I am infected with Virtumonde. Please Help!

[ledfoot]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:37 AM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\War-ftpd\WarTrayIcon.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [88c697d5] rundll32.exe "C:\WINDOWS\system32\xbhkclyb.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5327] command /c del "C:\WINDOWS\system32\oeqknhax.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1215] cmd /c del "C:\WINDOWS\system32\oeqknhax.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [SpybotDeletingB6460] command /c del "C:\WINDOWS\system32\oeqknhax.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1019] cmd /c del "C:\WINDOWS\system32\oeqknhax.dll_old"
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O4 - Startup: War FTPD Tray icon.lnk = C:\Program Files\War-ftpd\WarTrayIcon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O20 - AppInit_DLLs: cncqpg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 9937 bytes

 

[Blade81]

Hi ledfoot

If you still need help with this post a fresh hjt log, please. The one you posted is quite outdated now.

 

[ledfoot]

Still need help

Here is the updated log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:22 PM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [88c697d5] rundll32.exe "C:\WINDOWS\system32\niqagcuf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O20 - AppInit_DLLs: cncqpg.dll mxxwzn.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 9682 bytes

Thanks.

 

[Blade81]

Hi

Go to C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file there to something.exe. After renaming post a fresh hjt log.

 

[ledfoot]

Log you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:22 PM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [88c697d5] rundll32.exe "C:\WINDOWS\system32\niqagcuf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O20 - AppInit_DLLs: cncqpg.dll mxxwzn.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 9682 bytes

 

[Blade81]

Hi

Looks like you didn't rename the HijackThis.exe file. Let's do that in steps
1. Go to C:\Program Files\Trend Micro\HijackThis folder
2. Click on HijackThis.exe file to make it highlighted.
3. Press F2 and rename file to something.exe.
4. Double click something.exe to start renamed HijackThis.
5. Create a log and post it back here.

 

[ledfoot]

Sorry

Sorry I ran the file off the desktop icon instead. Here you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:41 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: {b24eda37-5357-e439-f3a4-c520b3b74e46} - {64e47b3b-025c-4a3f-934e-753573ade42b} - C:\WINDOWS\system32\ygpavq.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\cbXoLDWm.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {D8D020BC-13F2-4B37-BDB2-1A7CCD13E540} - C:\WINDOWS\system32\ssqRIyYO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [88c697d5] rundll32.exe "C:\WINDOWS\system32\niqagcuf.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O20 - AppInit_DLLs: cncqpg.dll ygpavq.dll
O20 - Winlogon Notify: cbXoLDWm - C:\WINDOWS\SYSTEM32\cbXoLDWm.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 10237 bytes

 

[Blade81]

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\Azureus

Empty Recycle Bin.

After that:



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[ledfoot]

