Hiya
Okay let's see what we have there. Please post a fresh HijackThis log...
Here's the log after a fresh boot.
-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:05 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\games\steam\steam.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5544 bytes
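As an added illustration of how a helper reads a HijackThis log like the one above (example code, not part of this thread and not HijackThis's own tooling), the Python script below parses the entry lines and flags the patterns that routinely get a second look: a BHO with no backing file, a Winlogon Notify entry that does not name a DLL, a service whose binary is missing, and a startup shortcut HijackThis could not resolve. The sample lines are copied from the log above; the triage rules are this example's own heuristics, not output of HijackThis.

```python
import re

# Sample entries copied from the HijackThis log posted above (a constructed subset;
# backslashes are doubled only for Python string syntax).
SAMPLE_LOG = [
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\Spybot\\SDHelper.dll",
    "O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)",
    "O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe",
    "O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?",
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: tuvuuss - C:\\WINDOWS\\",
    "O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe (file missing)",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
]

# HijackThis entry lines begin with a section code (R0, R1, O2, O4, O20, O23, ...)
# followed by " - " and the entry body; process listings and headers do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def parse_entries(lines):
    """Return (section, body) tuples for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _last_field(body):
    """The final ' - ' separated field, which for O2/O20/O23 entries is the file path."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(entries):
    """Apply review heuristics (this example's own, not HijackThis's) and return findings."""
    findings = []
    for section, body in entries:
        reason = None
        target = _last_field(body)
        if section == "O2" and target == "(no file)":
            reason = "BHO registered with no backing file (orphaned or hidden component)"
        elif section == "O20" and not target.lower().endswith(".dll"):
            # Winlogon Notify packages are DLLs; a bare directory cannot be a legitimate handler
            reason = "Winlogon Notify entry does not name a DLL"
        elif section == "O23" and target.endswith("(file missing)"):
            reason = "service points at a missing binary"
        elif section == "O4" and body.endswith("= ?"):
            reason = "startup shortcut whose target HijackThis could not resolve (verify manually)"
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings


def triage_log(lines):
    """Parse raw log lines and return the entries that warrant a closer look."""
    return triage(parse_entries(lines))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['entry']}")
```

Run against the sample, the script surfaces four entries: the nameless BHO with no file, the unresolved startup shortcut, the `tuvuuss` Winlogon Notify entry that points at a bare directory, and the orphaned Ati HotKey Poller service. A flag is a prompt to verify, not a verdict: the shortcut, for instance, turns out to be harmless once its target is checked.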
Ok, this is going to look like a replay, but something came back....
We will begin with ComboFix. (again)
Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix
Here are my logs.
Steve
---------------------------
ComboFix 09-06-07.02 - Steve 06/07/2009 16:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.
2009-06-07 01:51 . 1999-03-23 05:00 401484 ----a-w- c:\windows\system32\msvcrtd.dll
2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\program files\GameTap Web Player
2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\GameTap Web Player
2009-06-03 23:03 . 2009-05-06 00:05 462848 ----a-w- c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
2009-06-01 17:53 . 2009-06-01 17:53 390664 ----a-w- c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-24 15:36 . 2009-05-24 15:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w- c:\program files\Trend Micro
2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w- c:\program files\RegBackup ERUNT
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w- c:\documents and settings\Steve\Application Data\Safer Networking
2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w- c:\program files\Safer Networking
2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w- c:\program files\ProcessExplorer
2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w- c:\windows\system32\USERINIT.EXE
2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w- c:\documents and settings\Steve\Application Data\ptidle
2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SimCity Societies
2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w- c:\windows\system32\KB905474
2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Soldat
2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 21:23 . 2009-03-29 22:46 -------- d-----w- c:\program files\Mozilla Sunbird
2009-06-07 01:52 . 2005-01-30 21:40 246 ----a-w- c:\windows\PowerReg.dat
2009-06-07 01:50 . 2004-07-25 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 16:42 . 2007-06-17 22:30 98304 ----a-w- c:\windows\System32CmdLineExt.dll
2009-06-04 23:06 . 2007-03-13 20:38 64 ----a-w- c:\windows\popcinfot.dat
2009-06-03 22:24 . 2004-09-22 14:40 84592 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 13:48 . 2009-02-01 02:50 -------- d-----w- c:\program files\Spybot
2009-05-27 23:37 . 2008-08-07 00:46 -------- d-----w- c:\documents and settings\Steve\Application Data\OpenOffice.org2
2009-05-27 23:36 . 2008-08-16 13:46 1 ----a-w- c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-27 23:35 . 2008-01-25 01:18 -------- d-----w- c:\program files\MSECACHE
2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w- c:\program files\Stardock Games
2009-05-10 19:58 . 2009-04-30 21:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Mumble
2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Ironclad Games
2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w- c:\documents and settings\Steve\Application Data\WTablet
2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w- c:\documents and settings\Steve\Application Data\Winamp
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w- c:\windows\War3Unin.dat
2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w- c:\windows\eReg.dat
2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w- c:\program files\temp01
2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w- c:\program files\error.dat
2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w- c:\program files\EULA.txt
2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-22_00.25.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-10 22:19 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2007-08-10 22:19 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-05-27 23:36 . 2009-05-27 23:36 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-06-03 22:25 . 2009-06-03 22:25 56320 c:\windows\assembly\NativeImages_v2.0.50727_32\Stardock.Central.Se#\5385eb9f34ad209ba7ea87cac00e1a64\Stardock.Central.Security.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 81920 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Uninstall\bcb8554f6f9d1fac5114830ff6c1d4bc\Sd.Uninstall.ni.dll
+ 2004-07-24 18:01 . 2009-05-28 11:56 296456 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-03 22:25 . 2009-06-03 22:25 284672 c:\windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\1a7da1bd1409cb8aae83d12985e91785\VistaBridgeLibrary.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 485888 c:\windows\assembly\NativeImages_v2.0.50727_32\VDialog\b9f93ab4e871202f08bacb2eea45619f\VDialog.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd\b763c29a1b5ab7f3a4db1563af682177\Sd.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 422912 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Web\c71283976332f42816bf8eef4862aa2a\Sd.Web.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 155648 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.UI\3e7f2d58806d187d104688c6646cf0f4\Sd.UI.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 804352 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Irc\91e6d500574d1ef15828dcdbc154e44e\Sd.Irc.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 296960 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.InstallManager\3b63000c351829ab07838317ca9a3643\Sd.InstallManager.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 564224 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common.XmlSerial#\ae0f4540e4c7dbed2820722ac3eed7da\Sd.Common.XmlSerializers.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 788480 c:\windows\assembly\NativeImages_v2.0.50727_32\sd.central.cvp.serv#\b6e8a38d3cfc48123b5715b7cd18b6e1\sd.central.cvp.server.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 128512 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive\8101eb83b90821af4b7c6eab2024a41f\Sd.Central.Archive.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 345600 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive.#\aca17957fd7012185f82679a35a18b0f\Sd.Central.Archive.XmlSerializers.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 326144 c:\windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\523977d5edec6266fcc0c7588e361cd5\MyDock.Util.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 100864 c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\b57a1fe2527d40aae9b62b10f57be9b8\Interop.IWshRuntimeLibrary.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 726016 c:\windows\assembly\NativeImages_v2.0.50727_32\ICSharpCode.SharpZi#\5c1a3278ff6412107322a65dee39790d\ICSharpCode.SharpZipLib.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 1308160 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common\d0463aaf422bc51e171f0cad7a6775e1\Sd.Common.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 6175232 c:\windows\assembly\NativeImages_v2.0.50727_32\Impulse\162b482fdd3a7302192bf6d202561efd\Impulse.ni.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\games\steam\steam.exe" [2009-05-22 1217784]
"Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\Steve\Start Menu\Programs\Startup\
AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 6087]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]
Spybot - Search & Destroy.lnk - c:\program files\Spybot\SpybotSD.exe [2009-1-31 5365592]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 18:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=ctwdm32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Ventrilo Server.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Ventrilo Server.lnk
backup=c:\windows\pss\Ventrilo Server.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DGPN"=2 (0x2)
"TabletServiceWacom"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Brother XP spl Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
"d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
"d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Games\\World in Conflict\\wic.exe"=
"d:\\Games\\World in Conflict\\wic_online.exe"=
"d:\\Games\\World in Conflict\\wic_ds.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
"d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
"g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
"d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2005-08-07 c:\windows\Tasks\cleanup-test.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-04 c:\windows\Tasks\cleanup.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-12 c:\windows\Tasks\DataOnly.job
- c:\windows\system32\ntbackup.exe [2004-08-04 00:12]
2009-06-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 16:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"????????????????????????"=hex:63,a2,df,ea,77,f0,95,25,eb,6c,dc,66,29,e5,12,1d,
2c,29,70,2c,5c,5c,25,f7,2c,2c,5c,d1,25,c3,2e,2e,00,00,00,00,00,00,00,00,00,\
"???n"=hex:67,c5,3f,af,2f,06,f4,bd,6a,bc,3c,06,c9,a8,f3,94,cf,fc,28,65,23,1f,
51,a4,66,c3,ff,fd,10,6b,09,b0,09,00,c0,46,db,0a,6f,85,96,63,1a,e5,64,d4,d7,\
"?????"=hex:9b,9d,a9,7e,82,9e,bf,2c,e9,55,17,f0,77,5c,30,60
"???n"=hex:ca,7f,b1,85,35,af,19,95,9b,a8,37,7a,99,ab,d7,56,38,b0,d3,96,72,26,
af,0f,16,9e,d6,36,d2,33,4f,56,ef,d6,90,a9,11,dc,dd,ab,e0,b9,e6,2f,ab,b3,26,\
"??"=hex:1b,ee,fb,ee,5e,a8,db,76,e9,8e,a8,56,0f,22,bd,59,a7,f5,31,8b,68,3d,0d,
66,8f,a9,af,3a,cd,97,dd,26,b6,8f,e0,00,53,f0,17,e0,33,21,7c,c4,ec,bb,45,d6,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:60,0d,47,33,43,d6,05,78,97,20,41,75,fe,20,a2,c4,e6,c4,14,cd,72,
bc,80,4a,7f,c2,b8,b7,b8,67,45,6b,87,24,7d,2b,e6,ac,26,26,0f,b6,9f,85,ba,26,\
"rkeysecu"=hex:65,d6,a2,52,b5,22,4b,f2,49,55,2b,25,75,bf,64,56
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2304)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\MSVCP71.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-06-07 16:41
ComboFix-quarantined-files.txt 2009-06-07 21:41
ComboFix2.txt 2009-05-22 23:57
ComboFix3.txt 2009-05-22 00:28
Pre-Run: 12,837,810,176 bytes free
Post-Run: 12,909,498,368 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
294 --- E O F --- 2009-05-23 02:53
-------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:50 PM, on 6/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 4928 bytes
-------------------------
Okey...
Backup Your Registry with ERUNT:
Note: to restore your registry, go to the backup folder and start ERDNT.exe
- Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
- Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
- Inside the new folder, double-click ERUNT.exe to start the program
- OK all the prompts to back up your registry to the default location.
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):
Make sure there are NO blank lines before REGEDIT4.
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]

Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Then uninstall all previous versions of Malwarebytes' Anti-Malware (MBAM).
Restart the pc.
- Please download Malwarebytes' Anti-Malware and save it to a convenient location.
- Double click on mbam-setup.exe to install it.
- Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
- Select the Scanner tab. Click on Perform full scan, then click on Scan.
- Leave the default options as they are and click on Start Scan.
- When done, you will be prompted. Click OK, then click on Show Results.
- Check (tick) all items and click on Remove Selected.
- After it has removed the items, Notepad will open. Please post this log in your next reply along with a fresh HijackThis log. You can also find the log in the Logs tab. The bottom most log is the latest.
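As an added example (not the helper's own tooling), here is a small Python script that applies the checks behind this post to HijackThis lines: it flags O20 Winlogon Notify entries whose path is not a DLL (like the tuvuuss entry above), lists O23 services marked "(file missing)", and writes and validates a REGEDIT4 deletion file following the header and trailing-blank-line rules just given. The sample lines are constructed from the log in this thread; nothing here touches a live registry.

```python
import re

# Constructed sample: O20/O23 lines taken from the HijackThis log in this thread.
SAMPLE_HJT_LINES = [
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: tuvuuss - C:\\WINDOWS\\",
    "O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe (file missing)",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
]
SAMPLE_HJT = "\n".join(SAMPLE_HJT_LINES)

# Registry key that HijackThis reports as "O20 - Winlogon Notify".
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_PREFIX = "O23 - Service: "
FILE_MISSING = " (file missing)"


def suspicious_notify_entries(log_text):
    """Return (name, path, reason) for O20 entries whose DLL path is not a plausible DLL.

    A Winlogon Notify subkey must point at a DLL that winlogon.exe loads at logon;
    an entry that names only a directory (the tuvuuss case) or a non-.dll file is
    what a helper would single out for removal. On the live machine one would
    additionally check os.path.isfile() on the reported path.
    """
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path").strip()
        if path == "" or path.endswith("\\"):
            findings.append((name, path, "path is a directory, not a DLL"))
        elif not path.lower().endswith(".dll"):
            findings.append((name, path, "path does not name a .dll"))
    return findings


def missing_services(log_text):
    """Return (service name, image path) for O23 lines HijackThis tagged '(file missing)'.

    rsplit from the right so service names containing ' - ' are kept intact.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.startswith(SERVICE_PREFIX) or not line.endswith(FILE_MISSING):
            continue
        head, _owner, path = line.rsplit(" - ", 2)
        findings.append((head[len(SERVICE_PREFIX):], path[: -len(FILE_MISSING)]))
    return findings


def build_fix_reg(notify_subkeys):
    """Build REGEDIT4 text that deletes the given Winlogon\\Notify subkeys.

    Mirrors the rules in the post: REGEDIT4 is the very first line, each
    [-key] directive removes one subkey, and the file ends with a line break
    (Windows CRLF) so the last directive is followed by a blank line.
    """
    lines = ["REGEDIT4", ""]
    lines += [f"[-{NOTIFY_KEY}\\{name}]" for name in notify_subkeys]
    return "\r\n".join(lines) + "\r\n"


def validate_fix_reg(text):
    """Return a list of problems (empty when the file follows the post's rules)."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 BOM (save as ANSI text, not Unicode)")
    lines = text.splitlines()
    if not lines or lines[0] != "REGEDIT4":
        problems.append("first line must be exactly REGEDIT4 (no blank lines before it)")
    for n, line in enumerate(lines[1:], start=2):
        if line == "":
            continue
        if not (line.startswith("[") and line.endswith("]")):
            problems.append(f"line {n}: expected a [key] directive, got {line!r}")
        elif not line.startswith("[-"):
            problems.append(f"line {n}: directive would create a key instead of deleting one")
    if not text.endswith(("\r\n", "\n")):
        problems.append("file must end with a blank line (trailing line break)")
    return problems


if __name__ == "__main__":
    flagged = suspicious_notify_entries(SAMPLE_HJT)
    for name, path, why in flagged:
        print(f"O20 {name}: {path!r} -> {why}")
    for name, path in missing_services(SAMPLE_HJT):
        print(f"O23 {name}: {path} (file missing)")
    reg = build_fix_reg([name for name, _, _ in flagged])
    print(reg)
    print("fix.reg problems:", validate_fix_reg(reg) or "none")
```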
Malwarebytes' Anti-Malware 1.37
Database version: 2259
Windows 5.1.2600 Service Pack 3
6/10/2009 6:44:19 PM
mbam-log-2009-06-10 (18-44-19).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 752702
Time elapsed: 2 hour(s), 23 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\Steve\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064886.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064887.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210613.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210614.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210615.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210616.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210789.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:34 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\games\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 4964 bytes
---------------------------------
Okay looks good now. How is the pc running now? Any symptoms?
It seems ok except sometimes google searches return links to different phishing sites. The most frequent one today is claiming to be sucleaner.com. However, clicking on the google link a second time properly goes to the site.
Here's my current hijackthis log:
Steve
================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:01 PM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\games\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
G:\Programs\Mumble\mumble.exe
G:\Programs\Mumble\dbus-daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 4754 bytes
Ok in that case we'll do some digging...
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.
- Save it to the desktop.
- Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-21 19:27:34
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8DB48AC 5 Bytes JMP 8AB596E0
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 0403A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 0403A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 0403A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 0403A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 0403A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 0403A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 0403A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 0403A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AD591E8
Device \FileSystem\Udfs \UdfsCdRom 8AB8B410
Device \FileSystem\Udfs \UdfsDisk 8AB8B410
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 8AB571E8
Device \Driver\usbohci \Device\USBPDO-1 8AB571E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ADCA1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8ADCA1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8ADCA1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8ADCA1E8
Device \Driver\usbohci \Device\USBPDO-2 8AB571E8
Device \Driver\usbohci \Device\USBPDO-3 8AB571E8
Device \Driver\usbohci \Device\USBPDO-4 8AB571E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C4E33733-79B1-408C-A9B5-239AFA3EF59B} 8951A1E8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\prodrv06 \Device\ProDrv06 E2459938
Device \Driver\usbehci \Device\USBPDO-5 8AB171E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AD5B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AD5B1E8
Device \Driver\Cdrom \Device\CdRom0 8AB091E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AD5B1E8
Device \Driver\Cdrom \Device\CdRom1 8AB091E8
Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1c sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-24 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AD5B1E8
Device \Driver\Cdrom \Device\CdRom2 8AB091E8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8AD5B1E8
Device \Driver\prohlp02 \Device\ProHlp02 E1FD61F0
Device \Driver\NetBT \Device\NetBt_Wins_Export 8951A1E8
Device \Driver\NetBT \Device\NetbiosSmb 8951A1E8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 8AB571E8
Device \Driver\usbohci \Device\USBFDO-1 8AB571E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8951C1E8
Device \Driver\usbohci \Device\USBFDO-2 8AB571E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8951C1E8
Device \Driver\usbohci \Device\USBFDO-3 8AB571E8
Device \Driver\usbohci \Device\USBFDO-4 8AB571E8
Device \Driver\Ftdisk \Device\FtControl 8AD5B1E8
Device \Driver\usbehci \Device\USBFDO-5 8AB171E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target1Lun0 8AAD01E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target1Lun0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\cdawdm \Device\Scsi\cdawdm1 8AAD01E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target0Lun0 8AAD01E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target0Lun0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \FileSystem\Cdfs \Cdfs 8A881790
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@imagepath \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@inst 0
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@ver sni060409
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@cid 01
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@bid 3838505566-725345543-764733703-1801674531
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@aid 998
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@sid 3
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@cmddelay 28801
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@logoffset 3726
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{09C632F2-2F51-49E2-9A4C-E0173025E9BC}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dll \systemroot\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthlog.dat \systemroot\system32\ovfsthokvbxvihlxhdejojsrmrqwyvkxxljxwb.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthwi.dll \systemroot\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthff.dll \systemroot\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dat \systemroot\system32\ovfstheuposgxodxgbmcnmkjawoinysysxtrpg.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
---- EOF - GMER 1.0.15 ----
-------------------------------------------------------
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = ""d:\games\steam\steam.exe" -silent" ["Valve Corporation"]
"Executor" = ""C:\Program Files\Executor\executor.exe" -s" ["Martin Bresson"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]
"amd_dc_opt" = "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
\InProcServer32\(Default) = "D:\Program Files\MS Antispyware\shellextension.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MakeFile Class\(Default) = "{D8504558-278D-4A93-BCBC-75B142CAA3B3}"
-> {HKLM...CLSID} = "MakeFile Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vdshell.dll" ["FarStone Technology Inc."]
SciTE\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
-> {HKLM...CLSID} = "SciTE"
\InProcServer32\(Default) = "C:\Program Files\Scintilla Text Editor\wscitecm.dll" ["Burgaud.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
FolderShell Class\(Default) = "{24C0824F-BC16-41DB-9845-DE545941C3B0}"
-> {HKLM...CLSID} = "FolderShell Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vdshell.dll" ["FarStone Technology Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Default executables:
--------------------
<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\DOCUME~1\Steve\LOCALS~1\Temp\AutoWall.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Computer, Inc."]
iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Computer, Inc."]
iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Computer, Inc."]
iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Computer, Inc."]
PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]
RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]
RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]
RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]
RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]
RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]
VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]
VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]
WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]
Startup items in "Steve" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\Steve\Start Menu\Programs\Startup
"AWC" -> shortcut to: "G:\AWC (Auto Wallpaper Changer)\AWC.exe" ["Steve Murphy"]
"ImpulseNow" -> shortcut to: "C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe" ["Stardock Corporation"]
"Mozilla Sunbird" -> shortcut to: "C:\Program Files\Mozilla Sunbird\sunbird.exe" ["Mozilla"]
"Shortcut to Ut3 Map TO DOs" -> shortcut to: "C:\Documents and Settings\Steve\Desktop\TO DO.txt" [null data]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Spybot - Search & Destroy" -> shortcut to: "C:\Program Files\Spybot\SpybotSD.exe" ["Safer Networking Limited"]
Enabled Scheduled Tasks:
------------------------
"cleanup-test" -> launches: "D:\Data\cleanup.bat" [null data]
"cleanup" -> launches: "D:\Data\cleanup.bat" [null data]
"DataOnly" -> launches: "C:\WINDOWS\system32\ntbackup.exe backup "@C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\DataOnly.bks" /n "DataBackup.bkf created 8/7/2005 at 10:27 AM" /d "Set created 8/7/2005 at 10:27 AM" /v:yes /r:no /rs:no /hc:off /m normal /j "DataOnly" /l:s /f "F:\Backup of Data\DataBackup.bkf"" [MS]
"WGASetup" -> launches: "C:\WINDOWS\system32\KB905474\wgasetup.exe /autoauto" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PCL hpz3l5jy\Driver = "hpz3l5jy.dll" ["Hewlett-Packard Company"]
---------- (launch time: 2009-06-21 19:29:43)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 49 seconds, including 18 seconds for message boxes)
===================================
Here you go.
Steve