Can't Run Spybot S&D
yourallthesame
2009-11-12, 01:40
http://forums.spybot.info/showthread.php?p=346542#post346542 <-- link to old post where I was advised to start this new one.
I started noticing that I couldn't open Task Manager because it said that it was disabled by the administrator. I found out some stuff about it on Google, so I downloaded Spybot S&D and can't open it. Here's the HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:53 AM, on 11/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\winnrvlrq.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\ceionk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 6999 bytes
Hi,
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (it will be maximized) and info.txt (it will be minimized; if not, you'll find it in the c:\rsit folder).
yourallthesame
2009-11-17, 14:09
Hi Blade, thanks for helping me out here...
LOG.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by paul at 2009-11-17 20:05:01
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 18 GB (23%) free of 78 GB
Total RAM: 255 MB (17% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:19 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\winiufnap.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\thftbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\paul\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\paul.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 6774 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-07-31 909040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2009-07-31 159472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-07-31 909040]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 185584]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 491520]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-05-08 2854160]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 109424]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 1004920]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 215328]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 185584]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1768960]
"SpybotSD TeaTimer"=D:\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
C:\WINDOWS\FixCamera.exe [2007-07-11 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe [2007-05-10 344064]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1482752]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe [2007-05-12 344064]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless Utility.lnk - C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Documents and Settings\paul\Start Menu\Programs\Startup
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=0
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
"DisableCMD"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"NoFolderOptions"=
"NoRun"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\intel proset\PROSet.exe"="D:\intel proset\PROSet.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\Program Files\Analog Devices\Core\smax4pnp.exe"="C:\Program Files\Analog Devices\Core\smax4pnp.exe:*:Enabled:ipsec"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe"="C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe:*:Enabled:Adobe Bridge CS3"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\WinSCP\WinSCP.exe"="C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:WinSCP"
"C:\Program Files\Logitech\Logitech Vid\Vid.exe"="C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\fraikw.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\fraikw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\vynja.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\vynja.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\fgbp.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\fgbp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\icripm.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\icripm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winxjya.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winxjya.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\twwm.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\twwm.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\byele.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\byele.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winyndlvj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winyndlvj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winhhal.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winhhal.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winlguis.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winlguis.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winfaoiv.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winfaoiv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\iien.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\iien.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winxbrq.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winxbrq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winnarl.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winnarl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winvnli.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winvnli.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winwmyf.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winwmyf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\ltxx.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\ltxx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winxgfhy.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winxgfhy.exe:*:Enabled:ipsec"
"C:\Program Files\QuickTime\QTTask.exe"="C:\Program Files\QuickTime\QTTask.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winpptvob.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winpptvob.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winosod.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winosod.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winajgrjt.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winajgrjt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\wingnomy.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\wingnomy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winmjnf.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winmjnf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winpxnwmr.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winpxnwmr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winynsi.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winynsi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winrfgy.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winrfgy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\wincxrkw.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\wincxrkw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\qnlsf.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\qnlsf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winjklyg.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winjklyg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winomawn.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winomawn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winqvxxmv.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winqvxxmv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\sbebxy.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\sbebxy.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winmmowfx.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winmmowfx.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\windjfj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\windjfj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winqoqcdd.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winqoqcdd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winrxjoa.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winrxjoa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\ynkrik.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\ynkrik.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\gxldtw.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\gxldtw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winfyyyef.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winfyyyef.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winijpxko.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winijpxko.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winevxnhh.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winevxnhh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winwronlp.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winwronlp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winsvpxp.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winsvpxp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winxdpux.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winxdpux.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winpruid.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winpruid.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\gelfxh.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\gelfxh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\wintsogj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\wintsogj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\vcdyqq.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\vcdyqq.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\onujyo.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\onujyo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winagto.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winagto.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\windqks.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\windqks.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winohuyv.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winohuyv.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winqnmr.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winqnmr.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winblcqj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winblcqj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winutpo.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winutpo.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winvwwvhw.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winvwwvhw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winmaegl.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winmaegl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\wxaokh.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\wxaokh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\msgxa.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\msgxa.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winlfixjd.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winlfixjd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\smcbyh.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\smcbyh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\okpby.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\okpby.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winmlku.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winmlku.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winbeimj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winbeimj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\nmdve.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\nmdve.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winmgisjj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winmgisjj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winbsayot.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winbsayot.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\ctyld.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\ctyld.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\kroi.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\kroi.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winoquyjs.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winoquyjs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winnvvmvg.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winnvvmvg.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\ildl.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\ildl.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winniry.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winniry.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\yelswh.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\yelswh.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\neaalp.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\neaalp.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\chtcbb.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\chtcbb.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winvicbio.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winvicbio.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\xfpfj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\xfpfj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\cvyn.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\cvyn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winhbwstf.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winhbwstf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winnipj.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winnipj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\wintxbgn.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\wintxbgn.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winkejd.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winkejd.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\wintvqlf.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\wintvqlf.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winopfggs.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winopfggs.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\dqqtrt.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\dqqtrt.exe:*:Enabled:ipsec"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4e353e2-9ecd-11de-b3d8-001f1f05d87f}]
shell\AutoRun\command - G:\autorun.exe
shell\phone\command - G:\autorun.exe
INFO.txt:
info.txt logfile of random's system information tool 1.06 2009-11-17 20:05:23
======Uninstall list======
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only)-->C:\Program Files\AC3Filter\uninstall.exe
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Application Support-->MsiExec.exe /I{B607C354-CD79-4D22-86D1-92DC94153F42}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Edimax Wireless LAN-->C:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe -runfromtemp -l0x0009 -removeonly
ERUNT 1.1j-->"C:\Documents and Settings\paul\Desktop\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
Intel(R) PROSet-->MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
iTunes-->MsiExec.exe /I{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013F0}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
LimeWire 5.3.6-->"D:\Program Files\LimeWire\uninstall.exe"
Logitech Vid-->MsiExec.exe /I{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}
Logitech Webcam Software-->MsiExec.exe /I{AC96671C-2001-432C-9826-5266D84EF1DC}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
RegCure 1.5.0.1-->d:\Program Files\RegCure\uninst.exe
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
Spybot - Search & Destroy-->"D:\Spybot - Search & Destroy\unins000.exe"
UnHackMe 5.00 release-->"D:\UnHackMe\unhackme\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
USB2.0 PC Camera-->C:\Program Files\InstallShield Installation Information\{75438C0E-9925-412E-AD85-D0E71C6CE2ED}\setup.exe -runfromtemp -l0x0009 -removeonly -u
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 12.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}
Xvid 1.2.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Search Protection-->C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Software Update-->C:\PROGRA~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
======System event log======
Computer Name: PAUL-579C8BBC1B
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F1F05D87F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 2283
Source Name: Dhcp
Time Written: 20091005115719.000000+480
Event Type: warning
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F1F05D87F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 2280
Source Name: Dhcp
Time Written: 20091005115709.000000+480
Event Type: warning
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F1F05D87F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 2278
Source Name: Dhcp
Time Written: 20091005115659.000000+480
Event Type: warning
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F1F05D87F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 2276
Source Name: Dhcp
Time Written: 20091005115649.000000+480
Event Type: warning
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001F1F05D87F. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Record Number: 2274
Source Name: Dhcp
Time Written: 20091005115639.000000+480
Event Type: warning
User:
=====Application event log=====
Computer Name: PAUL-579C8BBC1B
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0
Record Number: 364
Source Name: MsiInstaller
Time Written: 20090922120100.000000+480
Event Type: warning
User: PAUL-579C8BBC1B\paul
Computer Name: PAUL-579C8BBC1B
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.1.3523, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 303
Source Name: Application Hang
Time Written: 20090911205158.000000+480
Event Type: error
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1002
Message: Hanging application iTunes.exe, version 9.0.0.70, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 297
Source Name: Application Hang
Time Written: 20090911185238.000000+480
Event Type: error
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1002
Message: Hanging application firefox.exe, version 1.9.1.3497, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 250
Source Name: Application Hang
Time Written: 20090906081102.000000+480
Event Type: error
User:
Computer Name: PAUL-579C8BBC1B
Event Code: 1002
Message: Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 237
Source Name: Application Hang
Time Written: 20090902170807.000000+480
Event Type: error
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\DivX Shared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0303
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF-----------------
Thanks a bunch!
Hello again :)
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer:
LimeWire
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
After that:
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link: http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New rsit log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
yourallthesame
2009-11-18, 13:11
Hey Blade,
Thanx for the continued support. I am in the process of downloading all the programs you have suggested. One problem though, I can't open Spybot S&D, so I can't disable the TeaTimer. What should I do? Should I just proceed with the other programs and get the logs?
Yes, skip over that step.
yourallthesame
2009-11-18, 15:28
I had to run combofix twice cuz I thought it hung while waiting for the log to be produced... apparently I didn't read the part clearly that stated that it could take a while producing the log. Anyhow, here it is. Thanx!
ComboFix 09-11-18.06 - paul 11/18/2009 20:37.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.109 [GMT 8:00]
Running from: c:\documents and settings\paul\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\2o1ajagt.exe
c:\docume~1\paul\LOCALS~1\Temp\cvasds0.dll
c:\docume~1\paul\LOCALS~1\Temp\cvasds1.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
-------\Legacy_ASC3360PR
((((((((((((((((((((((((( Files Created from 2009-10-18 to 2009-11-18 )))))))))))))))))))))))))))))))
.
2009-11-18 12:37 . 2008-04-14 12:00 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 12:37 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-17 20:52 . 2009-11-17 20:53 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2009-11-17 12:05 . 2009-11-17 12:05 -------- d-----w- C:\rsit
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AskToolbar
2009-11-14 20:16 . 2009-11-14 20:16 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-14 20:14 . 2009-11-14 20:14 -------- d-----w- c:\documents and settings\Guest\Application Data\OpenOffice.org
2009-11-11 23:31 . 2009-11-17 12:05 -------- d-----w- c:\program files\Trend Micro
2009-11-11 13:48 . 2009-11-11 13:48 -------- d-----w- C:\RootkitNO
2009-11-11 13:35 . 2009-11-11 13:35 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Help
2009-11-11 13:33 . 2009-11-11 13:33 2 --shatr- c:\windows\winstart.bat
2009-11-11 13:32 . 2008-12-22 07:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-11 12:11 . 2009-11-18 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 17:20 . 2009-11-10 17:20 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-11-10 13:31 . 2009-11-10 13:31 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Yahoo
2009-11-10 13:29 . 2009-11-10 13:29 16504 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 12:00 . 2009-08-01 16:16 6326232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\in00000\setup.exe
2009-11-10 12:00 . 2009-08-01 16:16 6330328 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\setup1.exe
2009-11-10 12:00 . 2009-08-01 16:12 798232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\install1.exe
2009-11-10 11:57 . 2009-11-10 12:00 7690776 ---h--w- c:\documents and settings\paul\Application Data\mjusbsp\ar00000\upgrade.exe
2009-11-10 09:25 . 2009-11-10 12:00 -------- d-----w- c:\documents and settings\paul\Application Data\mjusbsp
2009-11-09 23:39 . 2009-11-09 23:39 -------- d-----w- c:\program files\iPod
2009-11-09 23:39 . 2009-11-09 23:40 -------- d-----w- c:\program files\iTunes
2009-11-09 23:19 . 2009-11-09 23:19 152872 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-08 15:01 . 2009-11-08 15:01 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-07 02:54 . 2009-11-07 02:54 504038 ----a-w- C:\sqlite3.dll
2009-10-29 14:35 . 2009-10-29 14:35 5595136 ----a-w- C:\SharePod.exe
2009-10-29 09:55 . 2009-10-29 09:55 152576 ----a-w- c:\documents and settings\paul\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-23 15:05 . 2009-10-23 15:05 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 12:33 . 2009-11-17 12:33 2015 ---h--r- c:\windows\system32\drivers\hosts
2009-11-15 05:24 . 2009-11-10 13:28 -------- d--h--r- c:\documents and settings\Guest\Application Data\yahoo!
2009-11-11 13:54 . 2009-08-04 06:17 -------- d-----w- c:\program files\Ask.com
2009-11-09 23:39 . 2009-09-10 22:55 -------- d-----w- c:\program files\Common Files\Apple
2009-11-09 22:09 . 2009-08-26 23:21 1 ----a-w- c:\documents and settings\paul\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-07 21:03 . 2009-08-04 07:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-07 02:25 . 2009-08-06 12:08 -------- d-----w- c:\documents and settings\paul\Application Data\LimeWire
2009-11-06 10:43 . 2009-10-06 02:27 -------- d-----w- c:\program files\RedSnow
2009-10-30 08:43 . 2009-08-06 08:32 -------- d-----w- c:\documents and settings\paul\Application Data\Skype
2009-10-30 08:39 . 2009-08-06 08:35 -------- d-----w- c:\documents and settings\paul\Application Data\skypePM
2009-10-29 09:58 . 2009-08-05 06:59 -------- d-----w- c:\program files\Java
2009-10-24 05:15 . 2009-08-27 12:22 -------- d-----w- c:\program files\Xvid
2009-10-14 02:56 . 2009-10-14 02:56 -------- d-----w- c:\documents and settings\paul\Application Data\SharePod
2009-10-11 09:22 . 2009-10-06 01:38 -------- d-----w- c:\documents and settings\paul\Application Data\DivX
2009-10-06 01:26 . 2009-10-06 01:25 -------- d-----w- c:\program files\DivX
2009-10-06 01:25 . 2009-10-06 01:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-03 08:27 . 2009-10-03 08:27 -------- d-----w- c:\program files\RedSnow iTouch Jailbreak
2009-10-03 07:03 . 2009-10-03 07:03 -------- d-----w- c:\program files\hi join
2009-10-03 07:01 . 2009-08-04 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-03 03:54 . 2009-08-05 05:54 16504 ----a-w- c:\documents and settings\paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\MSBuild
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 23:38 . 2009-09-10 23:04 -------- d-----w- c:\documents and settings\paul\Application Data\Apple Computer
2009-09-26 02:04 . 2009-08-06 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-25 02:13 . 2009-09-22 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-09-22 04:02 . 2009-09-22 03:41 -------- d-----w- c:\program files\Common Files\logishrd
2009-09-22 04:01 . 2009-09-22 03:35 -------- d-----w- c:\program files\Logitech
2009-09-19 00:06 . 2009-09-19 00:06 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 11:42 . 2009-09-10 22:56 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 11:42 . 2009-09-10 22:56 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-18_12.24.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-18 12:48 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-11-18 12:23 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 09:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1768960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 491520]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2854160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 109424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1004920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 215328]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\paul\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-8-4 786432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\WINDOWS\\system32\\dmremote.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\cdloader2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Logitech\\Logitech WebCam Software\\LWS.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\RegCure\\RegCure.exe"= d:\\Program Files\\RegCure\\RegCure.exe
"c:\\WINDOWS\\PEV.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\winudgfjo.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\winpwmg.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:443
"5060:UDP"= 5060:UDP:5060
"5070:UDP"= 5070:UDP:5070
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\nqokln.sys --> c:\windows\system32\drivers\nqokln.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-11-18 c:\windows\Tasks\RegCure Program Check.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
2009-11-13 c:\windows\Tasks\RegCure.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\paul\Application Data\Mozilla\Firefox\Profiles\5uoghj58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-18 20:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spfe.sys hal.dll >>UNKNOWN [0x81F4F938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf92a4f28
\Driver\ACPI -> ACPI.sys @ 0xf90fecb8
\Driver\atapi -> atapi.sys @ 0xf90b9b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF90B9B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF90B9B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF90B9B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF90B9B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF90B9B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF90B9B40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\paul\LOCALS~1\Temp\winudgfjo.exe
c:\docume~1\paul\LOCALS~1\Temp\winpwmg.exe
c:\docume~1\paul\LOCALS~1\Temp\winnwsq.exe
.
**************************************************************************
.
Completion time: 2009-11-18 21:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-18 13:09
Pre-Run: 22,928,322,560 bytes free
Post-Run: 22,612,533,248 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 59D11E9CF9A7D5777D9250526F76F9A4
Hi,
Uninstall Daemon Tools, then download the SPTD setup file (http://www.duplexsecure.com/faq/download/SPTDinst-v162-x86.exe) and execute it.
In the dialog that appears, press the "Uninstall" button, and SPTD will remove itself from your Windows installation.
When done, run ComboFix again and post back its report and a fresh RSIT log.
yourallthesame
2009-11-19, 13:22
Hi Blade,
I couldn't reach the location of that link for the SPTD file...
Please try this (http://www.duplexsecure.com/download/SPTDinst-v162-x86.exe).
yourallthesame
2009-11-19, 15:46
Hi Blade,
Here's the ComboFix log:
ComboFix 09-11-18.07 - paul 11/19/2009 21:15.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.118 [GMT 8:00]
Running from: c:\documents and settings\paul\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-19 11:19 . 2009-11-19 11:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-18 12:37 . 2008-04-14 12:00 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 12:37 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-17 20:52 . 2009-11-17 20:53 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2009-11-17 12:05 . 2009-11-17 12:05 -------- d-----w- C:\rsit
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AskToolbar
2009-11-14 20:16 . 2009-11-14 20:16 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-14 20:14 . 2009-11-14 20:14 -------- d-----w- c:\documents and settings\Guest\Application Data\OpenOffice.org
2009-11-11 23:31 . 2009-11-17 12:05 -------- d-----w- c:\program files\Trend Micro
2009-11-11 13:48 . 2009-11-11 13:48 -------- d-----w- C:\RootkitNO
2009-11-11 13:35 . 2009-11-11 13:35 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Help
2009-11-11 13:33 . 2009-11-11 13:33 2 --shatr- c:\windows\winstart.bat
2009-11-11 13:32 . 2008-12-22 07:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-11 12:11 . 2009-11-18 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 17:20 . 2009-11-10 17:20 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-11-10 13:31 . 2009-11-10 13:31 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Yahoo
2009-11-10 13:29 . 2009-11-10 13:29 16504 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 12:00 . 2009-08-01 16:16 6326232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\in00000\setup.exe
2009-11-10 12:00 . 2009-08-01 16:16 6330328 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\setup1.exe
2009-11-10 12:00 . 2009-08-01 16:12 798232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\install1.exe
2009-11-10 11:57 . 2009-11-10 12:00 7690776 ---h--w- c:\documents and settings\paul\Application Data\mjusbsp\ar00000\upgrade.exe
2009-11-10 09:25 . 2009-11-10 12:00 -------- d-----w- c:\documents and settings\paul\Application Data\mjusbsp
2009-11-09 23:39 . 2009-11-09 23:39 -------- d-----w- c:\program files\iPod
2009-11-09 23:39 . 2009-11-09 23:40 -------- d-----w- c:\program files\iTunes
2009-11-09 23:19 . 2009-11-09 23:19 152872 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-08 15:01 . 2009-11-08 15:01 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-07 02:54 . 2009-11-07 02:54 504038 ----a-w- C:\sqlite3.dll
2009-10-29 14:35 . 2009-10-29 14:35 5595136 ----a-w- C:\SharePod.exe
2009-10-29 09:55 . 2009-10-29 09:55 152576 ----a-w- c:\documents and settings\paul\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-23 15:05 . 2009-10-23 15:05 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 12:41 . 2009-08-26 23:21 1 ----a-w- c:\documents and settings\paul\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-17 12:33 . 2009-11-17 12:33 2015 ---h--r- c:\windows\system32\drivers\hosts
2009-11-15 05:24 . 2009-11-10 13:28 -------- d--h--r- c:\documents and settings\Guest\Application Data\yahoo!
2009-11-11 13:54 . 2009-08-04 06:17 -------- d-----w- c:\program files\Ask.com
2009-11-09 23:39 . 2009-09-10 22:55 -------- d-----w- c:\program files\Common Files\Apple
2009-11-07 21:03 . 2009-08-04 07:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-07 02:25 . 2009-08-06 12:08 -------- d-----w- c:\documents and settings\paul\Application Data\LimeWire
2009-11-06 10:43 . 2009-10-06 02:27 -------- d-----w- c:\program files\RedSnow
2009-10-30 08:43 . 2009-08-06 08:32 -------- d-----w- c:\documents and settings\paul\Application Data\Skype
2009-10-30 08:39 . 2009-08-06 08:35 -------- d-----w- c:\documents and settings\paul\Application Data\skypePM
2009-10-29 09:58 . 2009-08-05 06:59 -------- d-----w- c:\program files\Java
2009-10-24 05:15 . 2009-08-27 12:22 -------- d-----w- c:\program files\Xvid
2009-10-14 02:56 . 2009-10-14 02:56 -------- d-----w- c:\documents and settings\paul\Application Data\SharePod
2009-10-11 09:22 . 2009-10-06 01:38 -------- d-----w- c:\documents and settings\paul\Application Data\DivX
2009-10-06 01:26 . 2009-10-06 01:25 -------- d-----w- c:\program files\DivX
2009-10-06 01:25 . 2009-10-06 01:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-03 08:27 . 2009-10-03 08:27 -------- d-----w- c:\program files\RedSnow iTouch Jailbreak
2009-10-03 07:03 . 2009-10-03 07:03 -------- d-----w- c:\program files\hi join
2009-10-03 07:01 . 2009-08-04 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-03 03:54 . 2009-08-05 05:54 16504 ----a-w- c:\documents and settings\paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\MSBuild
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 23:38 . 2009-09-10 23:04 -------- d-----w- c:\documents and settings\paul\Application Data\Apple Computer
2009-09-26 02:04 . 2009-08-06 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-25 02:13 . 2009-09-22 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-09-22 04:02 . 2009-09-22 03:41 -------- d-----w- c:\program files\Common Files\logishrd
2009-09-22 04:01 . 2009-09-22 03:35 -------- d-----w- c:\program files\Logitech
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 11:42 . 2009-09-10 22:56 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 11:42 . 2009-09-10 22:56 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-18_12.24.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-19 13:30 . 2009-11-19 13:30 16384 c:\windows\temp\wincyvid.exe
+ 2009-11-19 13:30 . 2009-11-19 13:30 11264 c:\windows\temp\pmsj.exe
+ 2009-11-19 13:30 . 2009-11-19 13:30 7680 c:\windows\temp\ciuowh.exe
+ 2009-11-19 13:26 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-11-18 12:23 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 09:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1768960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 491520]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2854160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 109424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1004920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 215328]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\paul\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-8-4 786432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\WINDOWS\\system32\\dmremote.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\cdloader2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Logitech\\Logitech WebCam Software\\LWS.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\RegCure\\RegCure.exe"= d:\\Program Files\\RegCure\\RegCure.exe
"c:\\WINDOWS\\PEV.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\WINDOWS\\TEMP\\pmsj.exe"=
"c:\\WINDOWS\\TEMP\\ciuowh.exe"=
"c:\\WINDOWS\\TEMP\\wincyvid.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\fvbt.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\winrjvty.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\uafwf.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:443
"5060:UDP"= 5060:UDP:5060
"5070:UDP"= 5070:UDP:5070
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-11-19 c:\windows\Tasks\RegCure Program Check.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
2009-11-19 c:\windows\Tasks\RegCure.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\paul\Application Data\Mozilla\Firefox\Profiles\5uoghj58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 21:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\TEMP\pmsj.exe
c:\windows\TEMP\ciuowh.exe
c:\windows\TEMP\wincyvid.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\paul\LOCALS~1\Temp\fvbt.exe
c:\docume~1\paul\LOCALS~1\Temp\winrjvty.exe
c:\docume~1\paul\LOCALS~1\Temp\uafwf.exe
.
**************************************************************************
.
Completion time: 2009-11-19 21:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 13:42
ComboFix2.txt 2009-11-18 13:09
Pre-Run: 23,563,599,872 bytes free
Post-Run: 23,444,729,856 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9ABE832FC4BAC3C1C4900874C4218908
The RSIT log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by paul at 2009-11-19 21:44:56
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 22 GB (29%) free of 78 GB
Total RAM: 255 MB (8% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:10 PM, on 11/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\TEMP\pmsj.exe
C:\WINDOWS\TEMP\ciuowh.exe
C:\WINDOWS\TEMP\wincyvid.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\fvbt.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\winrjvty.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\uafwf.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\paul\Desktop\RSIT.exe
C:\Program Files\trend micro\paul.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 6756 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-07-31 909040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2009-07-31 159472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{D4027C7F-154A-4066-A1AD-4243D8127440} - Ask Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2009-07-10 1174920]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-07-31 909040]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 185584]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 491520]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-05-08 2854160]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 109424]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 1004920]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 215328]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 185584]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1768960]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
C:\WINDOWS\FixCamera.exe [2007-07-11 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe [2007-05-10 344064]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1482752]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe [2007-05-12 344064]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless Utility.lnk - C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Documents and Settings\paul\Start Menu\Programs\Startup
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Analog Devices\Core\smax4pnp.exe"="C:\Program Files\Analog Devices\Core\smax4pnp.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe"="C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe:*:Enabled:Adobe Bridge CS3"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Logitech\Logitech Vid\Vid.exe"="C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:ipsec"
"C:\Program Files\QuickTime\QTTask.exe"="C:\Program Files\QuickTime\QTTask.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\dmremote.exe"="C:\WINDOWS\system32\dmremote.exe:*:Enabled:ipsec"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\wscntfy.exe"="C:\WINDOWS\system32\wscntfy.exe:*:Enabled:ipsec"
"C:\Documents and Settings\paul\Application Data\mjusbsp\cdloader2.exe"="C:\Documents and Settings\paul\Application Data\mjusbsp\cdloader2.exe:*:Enabled:ipsec"
"C:\Program Files\Java\jre6\bin\jusched.exe"="C:\Program Files\Java\jre6\bin\jusched.exe:*:Enabled:ipsec"
"C:\Documents and Settings\paul\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\paul\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"
"C:\Program Files\iTunes\iTunesHelper.exe"="C:\Program Files\iTunes\iTunesHelper.exe:*:Enabled:ipsec"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe"="C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe:*:Enabled:ipsec"
"C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe:*:Enabled:ipsec"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"D:\Program Files\RegCure\RegCure.exe"="d:\Program Files\RegCure\RegCure.exe:*:Enabled:ipsec"
"C:\WINDOWS\PEV.exe"="C:\WINDOWS\PEV.exe:*:Enabled:ipsec"
"C:\Program Files\OpenOffice.org 3\program\soffice.bin"="C:\Program Files\OpenOffice.org 3\program\soffice.bin:*:Enabled:ipsec"
"C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"="C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe:*:Enabled:ipsec"
"C:\Program Files\OpenOffice.org 3\program\soffice.exe"="C:\Program Files\OpenOffice.org 3\program\soffice.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\pmsj.exe"="C:\WINDOWS\TEMP\pmsj.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\ciuowh.exe"="C:\WINDOWS\TEMP\ciuowh.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wincyvid.exe"="C:\WINDOWS\TEMP\wincyvid.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\fvbt.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\fvbt.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winrjvty.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winrjvty.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\uafwf.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\uafwf.exe:*:Enabled:ipsec"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2009-11-19 21:42:23 ----A---- C:\ComboFix.txt
2009-11-19 21:25:20 ----D---- C:\WINDOWS\temp
2009-11-18 20:11:59 ----A---- C:\Boot.bak
2009-11-18 20:11:53 ----RASHD---- C:\cmdcons
2009-11-18 20:07:33 ----A---- C:\WINDOWS\PEV.exe
2009-11-18 20:07:33 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-18 20:07:33 ----A---- C:\WINDOWS\MBR.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\zip.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\SWSC.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\SWREG.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\sed.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\grep.exe
2009-11-18 20:03:30 ----D---- C:\Qoobox
2009-11-17 20:05:01 ----D---- C:\rsit
2009-11-14 07:18:18 ----A---- C:\WINDOWS\system32\tmp.txt
2009-11-14 07:18:06 ----A---- C:\rapport.txt
2009-11-12 07:39:12 ----D---- C:\WINDOWS\ERDNT
2009-11-12 07:31:31 ----D---- C:\Program Files\Trend Micro
2009-11-11 22:10:14 ----A---- C:\WINDOWS\rootkitno.ini
2009-11-11 22:06:45 ----D---- C:\WINDOWS\Minidump
2009-11-11 21:49:28 ----A---- C:\WINDOWS\system32\PARTIZAN.TXT
2009-11-11 21:48:01 ----D---- C:\RootkitNO
2009-11-11 21:35:21 ----D---- C:\Documents and Settings\paul\Application Data\Help
2009-11-11 21:33:19 ----RASHOT---- C:\WINDOWS\winstart.bat
2009-11-11 21:05:25 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-11 20:11:01 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 17:25:05 ----D---- C:\Documents and Settings\paul\Application Data\mjusbsp
2009-11-10 07:39:43 ----D---- C:\Program Files\iPod
2009-11-10 07:39:21 ----D---- C:\Program Files\iTunes
2009-11-08 23:01:08 ----D---- C:\WINDOWS\.jagex_cache_32
2009-11-07 10:54:52 ----A---- C:\sqlite3.dll
2009-10-29 22:35:48 ----A---- C:\SharePod.exe
2009-10-29 22:07:58 ----A---- C:\Readme.txt
======List of files/folders modified in the last 1 months======
2009-11-19 21:43:09 ----D---- C:\Program Files\Mozilla Firefox
2009-11-19 21:42:28 ----D---- C:\WINDOWS\system32\drivers
2009-11-19 21:38:44 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-19 21:34:01 ----D---- C:\WINDOWS
2009-11-19 21:34:01 ----A---- C:\WINDOWS\system.ini
2009-11-19 21:25:40 ----D---- C:\WINDOWS\system32\config
2009-11-19 21:22:37 ----D---- C:\WINDOWS\system32
2009-11-19 21:22:37 ----D---- C:\WINDOWS\AppPatch
2009-11-19 21:22:33 ----D---- C:\Program Files\Common Files
2009-11-19 21:14:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-19 20:18:37 ----D---- C:\WINDOWS\Prefetch
2009-11-19 19:21:26 ----RD---- C:\Program Files
2009-11-19 05:53:51 ----HD---- C:\WINDOWS\inf
2009-11-18 21:08:18 ----D---- C:\WINDOWS\repair
2009-11-18 20:37:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-18 20:11:59 ----RASH---- C:\boot.ini
2009-11-17 20:33:33 ----SD---- C:\Documents and Settings\paul\Application Data\Microsoft
2009-11-15 07:57:05 ----SHD---- C:\WINDOWS\Installer
2009-11-14 07:42:20 ----SD---- C:\WINDOWS\Tasks
2009-11-11 21:54:15 ----D---- C:\Program Files\Ask.com
2009-11-11 13:35:53 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-10 21:28:08 ----D---- C:\Documents and Settings
2009-11-10 07:39:41 ----D---- C:\Program Files\Common Files\Apple
2009-11-10 07:33:10 ----D---- C:\WINDOWS\WinSxS
2009-11-08 05:07:39 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-08 05:07:04 ----D---- C:\Documents and Settings\paul\Application Data\Adobe
2009-11-08 05:03:23 ----D---- C:\Program Files\Common Files\Adobe
2009-11-08 05:02:34 ----D---- C:\Program Files\Adobe
2009-11-07 10:25:56 ----D---- C:\Documents and Settings\paul\Application Data\LimeWire
2009-11-06 18:43:06 ----D---- C:\Program Files\RedSnow
2009-11-06 03:01:01 ----A---- C:\WINDOWS\imsins.BAK
2009-11-06 01:36:21 ----A---- C:\WINDOWS\system32\MRT.exe
2009-10-30 16:43:20 ----D---- C:\Documents and Settings\paul\Application Data\Skype
2009-10-30 16:39:20 ----D---- C:\Documents and Settings\paul\Application Data\skypePM
2009-10-29 17:58:30 ----D---- C:\Program Files\Java
2009-10-24 13:15:07 ----D---- C:\Program Files\Xvid
2009-10-23 03:00:50 ----D---- C:\Program Files\Internet Explorer
2009-10-22 17:19:04 ----N---- C:\WINDOWS\system32\mshtml.dll
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-08-04 21361]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2009-04-30 25624]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-04-14 1897408]
R3 RT73;RT73 USB Wireless LAN Card Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2008-01-15 459520]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S3 mbr;mbr; \??\C:\DOCUME~1\paul\LOCALS~1\Temp\mbr.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2009-04-30 2687512]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-08-31 12212864]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 a2free;a-squared Free Service; D:\Program Files\a-squared Free\a2service.exe [2007-06-26 224888]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-10 602392]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-10-28 545568]
S2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-04-30 227864]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-08-05 732672]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [2003-03-03 221184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 991232]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
Thanks!
Hi again,
Uninstall Ask Toolbar if not installed on purpose.
See if you are able to launch Spybot now. If not, uninstall it temporarily until we've finished the cleaning.
Start HJT, do a system scan, and check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Close browsers and fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
Collect::
c:\windows\temp\wincyvid.exe
c:\windows\temp\pmsj.exe
c:\windows\temp\ciuowh.exe
c:\docume~1\paul\LOCALS~1\Temp\fvbt.exe
c:\docume~1\paul\LOCALS~1\Temp\winrjvty.exe
c:\docume~1\paul\LOCALS~1\Temp\uafwf.exe
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\TEMP\\pmsj.exe"=-
"c:\\WINDOWS\\TEMP\\ciuowh.exe"=-
"c:\\WINDOWS\\TEMP\\wincyvid.exe"=-
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\fvbt.exe"=-
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\winrjvty.exe"=-
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\uafwf.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"=-
"5060:UDP"=-
"5070:UDP"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Check here (http://www.adobe.com/software/flash/about/) to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 17 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combo box and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh rsit log and above mentioned ComboFix resultant log.
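The fix above is built by hand from two parts of the RSIT dump: the HKCU Policies\System values that lock out Task Manager and Regedit, and the Windows Firewall "authorized applications" entries that whitelist executables living in C:\WINDOWS\TEMP and the user's Local Settings\Temp folder. The later log in this thread shows the same kind of files under fresh random names, so the triage has to be repeated on every new log. Below is an added example, written for this page and not part of RSIT, HijackThis or ComboFix, that automates that reading: it parses an RSIT-style log, flags processes and firewall exceptions that point into temp directories plus any tool-lockout policy values set to 1, and drafts the matching Collect:: and Registry:: lines in the CFScript layout used in the post above. The sample log, the temp-directory patterns and the HKLM\~ abbreviation are assumptions based on what is posted here; the output is a draft for an analyst to review, not something to run unreviewed.

```python
"""Triage an RSIT/HijackThis-style log for the indicators seen in this thread and
draft the matching CFScript lines. Hypothetical helper, not part of RSIT or ComboFix."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the logs posted in the thread (not a real capture).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\nnju.exe
C:\DOCUME~1\paul\LOCALS~1\Temp\ceionk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\pmsj.exe"="C:\WINDOWS\TEMP\pmsj.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\fvbt.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\fvbt.exe:*:Enabled:ipsec"
"""

# Temp locations seen in the thread (assumed list; extend for other profiles/locales).
TEMP_DIR = re.compile(r"\\(?:WINDOWS\\TEMP|LOCALS~1\\Temp|Local Settings\\Temp)\\", re.I)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')            # "name"=data
POLICY_SYSTEM = re.compile(
    r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$", re.I)
FIREWALL_APPS = re.compile(r"\\firewallpolicy\\\w+profile\\authorizedapplications\\list$", re.I)
TOOL_LOCKOUT = {"DisableTaskMgr", "DisableRegistryTools", "DisableRegedit"}


@dataclass
class Findings:
    temp_processes: list = field(default_factory=list)         # running from a temp dir
    lockout_values: dict = field(default_factory=dict)         # policy key -> [names set to 1]
    temp_firewall_entries: dict = field(default_factory=dict)  # firewall key -> [temp paths]


def triage(log_text: str) -> Findings:
    """Walk the log once, tracking which registry key (or the process list) we are in."""
    f = Findings()
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            section = "processes"
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                               # registry key header
            continue
        if section == "processes":
            if DRIVE_PATH.match(line):
                if TEMP_DIR.search(line):
                    f.temp_processes.append(line)
            else:
                section = None                                 # first non-path line ends the list
            continue
        if section is None:
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if POLICY_SYSTEM.match(section) and name in TOOL_LOCKOUT and data == "1":
            f.lockout_values.setdefault(section, []).append(name)
        elif FIREWALL_APPS.search(section) and TEMP_DIR.search(name):
            f.temp_firewall_entries.setdefault(section, []).append(name)
    return f


def cfscript_key(key: str) -> str:
    # CFScripts abbreviate HKLM/system/currentcontrolset to HKLM/~ (as in the helper's post).
    return re.sub(r"^HKEY_LOCAL_MACHINE\\system\\currentcontrolset",
                  lambda _: r"HKLM\~", key, flags=re.I)


def build_cfscript(f: Findings) -> str:
    """Draft Collect:: and Registry:: blocks; an analyst still reviews before use."""
    out = []
    files = sorted(set(f.temp_processes) | {p for ps in f.temp_firewall_entries.values() for p in ps})
    if files:
        out.append("Collect::")
        out.extend(files)
    if f.lockout_values or f.temp_firewall_entries:
        out.append("Registry::")
    for key, names in f.lockout_values.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name in names)                      # "=-" deletes the value
    for key, paths in f.temp_firewall_entries.items():
        out.append(f"[{cfscript_key(key)}]")
        out.extend('"' + p.replace("\\", "\\\\") + '"=-' for p in paths)  # .reg-style escaping
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run it against a saved log instead of the sample by passing the file contents to triage(). It deliberately does not touch GloballyOpenPorts or the O7 HJT line; those still need the analyst's judgement, as in the post above.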
yourallthesame
2009-11-21, 08:10
Hi Blade.
When I double click ATF Cleaner, sometimes it doesn't open, or it will open for a few seconds then just disappear. I'm also getting a message on my computer saying "Microsoft Visual C++ RunTime Library: Runtime Error! Program: C:\pro R6002 -floating point not supported"
On top of that I can't open any of the Kaspersky websites... not the online scanner, nor their home website, period. Browser says: Firefox can't find the server at www.kaspersky.com
Thanks!
Are you able to access thru this (http://www.hidemyass.com/)?
yourallthesame
2009-11-22, 12:30
Hi Blade,
Can't get it through that website either.
Hi,
Upload these files to http://www.virustotal.com and post back the results:
c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
yourallthesame
2009-11-22, 13:11
Can't load that page either. Any idea what's blocking these sites? I can access these sites on my laptop which is using the same wireless network.
yourallthesame
2009-11-22, 13:44
Just did a scan on NoVirusThanks for all three of those and they turned up clean.
yourallthesame
2009-11-22, 13:49
Hi Blade,
here is the fresh RSIT log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by paul at 2009-11-22 19:45:29
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 22 GB (29%) free of 78 GB
Total RAM: 255 MB (19% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:45 PM, on 11/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\TEMP\nnju.exe
C:\WINDOWS\TEMP\wphgta.exe
C:\WINDOWS\TEMP\winmbudpk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Documents and Settings\paul\Desktop\RSIT.exe
C:\Program Files\trend micro\paul.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 6680 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RegCure Program Check.job
C:\WINDOWS\tasks\RegCure.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-07-31 909040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-11-21 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-11-21 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2009-07-31 159472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2009-07-31 909040]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 185584]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 491520]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2009-05-08 2854160]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 109424]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 1004920]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-10-28 215328]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-11-21 218912]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-10-11 320832]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [2009-02-23 185584]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1768960]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
C:\WINDOWS\FixCamera.exe [2007-07-11 20480]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
C:\WINDOWS\vsnp2std.exe [2007-05-10 344064]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1482752]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe [2007-05-12 344064]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless Utility.lnk - C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Documents and Settings\paul\Start Menu\Programs\Startup
OpenOffice.org 3.1.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Analog Devices\Core\smax4pnp.exe"="C:\Program Files\Analog Devices\Core\smax4pnp.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe"="C:\Program Files\Adobe\Adobe Bridge CS3\Bridge.exe:*:Enabled:Adobe Bridge CS3"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Logitech\Logitech Vid\Vid.exe"="C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:ipsec"
"C:\Program Files\QuickTime\QTTask.exe"="C:\Program Files\QuickTime\QTTask.exe:*:Enabled:ipsec"
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\dmremote.exe"="C:\WINDOWS\system32\dmremote.exe:*:Enabled:ipsec"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\wscntfy.exe"="C:\WINDOWS\system32\wscntfy.exe:*:Enabled:ipsec"
"C:\Documents and Settings\paul\Application Data\mjusbsp\cdloader2.exe"="C:\Documents and Settings\paul\Application Data\mjusbsp\cdloader2.exe:*:Enabled:ipsec"
"C:\Program Files\Java\jre6\bin\jusched.exe"="C:\Program Files\Java\jre6\bin\jusched.exe:*:Enabled:ipsec"
"C:\Documents and Settings\paul\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\paul\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"
"C:\Program Files\iTunes\iTunesHelper.exe"="C:\Program Files\iTunes\iTunesHelper.exe:*:Enabled:ipsec"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe"="C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe:*:Enabled:ipsec"
"C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe:*:Enabled:ipsec"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"D:\Program Files\RegCure\RegCure.exe"="d:\Program Files\RegCure\RegCure.exe:*:Enabled:ipsec"
"C:\WINDOWS\PEV.exe"="C:\WINDOWS\PEV.exe:*:Enabled:ipsec"
"C:\Program Files\OpenOffice.org 3\program\soffice.bin"="C:\Program Files\OpenOffice.org 3\program\soffice.bin:*:Enabled:ipsec"
"C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"="C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe:*:Enabled:ipsec"
"C:\Program Files\OpenOffice.org 3\program\soffice.exe"="C:\Program Files\OpenOffice.org 3\program\soffice.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\hkre.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\hkre.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\winkrxfpw.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\winkrxfpw.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\opou.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\opou.exe:*:Enabled:ipsec"
"C:\DOCUME~1\paul\LOCALS~1\Temp\ddoqjd.exe"="C:\DOCUME~1\paul\LOCALS~1\Temp\ddoqjd.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\eiak.exe"="C:\WINDOWS\TEMP\eiak.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winlfsy.exe"="C:\WINDOWS\TEMP\winlfsy.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\fmchb.exe"="C:\WINDOWS\TEMP\fmchb.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winhnqhba.exe"="C:\WINDOWS\TEMP\winhnqhba.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winvngq.exe"="C:\WINDOWS\TEMP\winvngq.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\gueh.exe"="C:\WINDOWS\TEMP\gueh.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winceoi.exe"="C:\WINDOWS\TEMP\winceoi.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winjkkjyv.exe"="C:\WINDOWS\TEMP\winjkkjyv.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winnxts.exe"="C:\WINDOWS\TEMP\winnxts.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winogabgl.exe"="C:\WINDOWS\TEMP\winogabgl.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winjisqt.exe"="C:\WINDOWS\TEMP\winjisqt.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wingpcvek.exe"="C:\WINDOWS\TEMP\wingpcvek.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\jxsv.exe"="C:\WINDOWS\TEMP\jxsv.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\vlwdck.exe"="C:\WINDOWS\TEMP\vlwdck.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winnrnvfa.exe"="C:\WINDOWS\TEMP\winnrnvfa.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\pwxc.exe"="C:\WINDOWS\TEMP\pwxc.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winjwpu.exe"="C:\WINDOWS\TEMP\winjwpu.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winamwlu.exe"="C:\WINDOWS\TEMP\winamwlu.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\oaww.exe"="C:\WINDOWS\TEMP\oaww.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winqgkcqt.exe"="C:\WINDOWS\TEMP\winqgkcqt.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winsoxfe.exe"="C:\WINDOWS\TEMP\winsoxfe.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winiuqpm.exe"="C:\WINDOWS\TEMP\winiuqpm.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\rvuc.exe"="C:\WINDOWS\TEMP\rvuc.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\xhiq.exe"="C:\WINDOWS\TEMP\xhiq.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\rcptfx.exe"="C:\WINDOWS\TEMP\rcptfx.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winfiyxj.exe"="C:\WINDOWS\TEMP\winfiyxj.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wineuti.exe"="C:\WINDOWS\TEMP\wineuti.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\jwaadd.exe"="C:\WINDOWS\TEMP\jwaadd.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\rifdk.exe"="C:\WINDOWS\TEMP\rifdk.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winfski.exe"="C:\WINDOWS\TEMP\winfski.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winjxdxux.exe"="C:\WINDOWS\TEMP\winjxdxux.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winfdxsv.exe"="C:\WINDOWS\TEMP\winfdxsv.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\fxxcvx.exe"="C:\WINDOWS\TEMP\fxxcvx.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winaqrkd.exe"="C:\WINDOWS\TEMP\winaqrkd.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winrnue.exe"="C:\WINDOWS\TEMP\winrnue.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wincbad.exe"="C:\WINDOWS\TEMP\wincbad.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winrdojwq.exe"="C:\WINDOWS\TEMP\winrdojwq.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wineymkgu.exe"="C:\WINDOWS\TEMP\wineymkgu.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winiufjn.exe"="C:\WINDOWS\TEMP\winiufjn.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winyqparl.exe"="C:\WINDOWS\TEMP\winyqparl.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\fbof.exe"="C:\WINDOWS\TEMP\fbof.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\qvfwal.exe"="C:\WINDOWS\TEMP\qvfwal.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\lnilbm.exe"="C:\WINDOWS\TEMP\lnilbm.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\kdwj.exe"="C:\WINDOWS\TEMP\kdwj.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winotejw.exe"="C:\WINDOWS\TEMP\winotejw.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winwnfb.exe"="C:\WINDOWS\TEMP\winwnfb.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winkpvas.exe"="C:\WINDOWS\TEMP\winkpvas.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winuhok.exe"="C:\WINDOWS\TEMP\winuhok.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winacmbvk.exe"="C:\WINDOWS\TEMP\winacmbvk.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winowey.exe"="C:\WINDOWS\TEMP\winowey.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winrdeuek.exe"="C:\WINDOWS\TEMP\winrdeuek.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\sumu.exe"="C:\WINDOWS\TEMP\sumu.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\rhcnys.exe"="C:\WINDOWS\TEMP\rhcnys.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winafhfhg.exe"="C:\WINDOWS\TEMP\winafhfhg.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\oxwcw.exe"="C:\WINDOWS\TEMP\oxwcw.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winlnknmk.exe"="C:\WINDOWS\TEMP\winlnknmk.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winowxqa.exe"="C:\WINDOWS\TEMP\winowxqa.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\yrakp.exe"="C:\WINDOWS\TEMP\yrakp.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winaylld.exe"="C:\WINDOWS\TEMP\winaylld.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wintyury.exe"="C:\WINDOWS\TEMP\wintyury.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winyfmjrh.exe"="C:\WINDOWS\TEMP\winyfmjrh.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winwdfaq.exe"="C:\WINDOWS\TEMP\winwdfaq.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winddwsv.exe"="C:\WINDOWS\TEMP\winddwsv.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\shkdv.exe"="C:\WINDOWS\TEMP\shkdv.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\nnju.exe"="C:\WINDOWS\TEMP\nnju.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wphgta.exe"="C:\WINDOWS\TEMP\wphgta.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winmbudpk.exe"="C:\WINDOWS\TEMP\winmbudpk.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\winhwstst.exe"="C:\WINDOWS\TEMP\winhwstst.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\wingnmhu.exe"="C:\WINDOWS\TEMP\wingnmhu.exe:*:Enabled:ipsec"
"C:\WINDOWS\TEMP\windfkjq.exe"="C:\WINDOWS\TEMP\windfkjq.exe:*:Enabled:ipsec"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2009-11-22 19:04:18 ----D---- C:\Documents and Settings\paul\Application Data\WinPatrol
2009-11-22 19:04:07 ----D---- C:\Program Files\BillP Studios
2009-11-21 13:58:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-11-21 13:58:37 ----A---- C:\WINDOWS\system32\javaw.exe
2009-11-21 13:58:37 ----A---- C:\WINDOWS\system32\java.exe
2009-11-21 12:52:59 ----D---- C:\WINDOWS\temp
2009-11-21 12:52:56 ----A---- C:\ComboFix.txt
2009-11-18 20:11:59 ----A---- C:\Boot.bak
2009-11-18 20:11:53 ----RASHD---- C:\cmdcons
2009-11-18 20:07:33 ----A---- C:\WINDOWS\PEV.exe
2009-11-18 20:07:33 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-18 20:07:33 ----A---- C:\WINDOWS\MBR.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\zip.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\SWSC.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\SWREG.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\sed.exe
2009-11-18 20:07:32 ----A---- C:\WINDOWS\grep.exe
2009-11-18 20:03:30 ----D---- C:\Qoobox
2009-11-17 20:05:01 ----D---- C:\rsit
2009-11-14 07:18:18 ----A---- C:\WINDOWS\system32\tmp.txt
2009-11-14 07:18:06 ----A---- C:\rapport.txt
2009-11-12 07:39:12 ----D---- C:\WINDOWS\ERDNT
2009-11-12 07:31:31 ----D---- C:\Program Files\Trend Micro
2009-11-11 22:10:14 ----A---- C:\WINDOWS\rootkitno.ini
2009-11-11 22:06:45 ----D---- C:\WINDOWS\Minidump
2009-11-11 21:49:28 ----A---- C:\WINDOWS\system32\PARTIZAN.TXT
2009-11-11 21:48:01 ----D---- C:\RootkitNO
2009-11-11 21:35:21 ----D---- C:\Documents and Settings\paul\Application Data\Help
2009-11-11 21:33:19 ----RASHOT---- C:\WINDOWS\winstart.bat
2009-11-11 21:05:25 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-11 20:11:01 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 17:25:05 ----D---- C:\Documents and Settings\paul\Application Data\mjusbsp
2009-11-10 07:39:43 ----D---- C:\Program Files\iPod
2009-11-10 07:39:21 ----D---- C:\Program Files\iTunes
2009-11-08 23:01:08 ----D---- C:\WINDOWS\.jagex_cache_32
2009-11-07 10:54:52 ----A---- C:\sqlite3.dll
2009-10-29 22:35:48 ----A---- C:\SharePod.exe
2009-10-29 22:07:58 ----A---- C:\Readme.txt
======List of files/folders modified in the last 1 months======
2009-11-22 19:04:07 ----RD---- C:\Program Files
2009-11-22 18:26:43 ----D---- C:\Program Files\Mozilla Firefox
2009-11-22 16:51:26 ----D---- C:\WINDOWS\Prefetch
2009-11-22 05:35:59 ----D---- C:\WINDOWS\system32\drivers
2009-11-22 05:35:11 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-21 13:58:37 ----D---- C:\WINDOWS\system32
2009-11-21 13:58:21 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-11-21 13:58:20 ----SHD---- C:\WINDOWS\Installer
2009-11-21 13:58:16 ----D---- C:\Program Files\Java
2009-11-21 12:52:59 ----D---- C:\WINDOWS
2009-11-21 12:48:40 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-21 12:41:37 ----A---- C:\WINDOWS\system.ini
2009-11-21 12:39:27 ----D---- C:\WINDOWS\system32\config
2009-11-21 12:34:01 ----D---- C:\WINDOWS\AppPatch
2009-11-21 12:33:57 ----D---- C:\Program Files\Common Files
2009-11-19 05:53:51 ----HD---- C:\WINDOWS\inf
2009-11-18 21:08:18 ----D---- C:\WINDOWS\repair
2009-11-18 20:37:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-18 20:11:59 ----RASH---- C:\boot.ini
2009-11-17 20:33:33 ----SD---- C:\Documents and Settings\paul\Application Data\Microsoft
2009-11-14 07:42:20 ----SD---- C:\WINDOWS\Tasks
2009-11-11 13:35:53 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-10 21:28:08 ----D---- C:\Documents and Settings
2009-11-10 07:39:41 ----D---- C:\Program Files\Common Files\Apple
2009-11-10 07:33:10 ----D---- C:\WINDOWS\WinSxS
2009-11-08 05:07:39 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-11-08 05:07:04 ----D---- C:\Documents and Settings\paul\Application Data\Adobe
2009-11-08 05:03:23 ----D---- C:\Program Files\Common Files\Adobe
2009-11-08 05:02:34 ----D---- C:\Program Files\Adobe
2009-11-07 10:25:56 ----D---- C:\Documents and Settings\paul\Application Data\LimeWire
2009-11-06 18:43:06 ----D---- C:\Program Files\RedSnow
2009-11-06 03:01:01 ----A---- C:\WINDOWS\imsins.BAK
2009-11-06 01:36:21 ----A---- C:\WINDOWS\system32\MRT.exe
2009-10-30 16:43:20 ----D---- C:\Documents and Settings\paul\Application Data\Skype
2009-10-30 16:39:20 ----D---- C:\Documents and Settings\paul\Application Data\skypePM
2009-10-24 13:15:07 ----D---- C:\Program Files\Xvid
2009-10-23 03:00:50 ----D---- C:\Program Files\Internet Explorer
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-08-04 21361]
R3 asc3360pr;asc3360pr; \??\C:\WINDOWS\system32\drivers\nqokln.sys []
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2003-03-04 145408]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2009-04-30 25624]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-04-14 1897408]
R3 RT73;RT73 USB Wireless LAN Card Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2008-01-15 459520]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 PID_PEPI;Logitech QuickCam IM(PID_PEPI); C:\WINDOWS\system32\DRIVERS\LV302V32.SYS [2009-04-30 2687512]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD); C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-08-31 12212864]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-14 121984]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 a2free;a-squared Free Service; D:\Program Files\a-squared Free\a2service.exe [2007-06-26 224888]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-11-21 153376]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-04-30 227864]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-10 602392]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-10-28 545568]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-08-05 732672]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [2003-03-03 221184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 991232]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
Combofix log:
ComboFix 09-11-18.07 - paul 11/21/2009 12:28.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.112 [GMT 8:00]
Running from: c:\documents and settings\paul\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\paul\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.
2009-11-19 11:19 . 2009-11-19 11:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-18 12:37 . 2008-04-14 12:00 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 12:37 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-17 20:52 . 2009-11-17 20:53 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2009-11-17 12:05 . 2009-11-17 12:05 -------- d-----w- C:\rsit
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AskToolbar
2009-11-14 20:16 . 2009-11-14 20:16 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-14 20:14 . 2009-11-14 20:14 -------- d-----w- c:\documents and settings\Guest\Application Data\OpenOffice.org
2009-11-11 23:31 . 2009-11-19 13:45 -------- d-----w- c:\program files\Trend Micro
2009-11-11 13:48 . 2009-11-11 13:48 -------- d-----w- C:\RootkitNO
2009-11-11 13:35 . 2009-11-11 13:35 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Help
2009-11-11 13:33 . 2009-11-11 13:33 2 --shatr- c:\windows\winstart.bat
2009-11-11 13:32 . 2008-12-22 07:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-11 12:11 . 2009-11-21 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 17:20 . 2009-11-10 17:20 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-11-10 13:31 . 2009-11-10 13:31 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Yahoo
2009-11-10 13:29 . 2009-11-10 13:29 16504 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 12:00 . 2009-08-01 16:16 6326232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\in00000\setup.exe
2009-11-10 12:00 . 2009-08-01 16:16 6330328 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\setup1.exe
2009-11-10 12:00 . 2009-08-01 16:12 798232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\install1.exe
2009-11-10 11:57 . 2009-11-10 12:00 7690776 ---h--w- c:\documents and settings\paul\Application Data\mjusbsp\ar00000\upgrade.exe
2009-11-10 09:25 . 2009-11-10 12:00 -------- d-----w- c:\documents and settings\paul\Application Data\mjusbsp
2009-11-09 23:39 . 2009-11-09 23:39 -------- d-----w- c:\program files\iPod
2009-11-09 23:39 . 2009-11-09 23:40 -------- d-----w- c:\program files\iTunes
2009-11-09 23:19 . 2009-11-09 23:19 152872 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-08 15:01 . 2009-11-08 15:01 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-07 02:54 . 2009-11-07 02:54 504038 ----a-w- C:\sqlite3.dll
2009-10-29 14:35 . 2009-10-29 14:35 5595136 ----a-w- C:\SharePod.exe
2009-10-29 09:55 . 2009-10-29 09:55 152576 ----a-w- c:\documents and settings\paul\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-23 15:05 . 2009-10-23 15:05 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 12:41 . 2009-08-26 23:21 1 ----a-w- c:\documents and settings\paul\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-17 12:33 . 2009-11-17 12:33 2015 ---h--r- c:\windows\system32\drivers\hosts
2009-11-15 05:24 . 2009-11-10 13:28 -------- d--h--r- c:\documents and settings\Guest\Application Data\yahoo!
2009-11-09 23:39 . 2009-09-10 22:55 -------- d-----w- c:\program files\Common Files\Apple
2009-11-07 21:03 . 2009-08-04 07:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-07 02:25 . 2009-08-06 12:08 -------- d-----w- c:\documents and settings\paul\Application Data\LimeWire
2009-11-06 10:43 . 2009-10-06 02:27 -------- d-----w- c:\program files\RedSnow
2009-10-30 08:43 . 2009-08-06 08:32 -------- d-----w- c:\documents and settings\paul\Application Data\Skype
2009-10-30 08:39 . 2009-08-06 08:35 -------- d-----w- c:\documents and settings\paul\Application Data\skypePM
2009-10-29 09:58 . 2009-08-05 06:59 -------- d-----w- c:\program files\Java
2009-10-24 05:15 . 2009-08-27 12:22 -------- d-----w- c:\program files\Xvid
2009-10-14 02:56 . 2009-10-14 02:56 -------- d-----w- c:\documents and settings\paul\Application Data\SharePod
2009-10-11 09:22 . 2009-10-06 01:38 -------- d-----w- c:\documents and settings\paul\Application Data\DivX
2009-10-06 01:26 . 2009-10-06 01:25 -------- d-----w- c:\program files\DivX
2009-10-06 01:25 . 2009-10-06 01:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-03 08:27 . 2009-10-03 08:27 -------- d-----w- c:\program files\RedSnow iTouch Jailbreak
2009-10-03 07:03 . 2009-10-03 07:03 -------- d-----w- c:\program files\hi join
2009-10-03 07:01 . 2009-08-04 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-03 03:54 . 2009-08-05 05:54 16504 ----a-w- c:\documents and settings\paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\MSBuild
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 23:38 . 2009-09-10 23:04 -------- d-----w- c:\documents and settings\paul\Application Data\Apple Computer
2009-09-26 02:04 . 2009-08-06 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-25 02:13 . 2009-09-22 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 11:42 . 2009-09-10 22:56 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 11:42 . 2009-09-10 22:56 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-18_12.24.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-21 04:25 . 2009-11-21 04:25 16384 c:\windows\temp\Perflib_Perfdata_954.dat
+ 2009-11-21 04:40 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-11-18 12:23 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1768960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 491520]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2854160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 109424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1004920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 215328]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\paul\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-8-4 786432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\WINDOWS\\system32\\dmremote.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\cdloader2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Logitech\\Logitech WebCam Software\\LWS.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\RegCure\\RegCure.exe"= d:\\Program Files\\RegCure\\RegCure.exe
"c:\\WINDOWS\\PEV.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\hkre.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\winkrxfpw.exe"=
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-11-21 c:\windows\Tasks\RegCure Program Check.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
2009-11-19 c:\windows\Tasks\RegCure.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\paul\Application Data\Mozilla\Firefox\Profiles\5uoghj58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 12:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\paul\LOCALS~1\Temp\hkre.exe
c:\docume~1\paul\LOCALS~1\Temp\winkrxfpw.exe
.
**************************************************************************
.
Completion time: 2009-11-21 12:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 04:52
ComboFix2.txt 2009-11-19 13:42
ComboFix3.txt 2009-11-18 13:09
Pre-Run: 23,076,749,312 bytes free
Post-Run: 22,965,518,336 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BA06D15BE1E2610E4C09FDB03CC03D44
Upload these files to Virustotal and post back the results:
C:\WINDOWS\TEMP\nnju.exe
C:\WINDOWS\TEMP\wphgta.exe
C:\WINDOWS\TEMP\winmbudpk.exe
Also, post contents of c:\combofix\ComboFix2.txt file.
yourallthesame
2009-11-22, 14:17
By the way, I can't use Virustotal, just as I can't use Kaspersky, because the page won't open either. So, I used
http://scanner.novirusthanks.org/index.php
NNJU.exe <---- Infected
winmbudpk.exe <---- Infected
wphgta.exe <---- Infected
Combofix2.txt:
ComboFix 09-11-18.07 - paul 11/19/2009 21:15.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.118 [GMT 8:00]
Running from: c:\documents and settings\paul\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.
2009-11-19 11:19 . 2009-11-19 11:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-18 12:37 . 2008-04-14 12:00 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-18 12:37 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-17 20:52 . 2009-11-17 20:53 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2009-11-17 12:05 . 2009-11-17 12:05 -------- d-----w- C:\rsit
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-sh--w- c:\documents and settings\Guest\PrivacIE
2009-11-15 05:24 . 2009-11-15 05:24 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AskToolbar
2009-11-14 20:16 . 2009-11-14 20:16 1 ----a-w- c:\documents and settings\Guest\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-14 20:14 . 2009-11-14 20:14 -------- d-----w- c:\documents and settings\Guest\Application Data\OpenOffice.org
2009-11-11 23:31 . 2009-11-17 12:05 -------- d-----w- c:\program files\Trend Micro
2009-11-11 13:48 . 2009-11-11 13:48 -------- d-----w- C:\RootkitNO
2009-11-11 13:35 . 2009-11-11 13:35 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Help
2009-11-11 13:33 . 2009-11-11 13:33 2 --shatr- c:\windows\winstart.bat
2009-11-11 13:32 . 2008-12-22 07:56 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-11-11 12:11 . 2009-11-18 11:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-10 17:20 . 2009-11-10 17:20 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-11-10 13:31 . 2009-11-10 13:31 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Yahoo
2009-11-10 13:29 . 2009-11-10 13:29 16504 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 12:00 . 2009-08-01 16:16 6326232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\in00000\setup.exe
2009-11-10 12:00 . 2009-08-01 16:16 6330328 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\setup1.exe
2009-11-10 12:00 . 2009-08-01 16:12 798232 ---ha-w- c:\documents and settings\paul\Application Data\mjusbsp\Upgrade\install1.exe
2009-11-10 11:57 . 2009-11-10 12:00 7690776 ---h--w- c:\documents and settings\paul\Application Data\mjusbsp\ar00000\upgrade.exe
2009-11-10 09:25 . 2009-11-10 12:00 -------- d-----w- c:\documents and settings\paul\Application Data\mjusbsp
2009-11-09 23:39 . 2009-11-09 23:39 -------- d-----w- c:\program files\iPod
2009-11-09 23:39 . 2009-11-09 23:40 -------- d-----w- c:\program files\iTunes
2009-11-09 23:19 . 2009-11-09 23:19 152872 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-08 15:01 . 2009-11-08 15:01 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-07 02:54 . 2009-11-07 02:54 504038 ----a-w- C:\sqlite3.dll
2009-10-29 14:35 . 2009-10-29 14:35 5595136 ----a-w- C:\SharePod.exe
2009-10-29 09:55 . 2009-10-29 09:55 152576 ----a-w- c:\documents and settings\paul\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-23 15:05 . 2009-10-23 15:05 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Identities
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 12:41 . 2009-08-26 23:21 1 ----a-w- c:\documents and settings\paul\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-17 12:33 . 2009-11-17 12:33 2015 ---h--r- c:\windows\system32\drivers\hosts
2009-11-15 05:24 . 2009-11-10 13:28 -------- d--h--r- c:\documents and settings\Guest\Application Data\yahoo!
2009-11-11 13:54 . 2009-08-04 06:17 -------- d-----w- c:\program files\Ask.com
2009-11-09 23:39 . 2009-09-10 22:55 -------- d-----w- c:\program files\Common Files\Apple
2009-11-07 21:03 . 2009-08-04 07:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-07 02:25 . 2009-08-06 12:08 -------- d-----w- c:\documents and settings\paul\Application Data\LimeWire
2009-11-06 10:43 . 2009-10-06 02:27 -------- d-----w- c:\program files\RedSnow
2009-10-30 08:43 . 2009-08-06 08:32 -------- d-----w- c:\documents and settings\paul\Application Data\Skype
2009-10-30 08:39 . 2009-08-06 08:35 -------- d-----w- c:\documents and settings\paul\Application Data\skypePM
2009-10-29 09:58 . 2009-08-05 06:59 -------- d-----w- c:\program files\Java
2009-10-24 05:15 . 2009-08-27 12:22 -------- d-----w- c:\program files\Xvid
2009-10-14 02:56 . 2009-10-14 02:56 -------- d-----w- c:\documents and settings\paul\Application Data\SharePod
2009-10-11 09:22 . 2009-10-06 01:38 -------- d-----w- c:\documents and settings\paul\Application Data\DivX
2009-10-06 01:26 . 2009-10-06 01:25 -------- d-----w- c:\program files\DivX
2009-10-06 01:25 . 2009-10-06 01:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-03 08:27 . 2009-10-03 08:27 -------- d-----w- c:\program files\RedSnow iTouch Jailbreak
2009-10-03 07:03 . 2009-10-03 07:03 -------- d-----w- c:\program files\hi join
2009-10-03 07:01 . 2009-08-04 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-10-03 03:54 . 2009-08-05 05:54 16504 ----a-w- c:\documents and settings\paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\MSBuild
2009-10-03 03:44 . 2009-10-03 03:44 -------- d-----w- c:\program files\Reference Assemblies
2009-10-02 23:38 . 2009-09-10 23:04 -------- d-----w- c:\documents and settings\paul\Application Data\Apple Computer
2009-09-26 02:04 . 2009-08-06 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-25 02:13 . 2009-09-22 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-09-22 04:02 . 2009-09-22 03:41 -------- d-----w- c:\program files\Common Files\logishrd
2009-09-22 04:01 . 2009-09-22 03:35 -------- d-----w- c:\program files\Logitech
2009-09-11 14:18 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 11:42 . 2009-09-10 22:56 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 11:42 . 2009-09-10 22:56 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-18_12.24.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-19 13:30 . 2009-11-19 13:30 16384 c:\windows\temp\wincyvid.exe
+ 2009-11-19 13:30 . 2009-11-19 13:30 11264 c:\windows\temp\pmsj.exe
+ 2009-11-19 13:30 . 2009-11-19 13:30 7680 c:\windows\temp\ciuowh.exe
+ 2009-11-19 13:26 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
- 2009-11-18 12:23 . 2009-04-30 08:01 109080 c:\windows\temp\logishrd\LVPrcInj01.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 09:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1768960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 491520]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2854160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 109424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 1004920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 215328]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\paul\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 457728]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-8-4 786432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\WINDOWS\\system32\\dmremote.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\cdloader2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Documents and Settings\\paul\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Logitech\\Logitech WebCam Software\\LWS.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\RegCure\\RegCure.exe"= d:\\Program Files\\RegCure\\RegCure.exe
"c:\\WINDOWS\\PEV.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\WINDOWS\\TEMP\\pmsj.exe"=
"c:\\WINDOWS\\TEMP\\ciuowh.exe"=
"c:\\WINDOWS\\TEMP\\wincyvid.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\fvbt.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\winrjvty.exe"=
"c:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\uafwf.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:443
"5060:UDP"= 5060:UDP:5060
"5070:UDP"= 5070:UDP:5070
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-11-19 c:\windows\Tasks\RegCure Program Check.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
2009-11-19 c:\windows\Tasks\RegCure.job
- d:\program files\RegCure\RegCure.exe [2008-04-21 12:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\paul\Application Data\Mozilla\Firefox\Profiles\5uoghj58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 21:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\TEMP\pmsj.exe
c:\windows\TEMP\ciuowh.exe
c:\windows\TEMP\wincyvid.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\paul\LOCALS~1\Temp\fvbt.exe
c:\docume~1\paul\LOCALS~1\Temp\winrjvty.exe
c:\docume~1\paul\LOCALS~1\Temp\uafwf.exe
.
**************************************************************************
.
Completion time: 2009-11-19 21:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 13:42
ComboFix2.txt 2009-11-18 13:09
Pre-Run: 23,563,599,872 bytes free
Post-Run: 23,444,729,856 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9ABE832FC4BAC3C1C4900874C4218908
Thanks!
I need to see detailed results for those files - which scanners detected them and what the detected infections were.
yourallthesame
2009-11-22, 14:41
Here are the logs from novirusthanks...
NNJU.EXE:
Report Generated: 22.11.2009 at 13.39.00 (GMT 1)
Time for scan: 72 seconds
File Name: nnju.exe
File Size: 11264
MD5 Hash: 4a719b328bfbca567f29f49784f6159d
SHA1 Hash: 29161890FE4DDAB8E2C75885ED3DAF337D138B71
Detection Rate: 21 on 24 (87.5%)
Status: INFECTED
Antivirus Sig version Engine Version Result
a-squared 22/11/2009 4.5.0.8 Virus.Win32.Sality!IK
Avira AntiVir 7.10.1.43 7.6.0.59 BDS/Backdoor.Gen
Avast 091121-1 4.8.1229 Win32:Agent-QNK [Trj]
AVG 270.14.76/2518 8.0.0.0 Agent2.MAN
BitDefender 22/11/2009 7.0.0.2555 Backdoor.Agent.AAFO
ClamAV 22/11/2009 0.95.1 Trojan.Downloader-69585
Comodo 2993 3.12.560 TrojWare.Win32.Trojan.Agent.~EZH
Dr.Web 22/11/2009 5.0 Trojan.DownLoad1.5719
Ewido 22/11/2009 4.0.0.2 -
F-PROT6 20091121 4.5.1.85 W32/Trojan3.ATP
G-Data 19.8942 2.0.7309.847 Trojan-Downloader.Win32.Agent.bqbt A
Ikarus T3 22/11/2009 1001074 Virus.Win32.Sality
Kaspersky 22/11/2009 8.0.0.357 Trojan-Downloader.Win32.Agent.bqbt
McAfee 21/11/2009 5.1.0.0 Generic Proxy trojan
NOD32 v3 4627 3.0.677 Win32/Agent.HLU
Norman 2009/11/03 5.92.08 Trojan W32/Horst.gen33
Panda 20/10/2009 9.5.1.00 Trj/Spammer.AND
QuickHeal 22/11/2009 10.0 Trojan.Agent.ATV
Solo Antivirus 22/11/2009 8.0 TrojanDownloader.Win32.Agent.Bqbt
Sophos 22/11/2009 4.32.0 Mal/Inet-Fam
TrendMicro 643(664300) 1.1-1001 -
VBA32 22/11/2009 3.12.0.300 Trojan-Downloader.Win32.Agent.bqbt
VirusBuster 10.113.25 1.4.3 Trojan.DL.Agent.JFCI
ZonerAntivirus 22/11/2009 0.2.0 -
Extra Information
CRC32: 1645985912
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
PDF Exploit Scan: Nothing found
HTML Exploit Scan: Nothing found
ASCII Strings: View
winmbudpk.exe :
Report Generated: 22.11.2009 at 13.39.03 (GMT 1)
Time for scan: 72 seconds
File Name: winmbudpk.exe
File Size: 16384
MD5 Hash: b75f33928dbb1dbbb5953a0eea0dfe1e
SHA1 Hash: D575D9B0E8C7C89F8B13E33822DAD9FD25AB24F5
Detection Rate: 20 on 24 (83.33%)
Status: INFECTED
Antivirus Sig version Engine Version Result
a-squared 22/11/2009 4.5.0.8 Virus.Win32.Sality!IK
Avira AntiVir 7.10.1.43 7.6.0.59 TR/Downloader.Gen
Avast 091121-1 4.8.1229 Win32:Malware-gen
AVG 270.14.76/2518 8.0.0.0 SpamTool.EII
BitDefender 22/11/2009 7.0.0.2555 Trojan.Generic.2582403
ClamAV 22/11/2009 0.95.1 Trojan.Spy-65689
Comodo 2993 3.12.560 TrojWare.Win32.PSW.Agent.nee0
Dr.Web 22/11/2009 5.0 Trojan.PWS.Sector.5
Ewido 22/11/2009 4.0.0.2 -
F-PROT6 20091121 4.5.1.85 W32/Keatep.B.gen!Eldorado
G-Data 19.8942 2.0.7309.847 Trojan-PSW.Win32.Agent.nxr A
Ikarus T3 22/11/2009 1001074 Virus.Win32.Sality
Kaspersky 22/11/2009 8.0.0.357 Trojan-PSW.Win32.Agent.nxr
McAfee 21/11/2009 5.1.0.0 Spam-Mailbot trojan
NOD32 v3 4627 3.0.677 Win32/TrojanDownloader.Sality.G
Norman 2009/11/03 5.92.08 Trojan W32/DLoader.ABHID
Panda 20/10/2009 9.5.1.00 Generic Trojan
QuickHeal 22/11/2009 10.0 Trojan.Agent.ATV
Solo Antivirus 22/11/2009 8.0 -
Sophos 22/11/2009 4.32.0 Mal/Keatep-A
TrendMicro 643(664300) 1.1-1001 -
VBA32 22/11/2009 3.12.0.300 Trojan-PSW.Win32.Agent.oie
VirusBuster 10.113.25 1.4.3 Trojan.PWS.Agent.PKQR
ZonerAntivirus 22/11/2009 0.2.0 -
Extra Information
CRC32: 1450295896
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
PDF Exploit Scan: Nothing found
HTML Exploit Scan: Nothing found
ASCII Strings: View
wphgta.exe :
Report Generated: 22.11.2009 at 13.40.20 (GMT 1)
Time for scan: 72 seconds
File Name: wphgta.exe
File Size: 7680
MD5 Hash: 547d9e620f5163c598b49fcf13422b77
SHA1 Hash: DF6E268D6BAC928B4B8070C743747B630066298A
Detection Rate: 18 on 24 (75%)
Status: INFECTED
Antivirus Sig version Engine Version Result
a-squared 22/11/2009 4.5.0.8 Virus.Win32.Sality!IK
Avira AntiVir 7.10.1.43 7.6.0.59 TR/Spy.Gen
Avast 091121-1 4.8.1229 Win32:Neptunia-ADC [Trj]
AVG 270.14.76/2518 8.0.0.0 DNSChanger.AG
BitDefender 22/11/2009 7.0.0.2555 Trojan.Generic.2642380
ClamAV 22/11/2009 0.95.1 Trojan.Agent-128412
Comodo 2993 3.12.560 TrojWare.Win32.Trojan.Agent.clss0
Dr.Web 22/11/2009 5.0 Trojan.Siggen.21376
Ewido 22/11/2009 4.0.0.2 -
F-PROT6 20091121 4.5.1.85 W32/Trojan-Sml-IWW!Eldorado
G-Data 19.8942 2.0.7309.847 Trojan.Win32.Agent.clss A
Ikarus T3 22/11/2009 1001074 Virus.Win32.Sality
Kaspersky 22/11/2009 8.0.0.357 Trojan.Win32.Agent.clss
McAfee 21/11/2009 5.1.0.0 Generic PWS.f trojan
NOD32 v3 4627 3.0.677 Win32/SpamTool.Agent.NAR
Norman 2009/11/03 5.92.08 -
Panda 20/10/2009 9.5.1.00 Trj/Downloader.MDW
QuickHeal 22/11/2009 10.0 Trojan.Agent.ATV
Solo Antivirus 22/11/2009 8.0 -
Sophos 22/11/2009 4.32.0 Mal/TinyDL-T
TrendMicro 643(664300) 1.1-1001 -
VBA32 22/11/2009 3.12.0.300 Trojan.Win32.Agent.clss
VirusBuster 10.113.25 1.4.3 -
ZonerAntivirus 22/11/2009 0.2.0 -
Extra Information
CRC32: 894198638
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
PDF Exploit Scan: Nothing found
HTML Exploit Scan: Nothing found
ASCII Strings: View
Just what I feared. You've been hit by a file infector, and in this case it's Sality. In Sality/Virut cases I have only one piece of advice: reformat.
yourallthesame
2009-11-22, 15:03
Damn. How do I reformat, and will I need a recovery disk?
Thanks!
A tutorial for reformatting can be found here (http://spyware-free.us/tutorials/reformat/). If you have used external USB storage drives with the infected system, then those have to be reformatted too, since Sality spreads through flash memory drives as well.
As a side note, I noticed you didn't have antivirus protection there. Up-to-date protection might have prevented the system from being hit this hard. I won't preach about p2p dangers again; I gave you a link about it earlier.
Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html) and
AVG Free Antivirus (http://free.grisoft.com/ww.download-avg-anti-virus-free-edition)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
It's recommended to install an antivirus program on a freshly reformatted system.
yourallthesame
2009-11-22, 15:18
Ok, thanks a whole bunch for all your help. I appreciate it. Take care!
Paul