Logs

ComboFix 09-01-13.03 - Vushbag 2009-01-13 11:25:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.888 [GMT -8:00]
Running from: c:\documents and settings\Vushbag\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Vushbag\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\Vushbag\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bpsodgen.dll
c:\windows\system32\bylckhbx.ini
c:\windows\system32\cbXoLDWm.dll
c:\windows\system32\cncqpg.dll
c:\windows\system32\cwhjafyh.ini
c:\windows\system32\eqziuy.dll
c:\windows\system32\esrraydq.dll
c:\windows\system32\fcqrbsjq.dll
c:\windows\system32\fucgaqin.ini
c:\windows\system32\gwbxqypp.dll
c:\windows\system32\jyjthfyq.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mxxwzn.dll
c:\windows\system32\ncsipcmf.ini
c:\windows\system32\negdospb.ini
c:\windows\system32\niqagcuf.dll
c:\windows\system32\OYyIRqss.ini
c:\windows\system32\OYyIRqss.ini2
c:\windows\system32\ppyqxbwg.ini
c:\windows\system32\qwsdwoxa.dll
c:\windows\system32\qyfhtjyj.dll
c:\windows\system32\recyyh.dll
c:\windows\system32\rloknmqt.dll
c:\windows\system32\ssqRIyYO.dll
c:\windows\system32\wrgyjeei.dll
c:\windows\system32\xahnkqeo.ini
c:\windows\system32\ygpavq.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-06 18:43 . 2009-01-06 18:43 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\McAfee
2009-01-06 12:44 . 2009-01-13 11:30 10,269 --a------ c:\windows\system32\Config.MPF
2009-01-06 12:42 . 2009-01-06 12:42 <DIR> d-------- c:\program files\McAfee.com
2009-01-06 12:42 . 2009-01-06 15:47 <DIR> d-------- c:\program files\McAfee
2009-01-06 12:42 . 2009-01-06 12:42 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-06 12:42 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 12:42 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-06 12:42 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 12:42 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-06 12:42 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 12:42 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-06 12:38 . 2009-01-06 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 09:08 . 2009-01-06 09:08 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 02:54 . 2009-01-06 02:54 <DIR> d-------- C:\VundoFix Backups
2008-12-18 01:52 . 2008-12-18 01:52 <DIR> d-------- c:\program files\DVD Flick
2008-12-18 01:52 . 2008-12-18 09:25 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\DVD Flick
2008-12-18 01:52 . 2004-03-09 00:00 662,288 --a------ c:\windows\system32\mscomct2.ocx
2008-12-18 01:52 . 2004-03-09 00:00 212,240 --a------ c:\windows\system32\richtx32.ocx
2008-12-18 01:52 . 1998-06-24 00:00 164,144 --a------ c:\windows\system32\comct232.ocx
2008-12-18 01:52 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2008-12-18 01:52 . 2007-08-31 18:36 36,864 --a------ c:\windows\system32\trayicon_handler.ocx
2008-12-18 01:52 . 2008-08-31 13:27 28,672 --a------ c:\windows\system32\mousewheel.ocx
2008-12-17 14:45 . 2008-12-17 14:57 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\BSplayer PRO
2008-12-17 04:51 . 2008-12-17 04:51 <DIR> d-------- C:\OpenCandy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 19:29 --------- d-----w c:\program files\Transcode360
2009-01-13 19:27 --------- d-----w c:\program files\War-ftpd
2009-01-13 19:14 --------- d-----w c:\documents and settings\Vushbag\Application Data\Azureus
2009-01-06 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 20:36 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-06 17:29 --------- d-----w c:\program files\PokerOffice
2008-12-17 22:54 --------- d-----w c:\program files\Webteh
2008-12-17 22:51 --------- d-----w c:\program files\Google
2008-12-17 12:51 --------- d-----w c:\program files\Red Kawa
2008-12-12 21:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 21:25 --------- d-----w c:\documents and settings\Vushbag\Application Data\My Games
2008-12-11 19:58 --------- d-----w c:\program files\Java
2008-12-07 20:13 --------- d-----w c:\program files\PokerStars
2008-11-21 18:09 --------- d-----w c:\program files\iTunes
2008-11-21 18:09 --------- d-----w c:\program files\iPod
2008-11-21 18:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:07 --------- d-----w c:\program files\QuickTime
2008-11-20 01:25 --------- d-----w c:\documents and settings\Vushbag\Application Data\LimeWire
2008-11-17 11:15 --------- d-----w c:\documents and settings\Vushbag\Application Data\Ahead
2007-09-11 20:17 56,912 ----a-w c:\documents and settings\Vushbag\g2mdlhlpx.exe
2008-08-03 02:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"POEngine"="c:\program files\PokerOffice\POEngine.exe" [2007-02-22 475136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Transcode360"="c:\program files\Transcode360\Transcode360Tray.exe" [2006-05-02 192512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cncqpg.dll ygpavq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ssqRIyYO

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian Pro\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\KaraokeMP3-Mirc260\\mIRC_KaraokeMp3z.exe"=
"c:\\Program Files\\War-ftpd\\war-ftpd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Documents and Settings\\Vushbag\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Vushbag\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"<NO NAME>"=

R4 WARSVR;WARSVR;c:\program files\War-ftpd\war-ftpd.exe [2007-08-29 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-515967899-839522115-1003.job
- c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:54]

2009-01-06 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-06 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-13 c:\windows\Tasks\myhdooiy.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{64e47b3b-025c-4a3f-934e-753573ade42b} - c:\windows\system32\ygpavq.dll
BHO-{D8D020BC-13F2-4B37-BDB2-1A7CCD13E540} - c:\windows\system32\ssqRIyYO.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Vushbag\Application Data\Mozilla\Firefox\Profiles\fzyjxb4n.default\
FF - plugin: c:\documents and settings\Vushbag\Application Data\Mozilla\Firefox\Profiles\fzyjxb4n.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Vushbag\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 11:30:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\PokerOffice\bin\javaw.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\RMSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-13 11:33:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 19:33:32

Pre-Run: 62,902,767,616 bytes free
Post-Run: 63,151,468,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT /USEPMTIMER

255 --- E O F --- 2008-12-14 05:28:24

---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:20 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\PokerOffice\bin\javaw.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O20 - AppInit_DLLs: cncqpg.dll ygpavq.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 9480 bytes

 

[Blade81]

Hi

Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader!

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
• Scroll down to where it says
  The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Tasks\myhdooiy.job

Folder::
c:\documents and settings\Vushbag\Application Data\Azureus
c:\documents and settings\Vushbag\Application Data\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

 

[ledfoot]

Kapersky keeps freezing

I've run the Kapersky scanner 3 times now and it keeps freezing. The timer continues to count but no further scanning is being done. What do you recommend?

 

[Blade81]

Hi

First make sure McAfee is turned off during the scan. Defrag hard drive too if not done lately.

 

[ledfoot]

Still Freezing

I have uninstalled McAfee and my drive is defragmented and it still continues to freeze.

 

[Blade81]

Hi

In that case let's use other scanner instead.

* Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic, along with other requested logs

 

[ledfoot]

Requested Logs

ComboFix 09-01-13.04 - Vushbag 2009-01-14 11:41:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1496 [GMT -8:00]
Running from: c:\documents and settings\Vushbag\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Vushbag\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\myhdooiy.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Vushbag\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\Vushbag\Application Data\Azureus
c:\documents and settings\Vushbag\Application Data\Azureus\.certs
c:\documents and settings\Vushbag\Application Data\Azureus\.keystore
c:\documents and settings\Vushbag\Application Data\Azureus\.lock
c:\documents and settings\Vushbag\Application Data\Azureus\active\0550352E7A780B7C61241B4A70FB62C083D1D7C8.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\0550352E7A780B7C61241B4A70FB62C083D1D7C8.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\077E56AF70AA32B94C6FB3318D624957C0AD1B58.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\077E56AF70AA32B94C6FB3318D624957C0AD1B58.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\0EAC26AA337A10A5A7690ACC71E731749F78CE72.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\0EAC26AA337A10A5A7690ACC71E731749F78CE72.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\35CCC316B265F7992CFDC14F4915B9E9A285B249.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\35CCC316B265F7992CFDC14F4915B9E9A285B249.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\617813CBFE3D105A9A3CA7F1C05C85C2417544D5.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\617813CBFE3D105A9A3CA7F1C05C85C2417544D5.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\693F483DE79BF122433B279A184FCEE4F4BE6C1E.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\693F483DE79BF122433B279A184FCEE4F4BE6C1E.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\6B3DD03558D38C5149E9BE3F84E38F557D507FED.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\6B3DD03558D38C5149E9BE3F84E38F557D507FED.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\873A03D6FDCA88C3D55D72A9647C028531CBDF1D.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\873A03D6FDCA88C3D55D72A9647C028531CBDF1D.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\97ECE021316894A0C838E2D3DEDC59FDA2E67ABB.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\97ECE021316894A0C838E2D3DEDC59FDA2E67ABB.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\9A8C3A167DCA820BFB11B621CBBD5D058DB21E8C.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\9A8C3A167DCA820BFB11B621CBBD5D058DB21E8C.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\9D431DF5A8F2EEFE1263F275883892D1CDB7FE02.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\9D431DF5A8F2EEFE1263F275883892D1CDB7FE02.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\A4DD573C7DC06F01ED5CE383B1E894B1B49E1BD1.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\A4DD573C7DC06F01ED5CE383B1E894B1B49E1BD1.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\AAEABC1509F97482B01518D1F91F5FE2E844BFAE.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\AAEABC1509F97482B01518D1F91F5FE2E844BFAE.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\cache.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\CB8059E5660BEF39FD3267E9F7CEB68E57DE0EF5.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\CB8059E5660BEF39FD3267E9F7CEB68E57DE0EF5.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\CCD6332A3F759F0C82E601B3BF0BFA65520328A6.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\CCD6332A3F759F0C82E601B3BF0BFA65520328A6.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\CFD2EEF9894DD721D83E2DE27305A644091349F7.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\CFD2EEF9894DD721D83E2DE27305A644091349F7.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\D2BB9D316CA3F20E2F6521836550C969E03DA813.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\D2BB9D316CA3F20E2F6521836550C969E03DA813.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\D62A9032E9C47168DAF610806FFC75330C4793FF.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\D62A9032E9C47168DAF610806FFC75330C4793FF.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\E2A207837EA527CB8EF15868FEC67C4B091C2E0B.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\E2A207837EA527CB8EF15868FEC67C4B091C2E0B.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\E367409FB14B5BF81717E5031BD5727BFCFE6980.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\E367409FB14B5BF81717E5031BD5727BFCFE6980.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\EDB50C147621C697F98E0015784FAF7373E0F27A.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\EDB50C147621C697F98E0015784FAF7373E0F27A.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\F60DA232E78B19ED092EA37E9BED21B0A5B09B15.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\F60DA232E78B19ED092EA37E9BED21B0A5B09B15.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\active\FE07F3979A569D9878F73234EDAD038BC3CB2D8A.dat
c:\documents and settings\Vushbag\Application Data\Azureus\active\FE07F3979A569D9878F73234EDAD038BC3CB2D8A.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\azureus.config
c:\documents and settings\Vushbag\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\azureus.statistics
c:\documents and settings\Vushbag\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Vushbag\Application Data\Azureus\banips.config
c:\documents and settings\Vushbag\Application Data\Azureus\banips.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\debug\image-0.jpg
c:\documents and settings\Vushbag\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Vushbag\Application Data\Azureus\dht\block.dat
c:\documents and settings\Vushbag\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Vushbag\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Vushbag\Application Data\Azureus\dht\general.dat
c:\documents and settings\Vushbag\Application Data\Azureus\dht\version.dat
c:\documents and settings\Vushbag\Application Data\Azureus\downloads.config
c:\documents and settings\Vushbag\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\filters.config
c:\documents and settings\Vushbag\Application Data\Azureus\friends.config
c:\documents and settings\Vushbag\Application Data\Azureus\friends.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Vushbag\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\Friends_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_alerts_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_AutoSpeed_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_AutoSpeedSearchHistory_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_clientid_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_debug_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_debug_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_Friends_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_Friends_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_MetaSearch_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_NetStatus_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_seltrace_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_seltrace_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_SpeedMan_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_SpeedMan_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_Subscriptions_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_Subscriptions_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_thread_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_thread_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.ads_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.CMsgr_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.emp_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.Friends_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.Friends_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.MD_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.PMsgr_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.PMsgr_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\save\1231437842726_v3.Stream_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\Subscriptions_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.MD_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.PMsgr_2.log
c:\documents and settings\Vushbag\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\Vushbag\Application Data\Azureus\metasearch.config
c:\documents and settings\Vushbag\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\net\pm_33651.dat
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.7.4.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.7.4.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.8.4.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.8.4.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.9.0.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.9.0.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.9.11.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.9.11.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.9.6.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_1.9.6.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.11.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.11.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.14.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.14.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.16.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.16.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.28.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.28.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.30.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.30.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.32.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azemp_2.0.32.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azmplay.exe
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\azmplay.exe.bak
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\cp1250-a.raw
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\cp1250-a.raw.bak
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\cp1250-b.raw
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\cp1250-b.raw.bak
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\font.desc
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\font.desc.bak
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\libInfoGetter.dll
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\mplayer\config
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\osd-mplayer-a.raw
