928843-->"C:\WINNT\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB929969-->"C:\WINNT\$NtUninstallKB929969-IE6SP1-20061220.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB930178-->"C:\WINNT\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB931768-->"C:\WINNT\$NtUninstallKB931768-IE6SP1-20070219.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB931784-->"C:\WINNT\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB932168-->"C:\WINNT\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB933566-->"C:\WINNT\$NtUninstallKB933566-IE6SP1-20070417.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB933729-->"C:\WINNT\$NtUninstallKB933729$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB935839-->"C:\WINNT\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB935840-->"C:\WINNT\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB937894-->"C:\WINNT\$NtUninstallKB937894$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB938464-->"C:\WINNT\$NtUninstallKB938464-IE6SP1-20080429.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB938827-->"C:\WINNT\$NtUninstallKB938827$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943055-->"C:\WINNT\$NtUninstallKB943055$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB943485-->"C:\WINNT\$NtUninstallKB943485$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB944338-->"C:\WINNT\$NtUninstallKB944338$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB945553-->"C:\WINNT\$NtUninstallKB945553$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB950749-->"C:\WINNT\$NtUninstallKB950749$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB950974-->"C:\WINNT\$NtUninstallKB950974$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB951066-->"C:\WINNT\$NtUninstallKB951066-OE6SP1-20080625.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB951748-->"C:\WINNT\$NtUninstallKB951748$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB952954-->"C:\WINNT\$NtUninstallKB952954$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB954211-->"C:\WINNT\$NtUninstallKB954211$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB955069-->"C:\WINNT\$NtUninstallKB955069$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB956391-->"C:\WINNT\$NtUninstallKB956391$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB956802-->"C:\WINNT\$NtUninstallKB956802$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB957095-->"C:\WINNT\$NtUninstallKB957095$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB957097-->"C:\WINNT\$NtUninstallKB957097$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB958215-->"C:\WINNT\$NtUninstallKB958215-IE6SP1-20081016.120000$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB958644-->"C:\WINNT\$NtUninstallKB958644$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB960714-->"C:\WINNT\$NtUninstallKB960714-IE6SP1-20081211.120000$\spuninst\spuninst.exe"
Windows 2000 Service Pack 4-->C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Player 9 Hotfix [See KB885492 for more information]-->C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series)-->C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinDriver 9.0.0.0 USB Driver-->C:\WINNT\system32\WdReg.exe -inf C:\WINNT\INF\WinDrvr6.inf uninstall
WinImage-->"D:\DriversNExecutables\WinImage\winimage.exe" /uninstall
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireshark 0.99.4-->"C:\Program Files\Wireshark\uninstall.exe"
Wolfenstein - Enemy Territory-->G:\WOLFEN~1\Uninstall\Unwise.exe /u G:\WOLFEN~1\Uninstall\Install.log
WT Realism Update v2.0-->"C:\Sierra\WT Realism Update\unins000.exe"
Xming 6.9.0.18-->"C:\Program Files\Xming\unins000.exe"
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"
Yahoo! Install Manager-->C:\WINNT\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger Explorer Bar-->C:\WINNT\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\YHEXBM~2.DLL
Yahoo!7 Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
======System event log======
Computer Name: DGVIMS-TOPLICA
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{A84BC5DB-0B9A-4587-84F6-181C38CE7897}.
Record Number: 17781
Source Name: Server
Time Written
Hi Milo,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Hi Blade,
Many thanks for getting back to me. Before proceeding with the ComboFix, I have a quick question for you. I also ran Panda's ActiveScan 2.0 in the meantime (seeing that it's highly recommended in many other threads in the forum), and I wanted to show you its results, just to give more information and, based on that, confirm that you're still happy with me to go ahead with the ComboFix as advised. I feel more comfortable just checking with you first.
Below you will find the Panda log, as well as the latest HJT log. Please note that the virus identified by Panda (Trj/Downloader.VTK) was _unable_ to be disinfected by Panda (the message was "Check the permissions of the infected file...."). When I tried to manually locate the *.DLL file, it wasn't anywhere on my system (perhaps it's being hidden somehow).
Milo
Panda ActiveScan 2.0 LOG
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-25 03:42:46
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan 4.5.1 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00801746 Trj/Downloader.VTK Virus/Trojan Yes 0 Yes No globalroot\systemroot\system32\gxvxculiyhkwfrccflvjbextrmudklmoypnrq.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location E39
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description E39
;===================================================================================================================================================================================
184379 MEDIUM MS08-001 E39
182048 HIGH MS07-069 E39
182043 HIGH MS07-064 E39
176382 HIGH MS07-057 E39
170911 HIGH MS07-050 E39
170907 HIGH MS07-046 E39
170906 HIGH MS07-045 E39
170904 HIGH MS07-043 E39
;===================================================================================================================================================================================
HJT Latest Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:14, on 25/04/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\MGE\PersonalSolutionPac\PCtl.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\MGE\PersonalSolutionPac\BIL.EXE
C:\Program Files\MGE\PersonalSolutionPac\CILUSB.EXE
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\VoSKY USB Phone\USBDetect.exe
C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ivanovich.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [USBDetect] C:\Program Files\VoSKY USB Phone\USBDetect.exe
O4 - HKLM\..\Run: [Telstra_TM] C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [pspNetSystray] C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
O4 - HKLM\..\Run: [oleaut32.dll] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetPerSec.lnk = C:\Program Files\NetPerSec\NetPerSec.exe
O4 - Global Startup: Vermillion FTP Daemon.lnk = C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
O4 - Global Startup: VitalAgent IT.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229552143288
O16 - DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} (BillToBill.Signature) - http://login.billtobill.com/login/download/b2bsig1003.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229552128637
O16 - DPF: {769F454F-A488-11D4-AA30-005004C3096A} (DME Web Support) - http://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://rna.nsa.nexus.telstra.com.au/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\TalentVX\Skype4COM.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MGE Service module - Unknown owner - C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINNT\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups2.exe (file missing)
--
End of file - 12804 bytes
When I tried to manually locate the *.DLL file, it wasn't anywhere on my system (perhaps it's being hidden somehow).
Hi
Yes, the file is hidden. Please follow the original plan in my previous post :)
Hi Blade,
I don't want to celebrate too early, but it's looking very promising. Please find below the ComboFix log and latest HJT log, as requested.
The reason I say it's looking promising is that all of my symptoms have disappeared: (i) no more Chinese message at bootup just before the Win2k login console, (ii) no more web browser + Google search redirects, (iii) Spybot S&D and MBAM are now able to run.
Finally, a quick question for you. Once this bad experience is behind me (hopefully, fingers crossed), do you recommend that I use MBAM from now on?
Or do I go back to using Spybot S&D, which despite being updated to the latest version and running resident Teatimer, didn't save me from this vicious infection? :-(
Thanks for all your help and advice so far.
Cheers,
Milo
===========
ComboFix Log
ComboFix 09-04-25.03 - Administrator 25/04/2009 11:12.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\winnt\IE4 Error Log.txt
c:\winnt\system32\drivers\gxvxculeyivkfxsdgjgrnyuwcxlhukiryaxxt.sys
c:\winnt\system32\gxvxccounter
c:\winnt\system32\gxvxculiyhkwfrccflvjbextrmudklmoypnrq.dll
c:\winnt\system32\msconfig.exe
c:\winnt\Web\default.htt
D:\Autorun.inf . . . . failed to delete
G:\Autorun.inf . . . . failed to delete
H:\Autorun.inf . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-25 01:20 . 2009-04-25 01:20 16384 ----atw c:\winnt\system32\Perflib_Perfdata_2c0.dat
2009-04-24 17:29 . 2008-06-19 06:24 28544 ----a-w c:\winnt\system32\drivers\pavboot.sys
2009-04-24 17:28 . 2009-04-24 17:28 -------- d-----w c:\program files\Panda Security
2009-04-24 14:52 . 2009-04-24 17:20 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-24 14:44 . 2009-04-24 14:44 -------- d-----w c:\program files\iss
2009-04-23 08:16 . 2009-04-06 05:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-23 08:16 . 2009-04-06 05:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-23 08:16 . 2009-04-23 08:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 08:16 . 2009-04-23 08:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 06:54 . 2009-04-23 07:14 1110236 ---h--w c:\winnt\ShellIconCache
2009-04-23 06:27 . 2009-04-24 08:16 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-23 06:26 . 2002-05-15 05:16 360448 -c--a-w c:\winnt\system32\dllcache\oleacc.dll
2009-04-23 06:26 . 2002-05-15 05:16 360448 ----a-w c:\winnt\system32\oleacc.dll
2009-04-23 06:26 . 2002-05-15 05:16 356352 -c--a-w c:\winnt\system32\dllcache\oleaccrc.dll
2009-04-23 06:26 . 2002-05-15 05:16 356352 ----a-w c:\winnt\system32\oleaccrc.dll
2009-04-23 06:26 . 2002-05-15 05:16 462848 ----a-w c:\winnt\system32\msaatext.dll
2009-04-23 05:21 . 2009-04-23 05:21 -------- d-----w c:\program files\Trend Micro
2009-04-23 05:17 . 2009-04-23 05:17 -------- d-----w c:\program files\ERUNT
2009-04-11 13:05 . 2009-04-11 13:05 -------- d-----w c:\program files\FlashCapture
2009-04-11 12:41 . 2009-03-12 03:48 41390 ----a-w C:\player01.swf
2009-04-11 12:41 . 2009-03-12 03:48 41390 ----a-w C:\player.swf
2009-04-11 11:38 . 2009-04-11 12:42 -------- d-----w c:\program files\Flash Saving Plugin
2009-03-29 10:41 . 2007-10-12 01:57 195096 ----a-r c:\winnt\system32\lvci1150.dll
2009-03-29 10:41 . 2007-10-12 01:18 21138 ----a-r c:\winnt\system32\Repository.reg
2009-03-29 10:41 . 2007-10-12 01:11 59500 ----a-r c:\winnt\system32\lvcoinst.ini
2009-03-29 10:41 . 2007-10-12 02:00 41752 ----a-r c:\winnt\system32\drivers\LVUSBSta.sys
2009-03-29 10:41 . 2007-10-12 02:00 465432 ----a-r c:\winnt\system32\LVUI2RC.dll
2009-03-29 10:41 . 2007-10-12 02:00 490008 ----a-r c:\winnt\system32\LVUI2.dll
2009-03-29 10:41 . 2007-10-12 01:57 416280 ----a-r c:\winnt\system32\lvcodec2.dll
2009-03-29 10:40 . 2007-10-12 02:00 3647384 ----a-r c:\winnt\system32\drivers\lvuvc.sys
2009-03-29 10:40 . 2009-03-29 10:40 -------- d-----w c:\program files\Common Files\logishrd
2009-03-29 10:40 . 2003-06-19 18:05 51472 -c--a-w c:\winnt\system32\dllcache\vfwwdm32.dll
2009-03-29 10:40 . 2003-06-19 18:05 51472 ----a-w c:\winnt\system32\vfwwdm32.dll
2009-03-29 10:40 . 1999-11-30 12:39 12560 -c--a-w c:\winnt\system32\dllcache\tsbyuv.dll
2009-03-29 10:40 . 1999-11-30 12:39 12560 ----a-w c:\winnt\system32\tsbyuv.dll
2009-03-29 10:40 . 1999-12-02 04:30 258320 ----a-w c:\winnt\system32\msh263.drv
2009-03-29 10:40 . 1999-11-30 12:39 45840 -c--a-w c:\winnt\system32\dllcache\iyuv_32.dll
2009-03-29 10:40 . 1999-11-30 12:39 45840 ----a-w c:\winnt\system32\iyuv_32.dll
2009-03-29 10:40 . 1999-12-02 04:30 19728 -c--a-w c:\winnt\system32\dllcache\dshowext.ax
2009-03-29 10:40 . 1999-12-02 04:30 19728 ----a-w c:\winnt\system32\dshowext.ax
2009-03-29 10:38 . 2007-10-12 02:01 23832 ----a-r c:\winnt\system32\drivers\lvuvcflt.sys
2009-03-26 06:43 . 2008-07-09 08:05 421888 ----a-w c:\winnt\system32\ac3filter.acm
2009-03-26 06:43 . 2009-03-26 06:43 -------- d-----w c:\program files\AC3Filter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 16:58 . 2009-03-07 07:55 -------- d---a-w c:\program files\SyncBack
2009-04-24 14:07 . 2001-09-22 11:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 14:02 . 2001-09-21 22:42 -------- d-----w c:\program files\ICQ
2009-04-23 07:56 . 2003-11-04 10:53 -------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 09:04 . 2004-09-25 15:34 -------- d-----w c:\program files\Folder Lock
2009-04-18 03:42 . 2005-11-14 08:35 -------- d-----w c:\program files\Steam
2009-04-17 15:10 . 2007-08-21 12:03 -------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-04-17 09:18 . 2009-02-08 09:31 -------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-04-14 11:10 . 2006-09-01 00:09 -------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-04-08 23:21 . 2008-12-03 09:47 410984 ----a-w c:\winnt\system32\deploytk.dll
2009-03-28 00:40 . 2006-06-22 11:30 -------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2009-03-21 14:33 . 2009-03-21 14:33 -------- d-----w c:\program files\MGE
2009-03-13 14:21 . 2009-03-13 14:21 3796 ----a-w c:\winnt\system32\d3d9caps.dat
2009-03-13 14:21 . 2009-03-13 14:21 -------- d-----w c:\documents and settings\Administrator\Application Data\atitray
2009-03-13 14:09 . 2009-03-13 14:08 -------- d-----w c:\program files\Radeon Omega Drivers
2009-03-13 14:08 . 2009-03-13 14:08 451072 ----a-w c:\winnt\Radeon Omega Drivers v3.8.252 Uninstall.exe
2009-03-13 14:06 . 2009-02-10 07:45 -------- d-----w c:\program files\ATI Technologies
2009-03-10 06:49 . 2009-03-10 06:49 -------- d-----w c:\program files\Adolix Split and Merge PDF
2009-02-26 01:02 . 2009-02-26 01:02 -------- d-----w c:\program files\Powerware
2009-02-10 09:02 . 2007-10-07 05:31 201440 ----a-w c:\winnt\system32\PnkBstrB.exe
2009-02-07 07:41 . 2008-01-26 07:38 3782 ----a-w C:\devicetable.log
2008-09-21 04:49 . 2005-09-05 12:46 49640 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2001-09-21 20:58 . 2001-09-21 20:58 271 ---h--w c:\program files\desktop.ini
2001-09-21 20:58 . 2001-09-21 20:58 21952 ---h--w c:\program files\folder.htt
1999-04-23 22:22 . 1999-04-23 22:22 12 --sh--w c:\winnt\system\WININETICMP32.drv
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MICROS~4\wcescomm.exe" [2005-11-15 1200128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-21 202024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\winnt\System32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2005-12-09 7311360]
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [2002-07-31 131157]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-07-31 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-05-20 77824]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2005-12-09 86016]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"USBDetect"="c:\program files\VoSKY USB Phone\USBDetect.exe" [2005-09-12 200704]
"Telstra_TM"="c:\program files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe" [2007-06-11 245760]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-10 1828136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-08 148888]
"pspNetSystray"="c:\program files\MGE\PersonalSolutionPac\mgenetsystray.exe" [2007-01-22 1208320]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"LoadQM"="loadqm.exe" - c:\winnt\loadqm.exe [2000-05-03 7536]
"anvshell"="anvshell.exe" - c:\winnt\anvshell.exe [2000-08-02 319488]
"SoundMan"="SOUNDMAN.EXE" - c:\winnt\SOUNDMAN.EXE [2002-03-21 46592]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2005-12-09 1519616]
"Tweak UI"="TWEAKUI.CPL" - c:\winnt\system32\TWEAKUI.CPL [2000-06-18 106544]
"AtiPTA"="atiptaxx.exe" - c:\winnt\system32\atiptaxx.exe [2006-02-22 344064]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2006-2-11 256000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BlackICE Utility.lnk - c:\program files\Network ICE\BlackICE\blackice.exe [2002-2-15 696320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-10-27 192512]
Vermillion FTP Daemon.lnk - c:\program files\Arcane Software\Vermillion FTP Daemon\vftpd.exe [2001-9-22 569344]
VitalAgent IT.lnk - c:\program files\INS\VitalAgent\Program\VtlAgent.exe [2001-9-22 1044992]
VPN Client.lnk - c:\winnt\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-1-5 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
2005-11-15 08:44 7168 ----a-w c:\winnt\system32\WcesWlgn.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= mmdrv.dll
"wave4"= vg1000.dll
"mixer3"= vg1000.dll
"midi9"=
"aux7"=
"aux8"=
"aux9"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zpasspc.dll, zwebauth.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"
R1 ANVIOCTL;ANVIOCTL;c:\winnt\system32\DRIVERS\anvioctl.sys [2000-12-12 212540]
R2 0VsComm12;VitalAgent Serial Port Driver 12.2;c:\program files\INS\VitalAgent\Program\VsComm12.sys [1999-11-12 15235]
R2 BsUDF;InCD UDF Driver; [x]
R2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\DRIVERS\ipsecw2k.sys [2003-07-18 115680]
R2 MGE Service module;MGE Service module;c:\program files\MGE\PersonalSolutionPac\RunSC.exe [2007-01-22 126976]
R3 cm8330;C-Media CM8330 Audio Driver (WDM);c:\winnt\system32\drivers\cm8330.sys [2000-02-25 23413]
R3 cmusbnet;WAN Driver @ 3GPP (6280);c:\winnt\system32\DRIVERS\cmusbnet.sys [2007-06-21 87424]
R3 cmusbser;Cmotech USB Device for Legacy Serial Communication;c:\winnt\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
R3 ELNK3;3Com EtherLink III;c:\winnt\system32\DRIVERS\elnk3.sys [1999-09-24 37136]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\winnt\system32\drivers\ES1370MP.sys [1999-11-12 41328]
R3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2007-11-06 34064]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
R3 PORTMON;PORTMON; [x]
R3 sb16;C-Media SB16 Driver (WDM);c:\winnt\system32\drivers\cm8330sb.sys [2000-02-25 21431]
R3 SiSV;SiSV;c:\winnt\system32\DRIVERS\SiSV.sys [1999-09-27 49904]
R3 viafilter;VIA USB Filter;c:\winnt\System32\Drivers\viausb.sys [2002-02-07 9038]
S0 NaiFsRec;NaiFsRec;c:\winnt\System32\drivers\NaiFsRec.sys [2001-04-29 4512]
S0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 ANVOSDNT;ASUS Keyboard Filter Driver;c:\winnt\system32\DRIVERS\anvosdnt.sys [2002-07-30 323635]
S1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys [2006-02-28 12032]
S1 cdudf;cdudf; [x]
S2 0VsNdis08;VitalAgent Network Driver 8.0;c:\program files\INS\VitalAgent\Program\VsNdis08.sys [1999-11-12 32583]
S2 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-29 155665]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2001-12-19 651264]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-29 24480]
S3 OVT511;EliteCam2000;c:\winnt\system32\Drivers\omcamvid.sys [2000-03-06 126882]
S4 black;BlackICE driver, version 1.0, by Internet Security Systems, Inc.;c:\winnt\System32\drivers\BlackDrv.sys [2002-02-05 131556]
.
Contents of the 'Scheduled Tasks' folder
2009-04-24 c:\winnt\Tasks\SyncBack MiloBkup_C_Cavedog.job
- c:\program files\SyncBack\SyncBack.exe [2009-03-07 01:00]
2009-04-24 c:\winnt\Tasks\SyncBack MiloBkup_C_MailFaves.job
- c:\program files\SyncBack\SyncBack.exe [2009-03-07 01:00]
2009-04-24 c:\winnt\Tasks\SyncBack MiloBkup_D.job
- c:\program files\SyncBack\SyncBack.exe [2009-03-07 01:00]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Steam - (no file)
HKLM-Run-oleaut32.dll - c:\program files\Spyware Doctor\pctsTray.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ivanovich.net/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save F&lash with FlashCapture - c:\program files\FlashCapture\fciext.dll/FCIEXT.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{D4D7BC9D-5707-4494-B2F6-B362DB158664} - c:\program files\Telstra Usage Meter\UsgeMetr.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: com.au\www.tab
TCP: {A4CE148E-7484-40A5-85D6-12BADF234B2C} = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} - hxxp://login.billtobill.com/login/download/b2bsig1003.cab
DPF: {769F454F-A488-11D4-AA30-005004C3096A} - hxxp://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 11:23
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\winnt\system32\Perflib_Perfdata_744.dat 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSNDIS08]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_0463&Pid_ffff\5&6b5df5d&0&0000\LogConf]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_0463&Pid_ffff\6&dbbab54&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(212)
c:\winnt\system32\vg1000.dll
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(864)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\winnt\system32\SHDOCVW.DLL
c:\winnt\system32\keyhook1000.dll
c:\winnt\system32\vg1000.dll
.
Completion time: 2009-04-25 11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 01:29
Pre-Run: 4,675,960,832 bytes free
Post-Run: 5,534,248,960 bytes free
245 --- E O F --- 2008-12-19 00:08
=================
Latest HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:02, on 25/04/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
C:\Program Files\MGE\PersonalSolutionPac\PCtl.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\MGE\PersonalSolutionPac\BIL.EXE
C:\Program Files\MGE\PersonalSolutionPac\CILUSB.EXE
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\VoSKY USB Phone\USBDetect.exe
C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ivanovich.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [USBDetect] C:\Program Files\VoSKY USB Phone\USBDetect.exe
O4 - HKLM\..\Run: [Telstra_TM] C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [pspNetSystray] C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetPerSec.lnk = C:\Program Files\NetPerSec\NetPerSec.exe
O4 - Global Startup: Vermillion FTP Daemon.lnk = C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
O4 - Global Startup: VitalAgent IT.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229552143288
O16 - DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} (BillToBill.Signature) - http://login.billtobill.com/login/download/b2bsig1003.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229552128637
O16 - DPF: {769F454F-A488-11D4-AA30-005004C3096A} (DME Web Support) - http://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://rna.nsa.nexus.telstra.com.au/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\TalentVX\Skype4COM.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MGE Service module - Unknown owner - C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINNT\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups2.exe (file missing)
--
End of file - 12999 bytes
Hi
You can have both MBAM and Spybot installed there :) Unfortunately, there isn't a program that would detect all possible threats.
Do you recognize these two files:
C:\player01.swf
C:\player.swf
Is your antivirus program up-to-date?
Start hjt, do a system scan, check (if found):
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
Close browsers and fix checked.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader!
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\documents and settings\Administrator\Application Data\uTorrent
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
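As an added example that is not part of the thread and not the output of any tool mentioned in it: a small Python script that diffs a "before" and "after" HijackThis log, the way a helper checks that a "fix checked" round really removed the entries, and audits every O17 NameServer value for a resolver outside LAN address space, the DNS-changer symptom this thread started with. The log excerpts are constructed in HJT v2.0.2 format; the off-LAN resolver addresses are placeholders from a documentation range, not values from the thread.

```python
"""Diff two HijackThis logs and audit their O17 NameServer entries."""
import ipaddress
import re

# Constructed excerpts in HJT v2.0.2 format. The O9/O10/O15 lines mirror the
# kind of entries seen in the thread; the "before" nameservers are made-up
# addresses from a documentation range, standing in for a hijacked setting.
BEFORE_LOG = """\
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINNT\\web\\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINNT\\web\\related.htm
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 198.51.100.7,198.51.100.8
"""
AFTER_LOG = """\
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*\S)\s*$")
NAMESERVER_RE = re.compile(r"^O17 - .*?:\s*NameServer\s*=\s*(.+)$")

# Address space where a home/office resolver is expected to live. The stdlib's
# is_private also treats documentation ranges as private, so an explicit list
# of RFC 1918, loopback and link-local networks is used instead.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def parse_hjt(text):
    """Return the HJT entries as (code, body) tuples in log order.
    Process lists, headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_hjt(before, after):
    """Entries only in `before` (removed by the fix) and only in `after`
    (new since the last log), each in original order."""
    b, a = parse_hjt(before), parse_hjt(after)
    a_set, b_set = set(a), set(b)
    removed = [e for e in b if e not in a_set]
    added = [e for e in a if e not in b_set]
    return removed, added


def is_lan_address(ip):
    """True if the resolver is in RFC 1918, loopback or link-local space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the registry value is not a LAN resolver
    return any(addr in net for net in LAN_NETS)


def nameserver_findings(text):
    """(address, on_lan) for every resolver in every O17 line; a hardcoded
    off-LAN resolver is the classic DNS-changer symptom."""
    findings = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        for ip in re.split(r"[,\s]+", m.group(1).strip()):
            if ip:
                findings.append((ip, is_lan_address(ip)))
    return findings


def report(before, after):
    """Human-readable summary a helper could paste back into the thread."""
    removed, added = diff_hjt(before, after)
    lines = [f"Removed since last log: {len(removed)}"]
    lines += [f"  - {code} - {body}" for code, body in removed]
    lines.append(f"New since last log: {len(added)}")
    lines += [f"  + {code} - {body}" for code, body in added]
    for ip, on_lan in nameserver_findings(after):
        verdict = "LAN resolver, expected" if on_lan else "OFF-LAN resolver, investigate"
        lines.append(f"O17 NameServer {ip}: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```

Feed it the full logs posted above and the removed list should show exactly the two O9 "Related" entries once the HJT fix has been applied.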
Hi Blade,
I've done everything but the final step (Kaspersky full scan), and will address each of your points in this mail. The Kaspersky scan is taking forever to download + run, so as soon as it's complete I will post a follow-up mail.
1) I didn't recognise the two *.swf files and deleted them.
2) My virus program (McAfee) is always kept up to date (auto function, but I make sure to check DAT definition files manually, just to be safe).
3) I did the HJT fix as instructed - please find final HJT log below (which I took after completing all steps except the Kaspersky scan).
4) Adobe Reader v7 removed, and replaced with v9.
5) ComboFix instructions followed - please find resultant log at the bottom, below the HJT log.
6) ATF Cleaner downloaded and run: please note, the "Prefetch" box was greyed out and unable to be checked. All other boxes were available for checking, and I did as you instructed.
7) The final step, the Kaspersky Online Scan, is currently running (taking a long time), and when complete, I will post its report.
Thanks for your continuing efforts.
Cheers,
Milo
HJT Log
=======
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:35, on 26/04/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
C:\Program Files\MGE\PersonalSolutionPac\PCtl.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\MGE\PersonalSolutionPac\BIL.EXE
C:\Program Files\MGE\PersonalSolutionPac\CILUSB.EXE
C:\WINNT\system32\PnkBstrA.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\VoSKY USB Phone\USBDetect.exe
C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\NetPerSec\NetPerSec.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ivanovich.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [USBDetect] C:\Program Files\VoSKY USB Phone\USBDetect.exe
O4 - HKLM\..\Run: [Telstra_TM] C:\Program Files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [pspNetSystray] C:\Program Files\MGE\PersonalSolutionPac\mgenetsystray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetPerSec.lnk = C:\Program Files\NetPerSec\NetPerSec.exe
O4 - Global Startup: Vermillion FTP Daemon.lnk = C:\Program Files\Arcane Software\Vermillion FTP Daemon\vftpd.exe
O4 - Global Startup: VitalAgent IT.lnk = C:\Program Files\INS\VitalAgent\Program\VtlAgent.exe
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O15 - Trusted Zone: http://www.tab.com.au
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229552143288
O16 - DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} (BillToBill.Signature) - http://login.billtobill.com/login/download/b2bsig1003.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229552128637
O16 - DPF: {769F454F-A488-11D4-AA30-005004C3096A} (DME Web Support) - http://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://rna.nsa.nexus.telstra.com.au/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\TalentVX\Skype4COM.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MGE Service module - Unknown owner - C:\Program Files\MGE\PersonalSolutionPac\RunSC.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINNT\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINNT\System32\ups2.exe (file missing)
--
End of file - 12791 bytes
ComboFix Log
===========
ComboFix 09-04-25.03 - Administrator 26/04/2009 12:23.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.767.444 [GMT 10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\uTorrent
c:\documents and settings\Administrator\Application Data\uTorrent\Big.Love.S03E04.HDTV.XviD-0TV.avi.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\dht.dat
c:\documents and settings\Administrator\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\Mile High Complete Series.torrent
c:\documents and settings\Administrator\Application Data\uTorrent\resume.dat
c:\documents and settings\Administrator\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\rss.dat
c:\documents and settings\Administrator\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Administrator\Application Data\uTorrent\settings.dat
c:\documents and settings\Administrator\Application Data\uTorrent\settings.dat.old
D:\Autorun.inf
G:\Autorun.inf
H:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.
2009-04-26 02:29 . 2009-04-26 02:29 16384 ----atw c:\winnt\system32\Perflib_Perfdata_2c4.dat
2009-04-25 01:41 . 2009-04-25 01:41 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 17:29 . 2008-06-19 06:24 28544 ----a-w c:\winnt\system32\drivers\pavboot.sys
2009-04-24 17:28 . 2009-04-24 17:28 -------- d-----w c:\program files\Panda Security
2009-04-24 14:52 . 2009-04-24 17:20 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-24 14:44 . 2009-04-24 14:44 -------- d-----w c:\program files\iss
2009-04-23 08:16 . 2009-04-06 05:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-23 08:16 . 2009-04-06 05:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-23 08:16 . 2009-04-23 08:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 08:16 . 2009-04-23 08:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 06:54 . 2009-04-25 02:10 1111136 ---h--w c:\winnt\ShellIconCache
2009-04-23 06:27 . 2009-04-24 08:16 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-23 06:26 . 2002-05-15 05:16 360448 -c--a-w c:\winnt\system32\dllcache\oleacc.dll
2009-04-23 06:26 . 2002-05-15 05:16 360448 ----a-w c:\winnt\system32\oleacc.dll
2009-04-23 06:26 . 2002-05-15 05:16 356352 -c--a-w c:\winnt\system32\dllcache\oleaccrc.dll
2009-04-23 06:26 . 2002-05-15 05:16 356352 ----a-w c:\winnt\system32\oleaccrc.dll
2009-04-23 06:26 . 2002-05-15 05:16 462848 ----a-w c:\winnt\system32\msaatext.dll
2009-04-23 05:21 . 2009-04-23 05:21 -------- d-----w c:\program files\Trend Micro
2009-04-23 05:17 . 2009-04-23 05:17 -------- d-----w c:\program files\ERUNT
2009-04-11 13:05 . 2009-04-11 13:05 -------- d-----w c:\program files\FlashCapture
2009-04-11 12:41 . 2009-03-12 03:48 41390 ----a-w C:\player01.swf
2009-04-11 12:41 . 2009-03-12 03:48 41390 ----a-w C:\player.swf
2009-04-11 11:38 . 2009-04-11 12:42 -------- d-----w c:\program files\Flash Saving Plugin
2009-03-29 10:41 . 2007-10-12 01:57 195096 ----a-r c:\winnt\system32\lvci1150.dll
2009-03-29 10:41 . 2007-10-12 01:18 21138 ----a-r c:\winnt\system32\Repository.reg
2009-03-29 10:41 . 2007-10-12 01:11 59500 ----a-r c:\winnt\system32\lvcoinst.ini
2009-03-29 10:41 . 2007-10-12 02:00 41752 ----a-r c:\winnt\system32\drivers\LVUSBSta.sys
2009-03-29 10:41 . 2007-10-12 02:00 465432 ----a-r c:\winnt\system32\LVUI2RC.dll
2009-03-29 10:41 . 2007-10-12 02:00 490008 ----a-r c:\winnt\system32\LVUI2.dll
2009-03-29 10:41 . 2007-10-12 01:57 416280 ----a-r c:\winnt\system32\lvcodec2.dll
2009-03-29 10:40 . 2007-10-12 02:00 3647384 ----a-r c:\winnt\system32\drivers\lvuvc.sys
2009-03-29 10:40 . 2009-03-29 10:40 -------- d-----w c:\program files\Common Files\logishrd
2009-03-29 10:40 . 2003-06-19 18:05 51472 -c--a-w c:\winnt\system32\dllcache\vfwwdm32.dll
2009-03-29 10:40 . 2003-06-19 18:05 51472 ----a-w c:\winnt\system32\vfwwdm32.dll
2009-03-29 10:40 . 1999-11-30 12:39 12560 -c--a-w c:\winnt\system32\dllcache\tsbyuv.dll
2009-03-29 10:40 . 1999-11-30 12:39 12560 ----a-w c:\winnt\system32\tsbyuv.dll
2009-03-29 10:40 . 1999-12-02 04:30 258320 ----a-w c:\winnt\system32\msh263.drv
2009-03-29 10:40 . 1999-11-30 12:39 45840 -c--a-w c:\winnt\system32\dllcache\iyuv_32.dll
2009-03-29 10:40 . 1999-11-30 12:39 45840 ----a-w c:\winnt\system32\iyuv_32.dll
2009-03-29 10:40 . 1999-12-02 04:30 19728 -c--a-w c:\winnt\system32\dllcache\dshowext.ax
2009-03-29 10:40 . 1999-12-02 04:30 19728 ----a-w c:\winnt\system32\dshowext.ax
2009-03-29 10:38 . 2007-10-12 02:01 23832 ----a-r c:\winnt\system32\drivers\lvuvcflt.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 16:53 . 2009-03-07 07:55 -------- d---a-w c:\program files\SyncBack
2009-04-24 14:07 . 2001-09-22 11:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 14:02 . 2001-09-21 22:42 -------- d-----w c:\program files\ICQ
2009-04-23 07:56 . 2003-11-04 10:53 -------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-21 09:04 . 2004-09-25 15:34 -------- d-----w c:\program files\Folder Lock
2009-04-18 03:42 . 2005-11-14 08:35 -------- d-----w c:\program files\Steam
2009-04-17 15:10 . 2007-08-21 12:03 -------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2009-04-14 11:10 . 2006-09-01 00:09 -------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-04-08 23:21 . 2008-12-03 09:47 410984 ----a-w c:\winnt\system32\deploytk.dll
2009-03-28 00:40 . 2006-06-22 11:30 -------- d-----w c:\documents and settings\Administrator\Application Data\Canon
2009-03-26 06:43 . 2009-03-26 06:43 -------- d-----w c:\program files\AC3Filter
2009-03-21 14:33 . 2009-03-21 14:33 -------- d-----w c:\program files\MGE
2009-03-13 14:21 . 2009-03-13 14:21 3796 ----a-w c:\winnt\system32\d3d9caps.dat
2009-03-13 14:21 . 2009-03-13 14:21 -------- d-----w c:\documents and settings\Administrator\Application Data\atitray
2009-03-13 14:09 . 2009-03-13 14:08 -------- d-----w c:\program files\Radeon Omega Drivers
2009-03-13 14:08 . 2009-03-13 14:08 451072 ----a-w c:\winnt\Radeon Omega Drivers v3.8.252 Uninstall.exe
2009-03-13 14:06 . 2009-02-10 07:45 -------- d-----w c:\program files\ATI Technologies
2009-03-10 06:49 . 2009-03-10 06:49 -------- d-----w c:\program files\Adolix Split and Merge PDF
2009-02-26 01:02 . 2009-02-26 01:02 -------- d-----w c:\program files\Powerware
2009-02-10 09:02 . 2007-10-07 05:31 201440 ----a-w c:\winnt\system32\PnkBstrB.exe
2009-02-07 07:41 . 2008-01-26 07:38 3782 ----a-w C:\devicetable.log
2008-09-21 04:49 . 2005-09-05 12:46 49640 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2001-09-21 20:58 . 2001-09-21 20:58 271 ---h--w c:\program files\desktop.ini
2001-09-21 20:58 . 2001-09-21 20:58 21952 ---h--w c:\program files\folder.htt
1999-04-23 22:22 . 1999-04-23 22:22 12 --sh--w c:\winnt\system\WININETICMP32.drv
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MICROS~4\wcescomm.exe" [2005-11-15 1200128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-21 202024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\winnt\System32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2005-12-09 7311360]
"CreateCD50"="c:\program files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [2002-07-31 131157]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-07-31 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-05-20 77824]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2005-12-09 86016]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"USBDetect"="c:\program files\VoSKY USB Phone\USBDetect.exe" [2005-09-12 200704]
"Telstra_TM"="c:\program files\Telstra\Telstra Turbo Modem\Bin\Demon6280.exe" [2007-06-11 245760]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-10 1828136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-08 148888]
"pspNetSystray"="c:\program files\MGE\PersonalSolutionPac\mgenetsystray.exe" [2007-01-22 1208320]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"LoadQM"="loadqm.exe" - c:\winnt\loadqm.exe [2000-05-03 7536]
"anvshell"="anvshell.exe" - c:\winnt\anvshell.exe [2000-08-02 319488]
"SoundMan"="SOUNDMAN.EXE" - c:\winnt\SOUNDMAN.EXE [2002-03-21 46592]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2005-12-09 1519616]
"Tweak UI"="TWEAKUI.CPL" - c:\winnt\system32\TWEAKUI.CPL [2000-06-18 106544]
"AtiPTA"="atiptaxx.exe" - c:\winnt\system32\atiptaxx.exe [2006-02-22 344064]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2006-2-11 256000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlackICE Utility.lnk - c:\program files\Network ICE\BlackICE\blackice.exe [2002-2-15 696320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]
NetPerSec.lnk - c:\program files\NetPerSec\NetPerSec.exe [2004-10-27 192512]
Vermillion FTP Daemon.lnk - c:\program files\Arcane Software\Vermillion FTP Daemon\vftpd.exe [2001-9-22 569344]
VitalAgent IT.lnk - c:\program files\INS\VitalAgent\Program\VtlAgent.exe [2001-9-22 1044992]
VPN Client.lnk - c:\winnt\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-1-5 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
2005-11-15 08:44 7168 ----a-w c:\winnt\system32\WcesWlgn.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= mmdrv.dll
"wave4"= vg1000.dll
"mixer3"= vg1000.dll
"midi9"=
"aux7"=
"aux8"=
"aux9"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zpasspc.dll, zwebauth.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe"
R1 ANVIOCTL;ANVIOCTL;c:\winnt\system32\DRIVERS\anvioctl.sys [2000-12-12 212540]
R2 0VsComm12;VitalAgent Serial Port Driver 12.2;c:\program files\INS\VitalAgent\Program\VsComm12.sys [1999-11-12 15235]
R2 BsUDF;InCD UDF Driver; [x]
R2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\DRIVERS\ipsecw2k.sys [2003-07-18 115680]
R2 MGE Service module;MGE Service module;c:\program files\MGE\PersonalSolutionPac\RunSC.exe [2007-01-22 126976]
R3 cm8330;C-Media CM8330 Audio Driver (WDM);c:\winnt\system32\drivers\cm8330.sys [2000-02-25 23413]
R3 cmusbnet;WAN Driver @ 3GPP (6280);c:\winnt\system32\DRIVERS\cmusbnet.sys [2007-06-21 87424]
R3 cmusbser;Cmotech USB Device for Legacy Serial Communication;c:\winnt\system32\DRIVERS\cmusbser.sys [2006-12-13 87040]
R3 ELNK3;3Com EtherLink III;c:\winnt\system32\DRIVERS\elnk3.sys [1999-09-24 37136]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);c:\winnt\system32\drivers\ES1370MP.sys [1999-11-12 41328]
R3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2007-11-06 34064]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
R3 PORTMON;PORTMON; [x]
R3 sb16;C-Media SB16 Driver (WDM);c:\winnt\system32\drivers\cm8330sb.sys [2000-02-25 21431]
R3 SiSV;SiSV;c:\winnt\system32\DRIVERS\SiSV.sys [1999-09-27 49904]
R3 viafilter;VIA USB Filter;c:\winnt\System32\Drivers\viausb.sys [2002-02-07 9038]
S0 NaiFsRec;NaiFsRec;c:\winnt\System32\drivers\NaiFsRec.sys [2001-04-29 4512]
S0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 ANVOSDNT;ASUS Keyboard Filter Driver;c:\winnt\system32\DRIVERS\anvosdnt.sys [2002-07-30 323635]
S1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys [2006-02-28 12032]
S1 cdudf;cdudf; [x]
S2 0VsNdis08;VitalAgent Network Driver 8.0;c:\program files\INS\VitalAgent\Program\VsNdis08.sys [1999-11-12 32583]
S2 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\Avsynmgr.exe [2001-04-29 155665]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2001-12-19 651264]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\NaiFiltr.sys [2001-04-29 24480]
S3 OVT511;EliteCam2000;c:\winnt\system32\Drivers\omcamvid.sys [2000-03-06 126882]
S4 black;BlackICE driver, version 1.0, by Internet Security Systems, Inc.;c:\winnt\System32\drivers\BlackDrv.sys [2002-02-05 131556]
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\winnt\Tasks\SyncBack MiloBkup_C_Cavedog.job
- c:\program files\SyncBack\SyncBack.exe [2009-03-07 01:00]
2009-04-25 c:\winnt\Tasks\SyncBack MiloBkup_C_MailFaves.job
- c:\program files\SyncBack\SyncBack.exe [2009-03-07 01:00]
2009-04-25 c:\winnt\Tasks\SyncBack MiloBkup_D.job
- c:\program files\SyncBack\SyncBack.exe [2009-03-07 01:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ivanovich.net/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save F&lash with FlashCapture - c:\program files\FlashCapture\fciext.dll/FCIEXT.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{D4D7BC9D-5707-4494-B2F6-B362DB158664} - c:\program files\Telstra Usage Meter\UsgeMetr.htm
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: com.au\www.tab
TCP: {A4CE148E-7484-40A5-85D6-12BADF234B2C} = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {6DA0CFB8-46F2-11D6-B90C-00C04F689AB6} - hxxp://login.billtobill.com/login/download/b2bsig1003.cab
DPF: {769F454F-A488-11D4-AA30-005004C3096A} - hxxp://wsmsg0604/dmeweb/ckowebcab/ckoweb.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 12:32
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\winnt\system32\Perflib_Perfdata_7c0.dat 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSNDIS08]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_0463&Pid_ffff\5&6b5df5d&0&0000\LogConf]
@DACL=(02 0000)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_0463&Pid_ffff\6&dbbab54&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(216)
c:\winnt\system32\vg1000.dll
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(1344)
c:\winnt\AppPatch\AcLayers.DLL
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\winnt\system32\SHDOCVW.DLL
c:\winnt\system32\keyhook1000.dll
c:\winnt\system32\vg1000.dll
.
Completion time: 2009-04-26 12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 02:38
Pre-Run: 5,618,855,936 bytes free
Post-Run: 5,616,066,560 bytes free
263 --- E O F --- 2008-12-19 00:08
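The O17 line in the HijackThis log above is the one that records the per-adapter NameServer value, which is exactly the setting this thread started with. A quick way to review such entries without reading the whole log by eye is to parse the O17 lines and flag any resolver that is not a private (RFC 1918) address or one of the ISP's known resolvers. The script below is an added example for this thread, not part of HijackThis, ComboFix or anything the posters ran; the sample log text is constructed, the second GUID is a placeholder, and the 203.0.113.x addresses are from the TEST-NET-3 documentation range, not real indicators.

```python
"""Flag O17 NameServer entries in a HijackThis log that point outside an
expected set of DNS resolvers.  Added example; not part of any tool in the thread."""
import ipaddress
import re

# Constructed sample log (not a real scan).  The first O17 line mirrors the clean
# entry in the log above (router at 192.168.0.1).  The second is a made-up
# hijacked entry: placeholder GUID, resolvers from the TEST-NET-3 documentation range.
SAMPLE_HJT_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4CE148E-7484-40A5-85D6-12BADF234B2C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.64,203.0.113.225
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\TalentVX\Skype4COM.dll
"""

# HJT writes O17 lines as "O17 - <registry key>: NameServer = a.b.c.d[,e.f.g.h]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")

# Private ranges are what a home router or ISP-pushed gateway normally hands out.
DEFAULT_ALLOWED = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), servers))
    return entries


def unexpected_nameservers(log_text, isp_resolvers=()):
    """Return [(registry_key, server, reason), ...] for resolvers outside the
    private ranges plus any ISP resolvers the caller supplies (addresses or CIDRs)."""
    allowed = DEFAULT_ALLOWED + [
        ipaddress.ip_network(r, strict=False) for r in isp_resolvers
    ]
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                # Anything that is not an IP literal deserves a look too.
                findings.append((key, server, "unparseable NameServer value"))
                continue
            if not any(addr in net for net in allowed):
                findings.append((key, server, "not in expected resolver set"))
    return findings


if __name__ == "__main__":
    for key, server, reason in unexpected_nameservers(SAMPLE_HJT_LOG):
        print(f"REVIEW {server:<16} {reason}  [{key}]")
```

Pass the ISP's published resolvers in `isp_resolvers` so that legitimate public DNS entries are not reported; with nothing supplied, every public address is flagged, which is the safer default when reviewing a log from a machine whose DNS settings are already suspect.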
Hi Milo
How's the Kaspersky scan progressing? If it still stalls, make sure antivirus protection is disabled during the scan.
Hi Blade,
Kaspersky has finally completed. It was going through all my archival stuff on drives D: and H: as well, so you can see from the log below that this is where it found all of the threats.
Interestingly, these files have been around for years on here, and the latest version of McAfee (including the current one) has never picked them up. Same goes for Panda's Activescan.
(Q1) Why do you think that is?
In any case, these files are archival and never used, so unless a clean of them is very simple and not time-consuming, I'm not going to bother.
One question which does interest me though, is the Qoobox, which seems to me to be ComboFix's quarantine area.
(Q2) Should I delete its contents now?
I'd appreciate your help in answering Q1 and Q2 above, and after that please feel free to close this thread. Again, thank you very very much for all your help.
Cheers,
Milo
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 27, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 26, 2009 05:07:17
Records in database: 2079751
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics:
Files scanned: 257578
Threat name: 11
Infected objects: 60
Suspicious objects: 6
Duration of the scan: 07:10:02
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINNT\system32\gxvxculiyhkwfrccflvjbextrmudklmoypnrq.dll.vir Infected: Trojan-Downloader.Win32.Agent.brpo 1
D:\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
D:\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl 1
D:\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m 2
D:\DriversNExecutables\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
D:\Environment\Exchange_Sep01.zip Infected: Email-Worm.VBS.KakWorm 8
D:\Environment\Outlook_Apr04_archive.rar Infected: Email-Worm.VBS.KakWorm 4
D:\Environment\Outlook_Apr04_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\Environment\Outlook_Jul02_archive.rar Infected: Email-Worm.VBS.KakWorm 6
D:\Environment\Outlook_Jul02_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\Environment\Outlook_Jun04_archive.rar Infected: Email-Worm.VBS.KakWorm 3
D:\Environment\Outlook_Jun04_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\GRAPHICS\FunnyProgs\IRCBosnia2.0.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 1
H:\SyncBack backup\D\DriversNExecutables\Drivers\Codecs\DivXPro511Adware.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 1
H:\SyncBack backup\D\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
H:\SyncBack backup\D\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af 1
H:\SyncBack backup\D\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl 1
H:\SyncBack backup\D\DriversNExecutables\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m 2
H:\SyncBack backup\D\DriversNExecutables\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
H:\SyncBack backup\D\Environment\Exchange_Sep01.zip Infected: Email-Worm.VBS.KakWorm 8
H:\SyncBack backup\D\Environment\Outlook_Apr04_archive.rar Infected: Email-Worm.VBS.KakWorm 3
H:\SyncBack backup\D\Environment\Outlook_Apr04_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\SyncBack backup\D\Environment\Outlook_Jul02_archive.rar Infected: Email-Worm.VBS.KakWorm 6
H:\SyncBack backup\D\Environment\Outlook_Jul02_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\SyncBack backup\D\Environment\Outlook_Jun04_archive.rar Infected: Email-Worm.VBS.KakWorm 3
H:\SyncBack backup\D\Environment\Outlook_Jun04_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\SyncBack backup\D\GRAPHICS\FunnyProgs\IRCBosnia2.0.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 1
H:\SyncBack backup\D\GRAPHICS\FunnyProgs\striptea.exe Infected: Hoax.Win32.BadJoke.Stript 1
The selected area was scanned.
Interestingly, these files have been around for years on here, and the latest version of McAfee (including the current one) has never picked them up. Same goes for Panda's Activescan.
(Q1) Why do you think that is?
Hi
I don't think McAfee or Panda Activescan checks email messages. Those email RAR archives you can leave there if you don't plan to open them.
Delete these files:
D:\DriversNExecutables\GDiVX1.9.9.2.exe
H:\SyncBack backup\D\DriversNExecutables\Drivers\Codecs\DivXPro511Adware.exe
H:\SyncBack backup\D\DriversNExecutables\GDiVX1.9.9.2.exe
H:\SyncBack backup\D\GRAPHICS\FunnyProgs\striptea.exe
These can be ignored:
D:\DriversNExecutables\vnc-3.3.7-x86_win32.exe
D:\GRAPHICS\FunnyProgs\IRCBosnia2.0.exe
H:\SyncBack backup\D\DriversNExecutables\vnc-3.3.7-x86_win32.exe
H:\SyncBack backup\D\GRAPHICS\FunnyProgs\IRCBosnia2.0.exe
One question which does interest me though, is the Qoobox, which seems to me to be ComboFix's quarantine area.
(Q2) Should I delete its contents now?
You can uninstall ComboFix by running following steps:
Click START then RUN
Now type Combofix /u in the Run box and click OK
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
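As an added example (not from this thread or from any of the tools mentioned in it), a small Python triage of Kaspersky Online Scanner report lines like the ones above: it parses the `path Infected|Suspicious: threat count` format and sorts each hit into the buckets the helper's reply arrives at (delete adware and hoax executables, ignore riskware tools such as VNC and mIRC, leave old mail archives unopened, treat Qoobox hits as already quarantined). The bucket rules and the sample lines are my reading of the thread, not Kaspersky's own classification.

```python
import re
from collections import defaultdict

# One detection per line: "<path> Infected|Suspicious: <threat> <count>"; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\WINNT\\system32\\gxvxculiyhkwfrccflvjbextrmudklmoypnrq.dll.vir Infected: Trojan-Downloader.Win32.Agent.brpo 1
D:\\DriversNExecutables\\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\\DriversNExecutables\\vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
D:\\Environment\\Outlook_Apr04_archive.rar Infected: Email-Worm.VBS.KakWorm 4
D:\\Environment\\Outlook_Apr04_archive.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\\SyncBack backup\\D\\GRAPHICS\\FunnyProgs\\striptea.exe Infected: Hoax.Win32.BadJoke.Stript 1
"""

ARCHIVE_EXT = (".zip", ".rar")
# Riskware families the helper told Milo to ignore (legitimate tools, not malware).
BENIGN_RISKWARE = ("RemoteAdmin", "Client-IRC")

def classify(path: str, threat: str) -> str:
    """Map one detection to a triage bucket. The rules are my reading of the
    helper's advice in this thread, not Kaspersky's own severity scheme."""
    if path.lower().startswith("c:\\qoobox\\"):
        return "quarantine"  # already neutralised by ComboFix; removed with "Combofix /u"
    if threat.startswith("not-a-virus:"):
        family = threat.split(":", 1)[1].split(".", 1)[0]
        return "ignore" if family in BENIGN_RISKWARE else "delete"  # AdWare bundlers go
    if threat.startswith("Hoax."):
        return "delete"  # joke programs: no value, just remove them
    if path.lower().endswith(ARCHIVE_EXT):
        return "leave-unopened"  # old mail archives are inert unless extracted or opened
    return "delete"

def triage(report_text: str) -> dict:
    """Parse report lines and group each path under its triage bucket."""
    buckets = defaultdict(set)
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and statistics lines do not match and are skipped
            buckets[classify(m["path"], m["threat"])].add(m["path"])
    return {bucket: sorted(paths) for bucket, paths in buckets.items()}

if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE_REPORT).items()):
        print(bucket, *paths, sep="\n    ")
```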