
Thread: Virtumonde, need help!

  1. #1 Junior Member (Join Date: Aug 2008; Posts: 6)

    Virtumonde, need help!

    For the past 3 or 4 days my internet had been going on and off, but it would always show as connected, so I thought I might have a virus or something. So I installed Spybot S&D and ran the scan and got some stuff that was Virtumonde. I was so happy at that point because I thought I got rid of it and would finally be able to use the internet, but no luck. The internet still didn't work. I ran the scan again but nothing showed up. I tried again the next day and I got more Virtumonde files picked up by the scan, so it just keeps on coming back. I have tried using Spybot S&D and AVG but neither is able to completely remove the infection, so I came here. I hope someone will be able to help me!

    Here is the log file from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:51:55 PM, on 8/29/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DynDNS Updater\DynTray.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\Windows\system32\Taskmgr.exe
    C:\Windows\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\Program Files\AVG\AVG8\avgscanx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6A811C6D-6E8E-4493-AD5C-16C082ABC747} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {8B6E45C1-FF1C-48D5-80BF-1AF56BE1B1BB} - (no file)
    O2 - BHO: (no name) - {8EB8B0AE-B706-419A-A5D6-E39C5E888AE8} - (no file)
    O2 - BHO: (no name) - {9BC896DC-6B85-47D8-B17A-1B06885F3557} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BC868FB8-2AE4-493B-94F7-D5C3FF537ABF} - C:\Windows\system32\fcccAqnm.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: (no name) - {DD4A967A-4118-4C29-B14D-3BF2FCC61EF4} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [BM996a6d7b] Rundll32.exe "C:\Windows\system32\bdnhcyyt.dll",s
    O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Global Startup: BOINC System Tray.lnk = C:\Windows\boinctray.exe
    O4 - Global Startup: DynDNS Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://www.cchs.net/onlinelearning/...s7/awswaxd.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E98B2F9B-0B31-4490-802B-98347199046A}: NameServer = 192.168.0.1,192.168.1.1
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll oqwinn.dll tiotbc.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
    O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
    O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
    O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
    O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 6251 bytes
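As an added illustration of what the HijackThis log above is showing (this is not code from the original post or from any tool named in the thread): a small triage script that flags the entries which point at the Virtumonde infection, namely the injected user proxy (R1 ProxyServer), unnamed BHOs loading DLLs from system32 (O2), the rundll32 autostart of a random-named DLL (O4), and unknown AppInit_DLLs (O20). The allowlist of AppInit_DLLs and the severity heuristics are assumptions; the sample lines are copied from the log above.

```python
"""Triage a HijackThis log for the indicators that typically mark a
Virtumonde/Vundo infection.  Heuristic, defensive use only: it reads
the log text and reports which entries deserve a closer look.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, HJT section, explanation)

# DLLs that legitimately appear in AppInit_DLLs on this kind of machine.
# The AVG entry is taken from the posted log; the allowlist itself is an
# assumption to be tuned per environment, not a complete list.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}

# Sample lines constructed from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BC868FB8-2AE4-493B-94F7-D5C3FF537ABF} - C:\Windows\system32\fcccAqnm.dll
O2 - BHO: (no name) - {DD4A967A-4118-4C29-B14D-3BF2FCC61EF4} - (no file)
O4 - HKLM\..\Run: [BM996a6d7b] Rundll32.exe "C:\Windows\system32\bdnhcyyt.dll",s
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O20 - AppInit_DLLs: avgrsstx.dll oqwinn.dll tiotbc.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# "R1 - <body>" / "O20 - <body>": the section tag, then the entry text.
_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A DLL living directly in %SystemRoot%\system32 (where Vundo drops its files).
_SYSTEM32_DLL = re.compile(r'\\windows\\system32\\([^\\\s"]+\.dll)', re.IGNORECASE)
# rundll32 "<dll>",<export>  -- Vundo's Run entries use a one-letter export.
_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w*)', re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order; each is (severity, section, why)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section in ("R0", "R1") and "ProxyServer" in body:
            # A proxy the user never configured means every HTTP request is
            # being redirected; this also explains "connected but no web".
            _, _, value = body.partition("=")
            if value.strip():
                findings.append(("HIGH", section,
                                 f"user proxy set to {value.strip()}; traffic is being redirected"))

        elif section == "O2" and body.startswith("BHO: (no name)"):
            if body.endswith("(no file)"):
                # Registration survived but the DLL is gone: cleanup item only.
                findings.append(("LOW", section, f"orphaned BHO entry: {body}"))
            elif _SYSTEM32_DLL.search(body):
                findings.append(("HIGH", section,
                                 f"unnamed BHO loading a DLL from system32: {body}"))

        elif section == "O4":
            rd = _RUNDLL.search(body)
            if rd and _SYSTEM32_DLL.search(rd.group(1)):
                findings.append(("HIGH", section,
                                 f"rundll32 autostart of {rd.group(1)} export '{rd.group(2)}'"))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is mapped into every process that loads user32.
            for dll in body.split(":", 1)[1].split():
                if dll.lower() not in KNOWN_APPINIT_DLLS:
                    findings.append(("HIGH", section,
                                     f"unknown AppInit_DLLs entry {dll} injected into every process"))
    return findings


if __name__ == "__main__":
    for severity, section, why in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {why}")
```

Run on the sample it reports five HIGH findings and one LOW one; feeding it a full log simply means passing the whole file's text to `triage`.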

  2. #2 pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    This can be a tough infection to remove and that is compounded by the fact that many tools will not run on Vista. I can only promise to do my best.

    1) I do not see TeaTimer running; we need it disabled if it is.
    First we need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    2) Remove any old copies of combofix before you proceed.

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop.

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Post the combofix log and a new HJT log.

    Tutorial
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3 Junior Member (Join Date: Aug 2008; Posts: 6)

    I tried

    I tried to follow the tutorial that you provided a link to, but when I run ComboFix here is what it says:

    Please wait.
    ComboFix is preparing to run.
    1 file<s> moved.
    2008-08-30 was unexpected at this time.

    One thing I don't understand about this is that it isn't even August 30, it is the 31st. Then it just doesn't do anything. In the tutorial, it says to drag a file onto the ComboFix icon, but that file is for XP. Is there a file for Vista that I would have to drag onto the icon, because I am just double-clicking on the ComboFix icon directly? And right now I had to use the Virtual PC app to use my virtual PC to access the internet, because most web pages just won't load, including the one with the tutorial. Thanks for your help.

  4. #4 pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    If your clock is not set to the correct time, set it.

    The tutorial is important in the overall instructions, but most important is this:

    Make sure you are running combofix as administrator since this is Vista, then follow these directions.

    It is important that it is saved directly to your Desktop.

    Download ComboFix from Here to your Desktop
    Double click combofix.exe and follow the prompts.
    When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Post the combofix log and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5 Junior Member (Join Date: Aug 2008; Posts: 6)

    I still keep on getting the same error. I made sure the time was right by synchronizing with time.microsoft.com. The user account I am using is the only user account I have on the system, and it is an administrator account. I have ComboFix on the desktop and I tried double-clicking on it and right-clicking and selecting "Run as administrator", but with the same result. If you want, I will let you remote control my computer using a program called TeamViewer so that you can see exactly what is happening and show me what I am doing wrong, because I can't seem to find any errors in what I am doing. If you would like to do this then email me at and I will give you the information you would need to access my computer, or else we will just continue our communication on this forum. Thanks again!
    Last edited by pskelley; 2008-09-01 at 13:16. Reason: remove the active email addy

  6. #6 Junior Member (Join Date: Aug 2008; Posts: 6)

    Just disregard my last reply; it finally worked, although I didn't do anything different this time. Well, anyway, here is the ComboFix log:

    ComboFix 08-08-30.03 - Owner 2008-09-01 0:18:25.1 - NTFSx86
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1307 [GMT -4:00]
    Running from: C:\Users\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\bin.clearspring.com
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\bin.clearspring.com\clearspring.sol
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\interclick.com
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3DDNFZLT\interclick.com\ud.sol
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Users\Owner\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Windows\system32\bdnhcyyt.dll
    C:\Windows\system32\hkwoegrg.dll
    C:\Windows\System32\Jmnmonpo.ini
    C:\Windows\System32\Jmnmonpo.ini2
    C:\Windows\system32\jxibvjqa.dll
    C:\Windows\system32\mdgommeq.dll
    C:\Windows\system32\mnqAcccf.ini
    C:\Windows\System32\mnqAcccf.ini2
    C:\Windows\system32\nvlhgcgs.dll
    C:\Windows\System32\nWvCJSBc.ini
    C:\Windows\System32\nWvCJSBc.ini2
    C:\Windows\system32\oqwinn.dll
    C:\Windows\System32\phifqpbo.ini
    C:\Windows\system32\qemmogdm.ini
    C:\Windows\system32\rehmmipu.exe
    C:\Windows\system32\sgcghlvn.ini
    C:\Windows\system32\tiotbc.dll
    C:\Windows\System32\twwvyGgh.ini
    C:\Windows\System32\twwvyGgh.ini2
    C:\Windows\System32\ueolbkhj.ini
    C:\Windows\system32\uhpnxphf.dll
    C:\Windows\System32\vseysakc.ini
    C:\Windows\System32\vulqaged.ini
    C:\Windows\System32\vxmalilg.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
    .

    2008-08-28 23:24 . 2008-08-28 23:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-28 19:30 . 2008-08-28 19:30 93,696 --------- C:\Windows\System32\lsrmiavt.cay
    2008-08-28 15:50 . 2008-08-28 15:50 <DIR> d-------- C:\Users\All Users\CrypKey
    2008-08-28 15:50 . 2008-08-28 15:50 <DIR> d-------- C:\ProgramData\CrypKey
    2008-08-28 15:50 . 2008-08-28 16:04 2,240 --a------ C:\Windows\System32\esnecil.nlp
    2008-08-28 15:50 . 2008-08-28 18:39 2,240 --a------ C:\Windows\System32\esnecil.ind
    2008-08-28 15:50 . 2008-08-28 18:39 4 --a------ C:\Windows\vx86036.dat
    2008-08-28 15:44 . 2008-08-28 15:44 <DIR> d-------- C:\Program Files\VW
    2008-08-28 15:43 . 2008-08-28 15:43 <DIR> d-------- C:\Users\All Users\InstallShield
    2008-08-28 15:43 . 2008-08-28 15:43 <DIR> d-------- C:\ProgramData\InstallShield
    2008-08-28 15:42 . 1999-06-18 17:49 165,888 --a------ C:\Windows\Ckconfig.exe
    2008-08-28 15:42 . 2007-03-14 19:56 122,880 --a------ C:\Windows\System32\Crypserv.exe
    2008-08-28 15:42 . 2006-01-09 22:47 31,846 --a------ C:\Windows\System32\Ckldrv.sys
    2008-08-28 15:42 . 1996-05-03 13:21 27,648 -ra------ C:\Windows\Setup_ck.exe
    2008-08-28 15:42 . 1996-05-03 11:36 18,432 --a------ C:\Windows\Setup_ck.dll
    2008-08-28 15:42 . 1995-07-04 14:33 11,776 --a------ C:\Windows\Ckrfresh.exe
    2008-08-28 15:42 . 2008-08-28 15:42 46 --a------ C:\Windows\Crypkey.ini
    2008-08-28 15:41 . 2008-08-28 18:39 <DIR> d-------- C:\Program Files\ZoomText 9.1
    2008-08-28 15:40 . 2008-02-25 14:18 122,880 --a------ C:\Windows\System32\Zosf.dll
    2008-08-28 15:40 . 2008-02-25 14:18 86,016 --a------ C:\Windows\System32\Ai2XOR.dll
    2008-08-27 16:14 . 2008-08-27 16:14 <DIR> d-------- C:\Users\Owner\dwhelper
    2008-08-26 19:36 . 2008-08-26 19:36 91 --a------ C:\Windows\wininit.ini
    2008-08-26 19:09 . 2008-08-26 19:21 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
    2008-08-26 19:09 . 2008-08-26 19:21 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
    2008-08-26 19:09 . 2008-08-26 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-26 19:07 . 2008-08-26 19:07 <DIR> d-------- C:\VundoFix Backups
    2008-08-26 18:38 . 2008-08-26 18:38 33,832 --a------ C:\Windows\System32\ayzqnwqd.exe
    2008-08-26 16:37 . 2008-08-26 16:37 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-08-24 14:38 . 2008-08-24 14:38 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Template
    2008-08-24 14:38 . 2008-08-24 18:43 120 --a------ C:\Users\Owner\AppData\Roaming\wklnhst.dat
    2008-08-22 18:55 . 2008-08-22 18:55 0 --a------ C:\Windows\System32\Setup_ver1.1645.0
    2008-08-22 14:20 . 2008-07-19 01:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
    2008-08-22 14:20 . 2008-07-18 23:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
    2008-08-22 14:20 . 2008-07-19 01:09 563,912 --a------ C:\Windows\System32\wuapi.dll
    2008-08-22 14:20 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
    2008-08-22 14:20 . 2008-07-18 23:44 83,456 --a------ C:\Windows\System32\wudriver.dll
    2008-08-22 14:20 . 2008-07-19 01:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
    2008-08-22 14:20 . 2008-07-19 01:10 45,768 --a------ C:\Windows\System32\wups2.dll
    2008-08-22 14:20 . 2008-07-19 01:10 36,552 --a------ C:\Windows\System32\wups.dll
    2008-08-22 14:20 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
    2008-08-21 23:55 . 2008-08-21 23:55 <DIR> d-------- C:\Users\Owner\AppData\Roaming\WNR
    2008-08-21 17:49 . 2008-08-21 17:49 <DIR> d-------- C:\Program Files\Zoo Digital Publishing
    2008-08-21 12:19 . 2008-08-21 12:22 <DIR> d-------- C:\Capitalism II
    2008-08-18 23:11 . 2008-08-18 23:00 2,552,676 --a------ C:\Users\Public\firenet3_win.zip
    2008-08-18 23:06 . 2008-08-18 23:12 <DIR> d-------- C:\Program Files\Unibrain
    2008-08-18 23:04 . 2008-08-18 23:00 22,500,695 --a------ C:\Users\Public\ubCorePro32_080808.exe
    2008-08-16 21:48 . 2008-08-16 21:48 <DIR> d-------- C:\Program Files\Cornelsen
    2008-08-15 13:35 . 2008-08-15 13:35 <DIR> d-------- C:\Users\All Users\TEMP
    2008-08-15 13:35 . 2008-08-15 13:35 <DIR> d-------- C:\ProgramData\TEMP
    2008-08-15 13:33 . 2008-08-20 20:57 <DIR> d-------- C:\Program Files\Badaboom
    2008-08-14 00:58 . 2008-08-14 00:58 <DIR> d-------- C:\Users\Public\DVD2
    2008-08-13 23:17 . 2008-08-13 23:17 <DIR> d-------- C:\Users\Owner\AppData\Roaming\LEAPS
    2008-08-13 23:14 . 2008-08-13 23:14 <DIR> d-------- C:\Program Files\Pegasys Inc
    2008-08-13 14:43 . 2008-08-13 14:43 <DIR> d-------- C:\Windows\System32\URTTEMP
    2008-08-13 14:40 . 2008-08-13 14:40 <DIR> d-------- C:\Program Files\Sonic
    2008-08-13 14:36 . 2008-08-13 14:36 <DIR> d-------- C:\Users\Owner\dvd4
    2008-08-13 14:31 . 2008-08-13 14:31 <DIR> d-------- C:\Users\Owner\dvd3
    2008-08-13 14:29 . 2008-08-13 14:29 <DIR> d-------- C:\Users\Owner\dvd1
    2008-08-13 14:17 . 2008-08-13 14:17 <DIR> d-------- C:\Users\Owner\.thumb
    2008-08-13 13:56 . 2008-08-13 13:56 107 --a------ C:\Windows\IfoEdit.INI
    2008-08-13 13:21 . 2008-08-13 16:34 <DIR> d-------- C:\Projects
    2008-08-13 13:18 . 2008-08-14 13:42 <DIR> d-------- C:\Program Files\DVDlabPro2
    2008-08-13 10:51 . 2008-08-25 18:56 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Folding@home-gpu
    2008-08-13 10:51 . 2008-08-13 10:51 <DIR> d-------- C:\Program Files\Folding@home
    2008-08-13 10:38 . 2008-08-13 10:17 7,937,396 --a------ C:\Users\Public\Badaboom_v0.9.exe
    2008-08-12 23:42 . 2008-08-12 23:42 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Pegasys Inc
    2008-08-12 23:34 . 2008-08-12 23:32 145,504 --a------ C:\Windows\System32\bgsvcgen.exe
    2008-08-12 23:34 . 2008-08-12 23:32 59,488 --a------ C:\Windows\System32\GenSvcInst.exe
    2008-08-12 23:34 . 2008-08-12 23:32 33,408 --a------ C:\Windows\System32\drivers\CDRBSDRV.SYS
    2008-08-12 23:30 . 2008-08-13 21:44 104 --a------ C:\Windows\Muxman.ini
    2008-08-12 22:59 . 2008-08-14 12:13 <DIR> d-------- C:\Program Files\Super_DVD_Creator_9.8
    2008-08-12 15:46 . 2008-08-12 15:46 <DIR> d-------- C:\Windows\System32\AGEIA
    2008-08-12 15:46 . 2008-08-12 15:46 <DIR> d-------- C:\Program Files\AGEIA Technologies
    2008-08-12 15:45 . 2008-08-12 15:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-12 15:08 . 2008-08-12 15:51 <DIR> d-------- C:\Users\Public\Sid & Krishna
    2008-08-12 14:12 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
    2008-08-12 14:01 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
    2008-08-12 14:01 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
    2008-08-12 14:01 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
    2008-08-12 14:01 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
    2008-08-12 13:59 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
    2008-08-12 13:56 . 2008-08-12 13:56 <DIR> d-------- C:\Users\All Users\Ahead
    2008-08-12 13:56 . 2008-08-12 13:56 <DIR> d-------- C:\ProgramData\Ahead
    2008-08-10 20:33 . 2008-08-10 20:33 0 --a------ C:\Users\Owner\jagex_runescape_preferences.dat
    2008-08-10 20:09 . 2008-08-10 20:09 <DIR> d-------- C:\Windows\.jagex_cache_32
    2008-08-07 16:14 . 2008-08-07 16:14 647,168 --a------ C:\Windows\System32\FireiX.dll
    2008-08-06 17:23 . 2008-08-06 17:23 393,216 --a------ C:\Windows\System32\CFiCamera.dll
    2008-08-06 17:21 . 2008-08-06 17:21 1,482,752 --a------ C:\Windows\System32\ubShared.dll
    2008-08-06 17:21 . 2008-08-06 17:21 253,952 --a------ C:\Windows\System32\FiCommon.dll
    2008-08-06 17:17 . 2008-08-06 17:17 692,224 --a------ C:\Windows\System32\ubUI.dll
    2008-08-06 15:59 . 2008-08-06 15:59 1,130,496 --a------ C:\Windows\System32\UB1394.dll
    2008-08-06 15:34 . 2008-08-06 15:34 233,472 --a------ C:\Windows\System32\ubVideo.dll
    2008-08-06 13:53 . 2008-08-06 13:53 39,424 --a------ C:\Windows\System32\drivers\UBUMAPI.sys
    2008-08-06 13:52 . 2008-08-06 13:52 100,352 --a------ C:\Windows\System32\drivers\UB1394.sys
    2008-08-06 13:52 . 2008-08-06 13:52 17,408 --a------ C:\Windows\System32\drivers\UBSBM.sys
    2008-08-06 13:48 . 2008-08-06 13:48 114,688 --a------ C:\Windows\System32\drivers\ubohci.sys
    2008-08-06 08:26 . 2008-08-06 08:26 124,928 --a------ C:\Windows\System32\drivers\Rtlh86.sys
    2008-08-06 08:26 . 2008-08-06 08:26 9,728 --a------ C:\Windows\System32\RtNicProp32.dll
    2008-08-01 11:05 . 2008-08-01 11:05 70,936 --a------ C:\Windows\System32\PhysXLoader.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-01 03:06 --------- d-----w C:\Users\Owner\AppData\Roaming\Free Download Manager
    2008-08-31 20:16 --------- d-----w C:\Program Files\BOINC
    2008-08-31 03:47 --------- d-----w C:\Users\Owner\AppData\Roaming\uTorrent
    2008-08-30 02:02 --------- d-----w C:\Users\Owner\AppData\Roaming\Any Video Converter
    2008-08-30 02:02 --------- d-----w C:\Program Files\Any Video Converter
    2008-08-28 19:56 97,928 ----a-w C:\Windows\system32\drivers\avgldx86.sys
    2008-08-28 19:46 --------- d-----w C:\Program Files\Trillian
    2008-08-28 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-28 19:43 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-08-24 18:36 --------- d-----w C:\Program Files\Microsoft Works
    2008-08-19 03:16 --------- d-----w C:\ProgramData\NVIDIA
    2008-08-19 03:15 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-08-16 15:30 --------- d-----w C:\Users\Owner\AppData\Roaming\Apple Computer
    2008-08-14 17:48 --------- d-----w C:\Users\Owner\AppData\Roaming\OpenOffice.org2
    2008-08-14 17:42 --------- d-----w C:\Program Files\Google
    2008-08-14 17:41 --------- d-----w C:\Program Files\Coupons
    2008-08-14 14:53 --------- d-----w C:\Users\Owner\AppData\Roaming\dvdcss
    2008-08-13 14:43 --------- d-----w C:\Program Files\Windows Mail
    2008-08-12 19:06 --------- d-----w C:\Users\Owner\AppData\Roaming\Download Manager
    2008-08-12 18:13 --------- d-----w C:\ProgramData\Microsoft Help
    2008-08-12 17:56 --------- d-----w C:\Users\Owner\AppData\Roaming\Ahead
    2008-08-02 16:20 7,314,528 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
    2008-07-31 01:19 --------- d-----w C:\Program Files\Java
    2008-07-29 03:25 --------- d-----w C:\ProgramData\Apple Computer
    2008-07-29 03:25 --------- d-----w C:\Program Files\QuickTime
    2008-07-29 03:25 --------- d-----w C:\Program Files\iTunes
    2008-07-29 03:25 --------- d-----w C:\Program Files\iPod
    2008-07-29 03:24 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-29 03:23 --------- d-----w C:\ProgramData\Apple
    2008-07-29 03:23 --------- d-----w C:\Program Files\Common Files\Apple
    2008-07-26 16:22 --------- d-----w C:\Program Files\DiskTrix
    2008-07-26 15:16 --------- d-----w C:\Program Files\PConPoint
    2008-07-21 18:41 --------- d-----w C:\Users\Owner\AppData\Roaming\Atari
    2008-07-21 17:14 --------- d-----w C:\Users\Owner\AppData\Roaming\Leadertech
    2008-07-21 17:14 --------- d-----w C:\Program Files\Common Files\PocketSoft
    2008-07-21 17:11 --------- d-----w C:\Program Files\Atari
    2008-07-20 22:58 --------- d-----w C:\Program Files\FreeRIP3
    2008-07-19 02:11 --------- d-----w C:\ProgramData\FreeRIP
    2008-07-14 03:50 --------- d-----w C:\ProgramData\DFX
    2008-07-10 03:35 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-07-07 19:33 --------- d-----w C:\Users\Owner\AppData\Roaming\ImgBurn
    2008-07-07 19:09 --------- d-----w C:\Program Files\Opera
    2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-04-16 22:13 174 --sha-w C:\Program Files\desktop.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BOINC Manager.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BOINC Manager.lnk
    backup=C:\Windows\pss\BOINC Manager.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BOINC System Tray.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BOINC System Tray.lnk
    backup=C:\Windows\pss\BOINC System Tray.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DynDNS Updater Tray Icon.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DynDNS Updater Tray Icon.lnk
    backup=C:\Windows\pss\DynDNS Updater Tray Icon.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
    backup=C:\Windows\pss\Run Google Web Accelerator.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
    backupExtension=.Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9a595ee7
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yodm3D

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
    --a------ 2007-12-22 03:20 222080 C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-07-10 09:47 116040 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    --a------ 2008-04-01 05:39 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    --a------ 2008-01-19 03:33 125952 C:\Windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    --a------ 2008-01-19 03:33 1233920 C:\Program Files\Windows Sidebar\sidebar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD]
    -rahs---- 2008-07-07 09:42 4891472 C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2008-04-11 23:48 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
    --a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "BM996a6d7b"=Rundll32.exe "C:\Windows\system32\bdnhcyyt.dll",s
    "9a595ee7"=rundll32.exe "C:\Windows\system32\obpqfihp.dll",b

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{CD64D2D4-93F2-4318-BDCC-601A8B4544A5}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{7E28A8E6-2F35-4A71-B5C3-3D58EED75E62}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
    "{CCF40B32-7C52-4752-B472-4E4EE2F59D9A}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
    "{DC473CFF-5769-4F26-9049-3C3C8540AE35}"= UDP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
    "{0B89A884-778D-4014-82D9-9C851D96B0DA}"= TCP:C:\Windows\System32\lxbkcoms.exe:Lexmark Communications System
    "{0783D837-0366-43FD-A798-5ACA815C64F0}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
    "{11A73F3D-7827-453D-93D9-DCF1C23A5443}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
    "{5F99581A-D182-4EC5-877C-491F6E045BC3}"= UDP:3388:Remote1
    "{FDCE5609-0199-42AA-A9B2-473C86A930D1}"= TCP:3388:Remote2
    "{2518543C-0EF2-4B76-9577-D609427AE2B8}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
    "{75DECBF9-F993-4CB4-90A3-77DB6EB87A2B}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
    "TCP Query User{80617137-2AE9-4AD5-802E-4D6BF36663CC}C:\\program files\\videolan\\vlc\\vlc.exe"= UDP:C:\program files\videolan\vlc\vlc.exe:VLC media player
    "UDP Query User{0B4E6D2B-E457-4FE7-953F-B49EC48EA2C3}C:\\program files\\videolan\\vlc\\vlc.exe"= TCP:C:\program files\videolan\vlc\vlc.exe:VLC media player
    "{47580A17-9798-4659-A7D1-5009C5E50E00}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
    "TCP Query User{2E09C2A0-9D01-4D97-B1C1-C2FF3B32BDE7}C:\\program files\\trillian\\trillian.exe"= UDP:C:\program files\trillian\trillian.exe:Trillian
    "UDP Query User{C9D24377-E0D8-4491-AB83-B45AECDBE992}C:\\program files\\trillian\\trillian.exe"= TCP:C:\program files\trillian\trillian.exe:Trillian
    "{0269879B-E4BA-4717-9011-1804FAE0A0A8}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{4BD4AAF2-F92D-4048-8250-67A007120672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{11D06650-4A0B-4A02-AD54-E49ECB91CF09}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{F26BF8DA-1937-4F0F-8988-4FA6EF1242AE}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{EBC38C1A-1DAE-4C8F-8C2E-763F61CD6E01}"= UDP:1111:uTorrent
    "{8EBFDA2C-CFA3-4DB7-85A3-8EFF5823B9D5}"= TCP:1111:uTorrent
    "TCP Query User{07303089-A745-494F-B855-B1E6C9EC56DD}C:\\program files\\opera\\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser
    "UDP Query User{5EE7B230-24C7-43E2-A239-5292D1554EE4}C:\\program files\\opera\\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser
    "{195BEE22-C78A-4148-9109-6D553CDBFD39}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
    "{3256AA87-2305-4381-AFDA-E11B4ED2E833}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
    "{137FBA08-E403-4BD5-B17E-FDD66CC36ABD}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{1DBFBFF2-F86A-4590-AFC3-A76981A54339}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{EC04B904-08B6-41F5-8908-B96FF8C7F7C8}"= UDP:9420:Red Swoosh
    "{F8C6F8AA-B28D-44DA-AA71-0F0F8E6337C3}"= TCP:5000:Red Swoosh
    "TCP Query User{D85F165A-C7C3-454A-B4DD-5D5930564260}C:\\capitalism ii\\cap2.exe"= UDP:C:\capitalism ii\cap2.exe:cap2
    "UDP Query User{AFC90AF3-3BAE-4F80-A46E-55FE626B5BBC}C:\\capitalism ii\\cap2.exe"= TCP:C:\capitalism ii\cap2.exe:cap2
    "{F158E2D6-0580-4C92-823A-DF8C98356F62}"= UDP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
    "{F2B55368-CEDE-4BF7-8263-3E2C279ECD17}"= TCP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
    "{4EE3B194-A907-4BAD-BB9E-BDB791CDDE46}"= UDP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
    "{336C7B72-A41D-4355-9E34-36264180DEB3}"= TCP:C:\Program Files\ZoomText 9.1\Zt.exe:ZoomText 9.1
    "TCP Query User{31A4C956-BF96-44EB-B31B-6D20D774C230}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{C84FC2A3-743E-4BCC-AA10-98CE2791B524}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)
    "DoNotAllowExceptions"= 0 (0x0)

    R1 Ai2sXP;Ai2sXP;C:\Windows\system32\drivers\Ai2sXP.sys [2008-02-25 13:54]
    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-08-28 15:56]
    R2 DynDNS Updater;DynDNS Updater;C:\Program Files\DynDNS Updater\DynUpSvc.exe [2008-04-23 12:57]
    R2 lxbk_device;lxbk_device;C:\Windows\system32\lxbkcoms.exe [2008-02-19 09:12]
    R2 ubsbm;Unibrain 1394 SBM Driver;C:\Windows\system32\DRIVERS\ubsbm.sys [2008-08-06 13:52]
    R2 ubumapi;Unibrain 1394 FireAPI Driver;C:\Windows\system32\DRIVERS\ubumapi.sys [2008-08-06 13:53]
    R3 Ai2Mmpd;Ai2Mmpd;C:\Windows\system32\DRIVERS\Ai2Mmpd.sys [2008-02-25 13:54]
    R3 ubohci;Unibrain 1394 OHCI Driver;C:\Windows\system32\DRIVERS\ubohci.sys [2008-08-06 13:48]
    S2 BOINC;BOINC;C:\Program Files\BOINC\boinc.exe [2008-03-04 14:00]
    S2 Parclass;Parclass;C:\Windows\system32\Drivers\Parclass.sys [2003-02-10 14:30]
    S3 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 15:56]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 18:39]
    S4 msvsmon90;Visual Studio 2008 Remote Debugger;C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 08:58]
    S4 TeamViewer;TeamViewer 3;C:\Program Files\TeamViewer3\TeamViewer_Host.exe [2008-05-15 09:17]
    S4 ZoomText Helper Service;ZoomText Helper Service;C:\Program Files\ZoomText 9.1\ZoomTextHelperService.exe [2008-02-25 14:07]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93d1c94f-2c44-11dd-89b8-001a4d548aae}]
    \shell\AutoRun\command - H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f6acdfd-08f6-11dd-a428-001a4d548aae}]
    \shell\AutoRun\command - E:\Capinst.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f484be-0739-11dd-9db8-001a4d548aae}]
    \shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
    %SystemRoot%\system32\soundschemes.exe /AddRegistration
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-01 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{3A8D0A97-79A8-4155-B346-13E0D06FABA1} - C:\Windows\system32\fcccAqnm.dll
    HKLM-Run-BM996a6d7b - C:\Windows\system32\uhpnxphf.dll
    MSConfigStartUp-BM996a6d7b - C:\Windows\system32\uhpnxphf.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\1c49wcx2.default\
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.1.0.30401.0.dll
    FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\np32asw.dll
    FF -: plugin - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\1c49wcx2.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
    FF -: plugin - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-01 00:30:47
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Windows\System32\nvvsvc.exe
    C:\Windows\System32\audiodg.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Windows\System32\VSSVC.exe
    C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
    C:\Windows\System32\iashost.exe
    C:\Program Files\ZoomText 9.1\ZtUac.exe
    C:\Windows\System32\wbem\unsecapp.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\dllhost.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-01 0:37:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-01 04:37:22

    Pre-Run: 26,217,922,560 bytes free
    Post-Run: 25,553,182,720 bytes free

    364 --- E O F --- 2008-08-26 21:21:41

    and the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:38, on 2008-09-01
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ZoomText 9.1\ZtUac.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O13 - Gopher Prefix:
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://www.cchs.net/onlinelearning/...s7/awswaxd.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E98B2F9B-0B31-4490-802B-98347199046A}: NameServer = 192.168.0.1,192.168.1.1
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
    O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
    O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
    O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
    O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 5277 bytes



    Hope this helps and I am so glad it worked this time! Thanks again!

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Not a good idea to post your email addy, spambots look for those.

    Thanks for returning your information, follow the directions carefully:

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Run DISK CLEANUP: ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP

    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.

    Let me know how the computer is running now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
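    As an added example (not code from the thread, from HijackThis or from the helper), a small Python triage script that parses HijackThis R/O lines like the ones in the logs above and surfaces the entries a reviewer checks first: the two empty Local Page values that pskelley asked to have fixed, a non-empty ProxyServer setting, and any O2/O4 entry that loads an 8-letter DLL straight from System32. The flag rules are my own heuristics (they mark lines to look at, not lines that are malicious); the sample R/O lines are copied from the log posted above, and the O2 line naming fcccAqnm.dll is constructed from the orphaned BHO path in the ComboFix log so the third rule has something to match.

```python
"""Triage helper for HijackThis-style logs.

Added example, not code from the thread or from HijackThis. The flag rules are
my own heuristics (an assumption): they pick lines a reviewer should look at
first; they do not decide that a line is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis entry: section code (R0, O2, O23, ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Heuristic: an 8-letter DLL sitting directly in System32, like the names in
# the ComboFix quarantine list earlier in the thread. A prompt to look, not proof.
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll\b", re.IGNORECASE)

# Sample log: the R/O lines are copied from the HijackThis log posted above;
# the O2 line with fcccAqnm.dll is constructed from the orphaned BHO path in
# the ComboFix log so that the third rule has something to hit.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\taskeng.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {3A8D0A97-79A8-4155-B346-13E0D06FABA1} - C:\Windows\system32\fcccAqnm.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


@dataclass
class HjtEntry:
    code: str             # "R0", "O2", "O23", ...
    body: str             # text after "R0 - "
    key: Optional[str]    # R0/R1 only: "hive\path,value name"
    value: Optional[str]  # R0/R1 only: the data; "" when the line ends in " ="


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the R/O lines of a HijackThis log; header and process lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        key = value = None
        if code in ("R0", "R1"):
            if " = " in body:
                key, _, value = body.partition(" = ")
            elif body.endswith(" ="):      # value name present, data empty
                key, value = body[:-2], ""
        entries.append(HjtEntry(code, body, key, value))
    return entries


def triage(entries: List[HjtEntry]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for the entries a reviewer should check first."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        line = f"{e.code} - {e.body}"
        if e.value == "":
            findings.append(("empty registry value (helper had these fixed)", line))
        elif e.key and e.key.endswith("ProxyServer") and e.value:
            findings.append(("browser proxy configured; confirm it is intended", line))
        if e.code in ("O2", "O4") and RANDOM_SYS32_DLL.search(e.body):
            findings.append(("8-letter DLL loaded from System32", line))
    return findings


def triage_sample() -> List[Tuple[str, str]]:
    """Run the rules over the embedded sample log."""
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for reason, line in triage_sample():
        print(f"[{reason}] {line}")
```

    On the sample it reports the two empty Local Page entries, the ProxyServer line and the constructed O2 line; everything else (start page, ProxyOverride, the Spybot BHO, the AVG service) passes through untouched, which is the point of a triage pass: shorten the list a human has to read, not replace the human.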

  8. #8
    Junior Member
    Join Date
    Aug 2008
    Posts
    6

    The computer seems to be running better now since the internet is no longer being blocked. Here are the log files:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:14, on 2008-09-01
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\ZoomText 9.1\ZtUac.exe
    C:\Program Files\ZoomText 9.1\ZtUac.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.94.23.113:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O13 - Gopher Prefix:
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - https://www.cchs.net/onlinelearning/...s7/awswaxd.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
    O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
    O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
    O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
    O23 - Service: DynDNS Updater - Unknown owner - C:\Program Files\DynDNS Updater\DynUpSvc.exe
    O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 5079 bytes




    Malwarebytes' Anti-Malware 1.25
    Database version: 1103
    Windows 6.0.6001 Service Pack 1

    13:12:52 2008-09-01
    mbam-log-09-01-2008 (13-12-52).txt

    Scan type: Full Scan (C:\|F:\|)
    Objects scanned: 305827
    Time elapsed: 1 hour(s), 35 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\QooBox\Quarantine\C\Windows\System32\bdnhcyyt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\hkwoegrg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\jxibvjqa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\mdgommeq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\nvlhgcgs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\oqwinn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\rehmmipu.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\tiotbc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Windows\System32\uhpnxphf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Windows\System32\lsrmiavt.cay (Trojan.Vundo) -> Quarantined and deleted successfully.


    Thanks again!

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Thanks for returning your information and the feedback. The junk MBAM found is in the combofix quarantine, except for the last item, and it will go with combofix.

    Remove combofix from the computer like this:

    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U; it needs to be there.



    I am not seeing AVG 8 in Running Processes. Do you have it turned off or something? You must have a real-time antivirus program running.

    Have a look at this tutorial a friend sent me in case you can benefit from it.
    How to Install Free version AVG 8.0 without LinkScanner feature
    http://russelltexas.com/tutorials/avg8install.htm

    What I would like you to do at this point, is make sure AVG 8 is updated and run a system scan, remove what it finds and let me know how the computer is running at that point.

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Aug 2008
    Posts
    6

    I had turned off AVG when I ran ComboFix and then forgot to turn it back on. Thanks for reminding me. I ran the scan and it found some tracking cookies. The computer is working fine now. Thanks for all your help!