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\osd-mplayer-a.raw.bak
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\osd-mplayer-b.raw
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\osd-mplayer-b.raw.bak
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_1.7.4
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_1.8.4
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.0
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.11
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_1.9.6
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.11
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.14
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.16
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.28
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.30
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azemp\plugin.properties_2.0.32
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.2.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.3.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.6.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.1.7.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.0.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.1.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.jar
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\azupnpav_0.2.2.zip
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.2
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.3
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.6
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.1.7
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.0
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.1
c:\documents and settings\Vushbag\Application Data\Azureus\plugins\azupnpav\plugin.properties_0.2.2
c:\documents and settings\Vushbag\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Vushbag\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\subs\01FE0E4954FEEB299706.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\01FE0E4954FEEB299706.vuze.3
c:\documents and settings\Vushbag\Application Data\Azureus\subs\026FBDD82B2F2AEA49A8.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\026FBDD82B2F2AEA49A8.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\07ABDD32A54D704B48FE.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\07ABDD32A54D704B48FE.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\09B584381E122A0F9A8F.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\09B584381E122A0F9A8F.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\0F193C9F601B15C4EFFE.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\0F193C9F601B15C4EFFE.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\12533BF9649105ABA27A.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\12533BF9649105ABA27A.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\186D0E57232DEE8DC2FD.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\186D0E57232DEE8DC2FD.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\1E5DADD6DAFE0C72EBE6.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\1E5DADD6DAFE0C72EBE6.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\327F4762CCB7C9C5102D.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\327F4762CCB7C9C5102D.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\47B6C9B058D0AB3DE916.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\47B6C9B058D0AB3DE916.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\47D01B51E6FACC969E1D.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\47D01B51E6FACC969E1D.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\581765478D3517627C73.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\581765478D3517627C73.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\62FE6A1CAD12849F5889.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\62FE6A1CAD12849F5889.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\632A20E73961F1C133F2.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\632A20E73961F1C133F2.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\829E59C40EFFE22EB406.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\829E59C40EFFE22EB406.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\83F9D7CFBA5E7496ACC5.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\83F9D7CFBA5E7496ACC5.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\87E23B1872099785E348.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\87E23B1872099785E348.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\A94CE2992E955B3D29E2.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\A94CE2992E955B3D29E2.vuze.4
c:\documents and settings\Vushbag\Application Data\Azureus\subs\C3E61C3B30E803D1A549.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\C3E61C3B30E803D1A549.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\C868FF325124E3D0D58F.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\C868FF325124E3D0D58F.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subs\CB6608B3D871E133A25F.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\CB6608B3D871E133A25F.vuze.2
c:\documents and settings\Vushbag\Application Data\Azureus\subs\DB8EBA0A8243FAC1DD16.vuze
c:\documents and settings\Vushbag\Application Data\Azureus\subs\DB8EBA0A8243FAC1DD16.vuze.1
c:\documents and settings\Vushbag\Application Data\Azureus\subscriptions.config
c:\documents and settings\Vushbag\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\tables.config
c:\documents and settings\Vushbag\Application Data\Azureus\tables.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU2068563831448907144.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU2945302685594816056.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU401263082696043309.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU4862713403444215080.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU4916955499823762814.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU4925852752151494150.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU5770163308831491840.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU655449681357336285.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU7951397781918559058.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\tmp\AZU7983808652013630271.tmp
c:\documents and settings\Vushbag\Application Data\Azureus\torrents\Nero_7_Premium_Full_CD.torrent
c:\documents and settings\Vushbag\Application Data\Azureus\tracker.config
c:\documents and settings\Vushbag\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\unsentdata.config
c:\documents and settings\Vushbag\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Vushbag\Application Data\Azureus\update.log
c:\documents and settings\Vushbag\Application Data\Azureus\update.properties
c:\documents and settings\Vushbag\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Vushbag\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Vushbag\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Vushbag\Application Data\Azureus\VuzeActivities.config.bak
c:\documents and settings\Vushbag\Application Data\LimeWire
c:\documents and settings\Vushbag\Application Data\LimeWire\.AppSpecialShare\Pineapple.Express.2008.DVDSCR.XviD-HEFTY.torrent
c:\documents and settings\Vushbag\Application Data\LimeWire\.AppSpecialShare\Sara Bareilles - Little Voice [2007][CD+SkidVid_XviD+Cov].torrent
c:\documents and settings\Vushbag\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Vushbag\Application Data\LimeWire\downloads.dat
c:\documents and settings\Vushbag\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Vushbag\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Vushbag\Application Data\LimeWire\filters.props
c:\documents and settings\Vushbag\Application Data\LimeWire\gnutella.net
c:\documents and settings\Vushbag\Application Data\LimeWire\installation.props
c:\documents and settings\Vushbag\Application Data\LimeWire\library.dat
c:\documents and settings\Vushbag\Application Data\LimeWire\limewire.props
c:\documents and settings\Vushbag\Application Data\LimeWire\mojito.props
c:\documents and settings\Vushbag\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Vushbag\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Vushbag\Application Data\LimeWire\questions.props
c:\documents and settings\Vushbag\Application Data\LimeWire\responses.cache
c:\documents and settings\Vushbag\Application Data\LimeWire\simpp.xml
c:\documents and settings\Vushbag\Application Data\LimeWire\spam.dat
c:\documents and settings\Vushbag\Application Data\LimeWire\tables.props
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme.lwtp
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\01_star.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\02_star.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\03_star.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\04_star.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\05_star.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\chat.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\dir_closed.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\dir_open.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\forward_dn.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\forward_up.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\kill.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\kill_on.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\lime.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\lw_logo.png
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\pause_dn.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\pause_up.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\play_dn.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\play_up.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\question.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\rewind_dn.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\rewind_up.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\stop_dn.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\stop_up.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\theme.txt
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\version.txt
c:\documents and settings\Vushbag\Application Data\LimeWire\themes\limewirePro_theme\warning.gif
c:\documents and settings\Vushbag\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Vushbag\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Vushbag\Application Data\LimeWire\version.xml
c:\documents and settings\Vushbag\Application Data\LimeWire\versions.props
c:\documents and settings\Vushbag\Application Data\LimeWire\xml\data\audio.sxml2
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\myhdooiy.job

.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-14 11:38 . 2009-01-14 11:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-14 11:29 . 2009-01-14 11:29 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-14 11:28 . 2009-01-14 11:28 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-14 05:07 . 2009-01-14 05:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee
2009-01-14 05:07 . 2009-01-14 11:35 4 --a------ c:\windows\dmucpphs
2009-01-14 05:00 . 2009-01-14 05:00 25,088 --a------ c:\windows\system32\drivers\phqghume.sys
2009-01-14 00:39 . 2009-01-14 00:39 31,232 --a------ c:\windows\system32\pcload.exe
2009-01-13 16:29 . 2009-01-13 16:29 25,088 --a------ c:\windows\system32\drivers\lcldxjxd.sys
2009-01-13 16:29 . 2009-01-14 05:01 2,816 --a------ c:\windows\bsskyjho
2009-01-06 18:43 . 2009-01-06 18:43 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\McAfee
2009-01-06 12:44 . 2009-01-14 11:35 11,159 --a------ c:\windows\system32\Config.MPF
2009-01-06 12:42 . 2009-01-06 12:42 <DIR> d-------- c:\program files\McAfee.com
2009-01-06 12:42 . 2009-01-06 15:47 <DIR> d-------- c:\program files\McAfee
2009-01-06 12:42 . 2009-01-06 12:42 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-06 12:42 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-06 12:42 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-06 12:42 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-06 12:42 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-06 12:42 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-06 12:42 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-06 12:38 . 2009-01-06 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 09:08 . 2009-01-06 09:08 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 02:54 . 2009-01-06 02:54 <DIR> d-------- C:\VundoFix Backups
2008-12-18 01:52 . 2008-12-18 01:52 <DIR> d-------- c:\program files\DVD Flick
2008-12-18 01:52 . 2008-12-18 09:25 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\DVD Flick
2008-12-18 01:52 . 2004-03-09 00:00 662,288 --a------ c:\windows\system32\mscomct2.ocx
2008-12-18 01:52 . 2004-03-09 00:00 212,240 --a------ c:\windows\system32\richtx32.ocx
2008-12-18 01:52 . 1998-06-24 00:00 164,144 --a------ c:\windows\system32\comct232.ocx
2008-12-18 01:52 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2008-12-18 01:52 . 2007-08-31 18:36 36,864 --a------ c:\windows\system32\trayicon_handler.ocx
2008-12-18 01:52 . 2008-08-31 13:27 28,672 --a------ c:\windows\system32\mousewheel.ocx
2008-12-17 14:45 . 2008-12-17 14:57 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\BSplayer PRO
2008-12-17 04:51 . 2008-12-17 04:51 <DIR> d-------- C:\OpenCandy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 19:38 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-14 19:38 --------- d-----w c:\program files\Java
2009-01-14 19:36 --------- d-----w c:\program files\Transcode360
2009-01-14 19:09 --------- d-----w c:\program files\War-ftpd
2009-01-06 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 20:36 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-06 17:29 --------- d-----w c:\program files\PokerOffice
2008-12-17 22:54 --------- d-----w c:\program files\Webteh
2008-12-17 22:51 --------- d-----w c:\program files\Google
2008-12-17 12:51 --------- d-----w c:\program files\Red Kawa
2008-12-12 21:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 21:25 --------- d-----w c:\documents and settings\Vushbag\Application Data\My Games
2008-12-07 20:13 --------- d-----w c:\program files\PokerStars
2008-11-21 18:09 --------- d-----w c:\program files\iTunes
2008-11-21 18:09 --------- d-----w c:\program files\iPod
2008-11-21 18:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:07 --------- d-----w c:\program files\QuickTime
2008-11-17 11:15 --------- d-----w c:\documents and settings\Vushbag\Application Data\Ahead
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2007-09-11 20:17 56,912 ----a-w c:\documents and settings\Vushbag\g2mdlhlpx.exe
2008-08-03 02:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_11.32.34.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 23:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2009-01-13 19:22:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-14 19:12:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-13 19:22:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-14 19:12:45 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-14 19:12:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\init32.exe
- 2008-11-10 13:43:37 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-14 19:38:18 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-10 13:43:38 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-14 19:38:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-10 13:43:39 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-14 19:38:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-14 08:39:39 46,080 ----a-w c:\windows\Temp\ntdll64.dll
+ 2009-01-14 19:36:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_9fc.dat
+ 2009-01-14 19:38:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_ea8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"POEngine"="c:\program files\PokerOffice\POEngine.exe" [2007-02-22 475136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Transcode360"="c:\program files\Transcode360\Transcode360Tray.exe" [2006-05-02 192512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian Pro\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\KaraokeMP3-Mirc260\\mIRC_KaraokeMp3z.exe"=
"c:\\Program Files\\War-ftpd\\war-ftpd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Documents and Settings\\Vushbag\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Vushbag\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"<NO NAME>"=

R4 WARSVR;WARSVR;c:\program files\War-ftpd\war-ftpd.exe [2007-08-29 544768]
S0 aylnlfdx;aylnlfdx;c:\windows\system32\drivers\phqghume.sys [2009-01-14 25088]
S0 bsskyjho;bsskyjho;c:\windows\system32\drivers\lcldxjxd.sys [2009-01-13 25088]
S0 dmucpphs;dmucpphs;c:\windows\system32\drivers\zkllksim.sys []

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-515967899-839522115-1003.job
- c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:54]

2009-01-06 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-06 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\TEMP\ntdll64.dll
FF - ProfilePath - c:\documents and settings\Vushbag\Application Data\Mozilla\Firefox\Profiles\fzyjxb4n.default\
FF - plugin: c:\documents and settings\Vushbag\Application Data\Mozilla\Firefox\Profiles\fzyjxb4n.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Vushbag\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 11:43:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\drivers\zkllksim.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-01-14 11:44:24
ComboFix-quarantined-files.txt 2009-01-14 19:44:17
ComboFix2.txt 2009-01-14 13:12:45
ComboFix3.txt 2009-01-13 19:33:40

Pre-Run: 63,207,714,816 bytes free
Post-Run: 63,185,076,224 bytes free

550 --- E O F --- 2008-12-14 05:28:24

---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:42 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\something.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 8304 bytes

--------------------------------------------------

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3769 (20090115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f56705b63ebfb043ac931437e1747813
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-16 01:59:03
# local_time=2009-01-15 05:59:03 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=293364
# found=12
# scan_time=1937
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip Win32/Bagle.gen.zip worm C760BC19F0172FE7F9AE8ADD3CE2479B
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip Win32/Bagle.gen.zip worm 07D95BAC0D73EA9031DE66644EBCCC1F
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VsSpy4.zip Win32/Bagle.gen.zip worm 4C5DDE24CFA3F4F17E37CF11FB994120
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip Win32/Bagle.gen.zip worm 57C02533D27EC90FEEC987C272169C69
C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Win32/TrojanDownloader.FakeAlert.VY trojan AB0DC0FA9F939F8894A4BDE2D4009029
C:\Qoobox\Quarantine\C\WINDOWS\system32\hrwldveu.dll.vir Win32/Adware.SuperJuan application BE07976F78D074203115599E70448F46
C:\Qoobox\Quarantine\C\WINDOWS\system32\niqagcuf.dll.vir a variant of Win32/Kryptik.DM trojan 5EED9D64D8300C40CB5188A875CA5617
C:\Qoobox\Quarantine\C\WINDOWS\system32\rggnbapi.dll.vir Win32/Adware.Virtumonde application CE72B93FAD6F2928FF3AE03C204863CE
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekamlvbhvcp.dll.vir Win32/Agent.ORL trojan 27E697F7A2162F3EDEBADEE320B9F6EE
C:\Qoobox\Quarantine\C\WINDOWS\system32\ybsfeq.dll.vir Win32/Adware.SuperJuan application BE07976F78D074203115599E70448F46
C:\WINDOWS\system32\pcload.exe Win32/TrojanDownloader.FakeAlert.VY trojan AB0DC0FA9F939F8894A4BDE2D4009029
F:\Jason Mraz\Jason Mraz - We Sing, We Dance, We Steal Things [2008] full\08 Jason Mraz - Coyotes.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan CDC7098DF2C65A0CB6A5C8CEFD611551

 

[Blade81]

Hi again,


Download LSPFix to your system. Run it (unzip to your desktop first if you downloaded the zip file).

See is there ntdll64.dll found in left box. If there is then check 'I know what I'm doing' -option, highlight ntdll64.dll and click button which arrows point right. After that ntdll64.dll should appear in right box. Click 'finish'.


Open notepad and copy/paste the text in the quotebox below into it:

Driver::
aylnlfdx
bsskyjho
dmucpphs

File::
c:\windows\dmucpphs
c:\windows\system32\drivers\phqghume.sys
c:\windows\system32\pcload.exe
c:\windows\system32\drivers\lcldxjxd.sys
c:\windows\bsskyjho
c:\windows\system32\drivers\zkllksim.sys
c:\windows\TEMP\ntdll64.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VsSpy4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
F:\Jason Mraz\Jason Mraz - We Sing, We Dance, We Steal Things [2008] full\08 Jason Mraz - Coyotes.mp3

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. How's the system running?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[ledfoot]

ntdll64.dll not found. Logs

ComboFix 09-01-15.01 - Vushbag 2009-01-16 10:50:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1277 [GMT -8:00]
Running from: c:\documents and settings\Vushbag\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Vushbag\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VsSpy4.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
c:\windows\bsskyjho
c:\windows\dmucpphs
c:\windows\system32\drivers\lcldxjxd.sys
c:\windows\system32\drivers\phqghume.sys
c:\windows\system32\drivers\zkllksim.sys
c:\windows\system32\pcload.exe
c:\windows\TEMP\ntdll64.dll
f:\jason mraz\Jason Mraz - We Sing, We Dance, We Steal Things [2008] full\08 Jason Mraz - Coyotes.mp3
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Vushbag\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Vushbag\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\InternetSpeedMonitor.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VsSpy4.zip
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentamwr1.zip
c:\windows\bsskyjho
c:\windows\dmucpphs
c:\windows\system32\drivers\lcldxjxd.sys
c:\windows\system32\drivers\phqghume.sys
c:\windows\system32\pcload.exe
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BSSKYJHO
-------\Legacy_DMUCPPHS
-------\Service_aylnlfdx
-------\Service_bsskyjho
-------\Service_dmucpphs


((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-15 17:23 . 2009-01-15 17:59 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-15 08:57 . 2009-01-15 08:57 127 --a------ c:\windows\system32\MRT.INI
2009-01-14 11:38 . 2009-01-14 11:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-14 11:29 . 2009-01-14 11:29 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-14 11:28 . 2009-01-14 11:28 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-14 05:07 . 2009-01-14 05:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee
2009-01-14 05:00 . 2009-01-14 05:00 25,088 --a------ c:\windows\system32\drivers\zkllksim.sys
2009-01-06 18:43 . 2009-01-15 08:53 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\McAfee
2009-01-06 12:38 . 2009-01-15 09:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-06 09:08 . 2009-01-06 09:08 <DIR> d-------- c:\program files\Trend Micro
2009-01-06 02:54 . 2009-01-06 02:54 <DIR> d-------- C:\VundoFix Backups
2008-12-18 01:52 . 2008-12-18 01:52 <DIR> d-------- c:\program files\DVD Flick
2008-12-18 01:52 . 2008-12-18 09:25 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\DVD Flick
2008-12-18 01:52 . 2004-03-09 00:00 662,288 --a------ c:\windows\system32\mscomct2.ocx
2008-12-18 01:52 . 2004-03-09 00:00 212,240 --a------ c:\windows\system32\richtx32.ocx
2008-12-18 01:52 . 1998-06-24 00:00 164,144 --a------ c:\windows\system32\comct232.ocx
2008-12-18 01:52 . 2003-01-26 13:41 40,960 --a------ c:\windows\system32\ssubtmr6.dll
2008-12-18 01:52 . 2007-08-31 18:36 36,864 --a------ c:\windows\system32\trayicon_handler.ocx
2008-12-18 01:52 . 2008-08-31 13:27 28,672 --a------ c:\windows\system32\mousewheel.ocx
2008-12-17 14:45 . 2008-12-17 14:57 <DIR> d-------- c:\documents and settings\Vushbag\Application Data\BSplayer PRO
2008-12-17 04:51 . 2008-12-17 04:51 <DIR> d-------- C:\OpenCandy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 18:52 --------- d-----w c:\program files\War-ftpd
2009-01-16 09:24 --------- d-----w c:\program files\PokerStars
2009-01-15 17:52 --------- d-----w c:\program files\Transcode360
2009-01-14 19:38 --------- d-----w c:\program files\Java
2009-01-06 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 20:36 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-06 17:29 --------- d-----w c:\program files\PokerOffice
2008-12-17 22:54 --------- d-----w c:\program files\Webteh
2008-12-17 22:51 --------- d-----w c:\program files\Google
2008-12-17 12:51 --------- d-----w c:\program files\Red Kawa
2008-12-12 21:25 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 21:25 --------- d-----w c:\documents and settings\Vushbag\Application Data\My Games
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 18:09 --------- d-----w c:\program files\iTunes
2008-11-21 18:09 --------- d-----w c:\program files\iPod
2008-11-21 18:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:07 --------- d-----w c:\program files\QuickTime
2008-11-17 11:15 --------- d-----w c:\documents and settings\Vushbag\Application Data\Ahead
2007-09-11 20:17 56,912 ----a-w c:\documents and settings\Vushbag\g2mdlhlpx.exe
2008-08-03 02:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080220080803\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_11.32.34.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 23:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2009-01-13 19:22:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-15 13:26:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-13 19:22:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-15 13:26:06 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-15 13:26:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-10 13:43:30 410,984 ----a-w c:\windows\system32\deploytk.dll
+ 2009-01-14 19:38:18 410,984 ----a-w c:\windows\system32\deploytk.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-04-14 00:12:38 26,112 -c--a-w c:\windows\system32\dllcache\userinit.exe
+ 2008-04-14 00:12:38 26,112 ----a-w c:\windows\system32\init32.exe
- 2008-11-10 13:43:37 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-14 19:38:18 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-10 13:43:38 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-14 19:38:19 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-10 13:43:39 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-14 19:38:19 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2007-07-27 23:49:02 196,683 ----a-w c:\windows\system32\lnod32apiA.dll
+ 2007-07-27 23:49:02 225,355 ----a-w c:\windows\system32\lnod32apiW.dll
+ 2005-12-06 04:25:22 139,264 ----a-w c:\windows\system32\lnod32umc.dll
+ 2005-12-05 21:37:10 106,496 ----a-w c:\windows\system32\lnod32upd.dll
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2007-08-03 02:11:28 253,952 ----a-w c:\windows\system32\OnlineScannerDLLA.dll
+ 2007-08-03 02:11:14 241,664 ----a-w c:\windows\system32\OnlineScannerDLLW.dll
+ 2007-08-06 21:17:40 19,456 ----a-w c:\windows\system32\OnlineScannerLang.dll
+ 2007-06-13 19:10:34 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2004-12-07 19:11:34 258,352 ----a-w c:\windows\system32\unicows.dll
+ 2009-01-16 18:53:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_114.dat
+ 2009-01-16 18:53:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7d4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"POEngine"="c:\program files\PokerOffice\POEngine.exe" [2007-02-22 475136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Transcode360"="c:\program files\Transcode360\Transcode360Tray.exe" [2006-05-02 192512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-14 136600]
"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian Pro\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\KaraokeMP3-Mirc260\\mIRC_KaraokeMp3z.exe"=
"c:\\Program Files\\War-ftpd\\war-ftpd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Documents and Settings\\Vushbag\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Vushbag\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"<NO NAME>"=

R4 WARSVR;WARSVR;c:\program files\War-ftpd\war-ftpd.exe [2007-08-29 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052111302-515967899-839522115-1003.job
- c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Vushbag\Application Data\Mozilla\Firefox\Profiles\fzyjxb4n.default\
FF - plugin: c:\documents and settings\Vushbag\Application Data\Mozilla\Firefox\Profiles\fzyjxb4n.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Vushbag\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Vushbag\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 10:54:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\RMSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\ehome\McrdSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\PokerOffice\bin\javaw.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
.
**************************************************************************
.
Completion time: 2009-01-16 10:57:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 18:57:05
ComboFix2.txt 2009-01-14 19:44:25
ComboFix3.txt 2009-01-14 13:12:45
ComboFix4.txt 2009-01-13 19:33:40

Pre-Run: 63,184,797,696 bytes free
Post-Run: 63,229,497,344 bytes free

253 --- E O F --- 2009-01-15 16:58:03


-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:49 AM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 8391 bytes

 

[Blade81]

Hi

Delete c:\windows\system32\drivers\zkllksim.sys file if found, post a fresh hjt log and then let me know how's the system running.

 

[ledfoot]

I deleted the file and the system seems to be running smoothly now.


Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:38 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Transcode360\Transcode360Tray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\PokerOffice\bin\javaw.exe
C:\Program Files\PokerStars\PokerStars.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Transcode360] C:\Program Files\Transcode360\Transcode360Tray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Vushbag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-2052111302-515967899-839522115-1007\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'warftpd-user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177625970453
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: WARSVR - Jgaa's Internet (www.jgaa.com) - C:\Program Files\War-ftpd\war-ftpd.exe

--
End of file - 8470 bytes

 

[Blade81]

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

Please download OTMoveIt3 and save it to desktop.

• Double-click OTMoveIt3.exe.
• Click the CleanUp! button.
• Select Yes when the
  Begin cleanup Process?
  prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• hosts file:
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
• Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
  Antivir
  Avast!
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
  If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).
  
• recommended Firefox addons
  
  Adblock Plus and NoScript

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade