Unknown - Probably Infection

My final solution: Delete boot.ini. Now i've booted back into windows. I'm not going to try that again.

Any other ideas on what to do? I googled and found that SPTD.sys was had some incompatibility issues and sometimes prevents the loading of safe mode. I'm upgrading it right now, and going to try loading safe mode again.
 
Ok. Managed to delete mdelk.exe. Still cannot boot into safe mode, or run any antivirus. Deleted SPTD.sys, and now it restarts at MUP.sys without any warning when booting into safe mode.

I still don't see any suspicious virus behavior... but why would my antivirus suddenly not work after working fine for so long...
 
Here is the ESET log.




# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2873 (20080213)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e230fc137e9ef54ba6c39410f434eb5d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-14 09:20:13
# local_time=2008-02-14 01:20:13 (-0800, Pacific Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=506544
# found=20
# scan_time=5061
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\3L24I2NQ\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\3L24I2NQ\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\K7932JCS\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[2].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_1[3].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_2[2].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\MBR9UX0L\b64_31[2].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_1[1].jpg Win32/Bagle.LY worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_2[1].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_2[2].jpg Win32/Bagle.LF worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[1].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[2].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[3].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[4].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\TOZX91R1\b64_31[5].jpg a variant of Win32/Bagle worm (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mdelk.exe a variant of Win32/Bagle worm (unable to clean - error while deleting) 771623BE7FBD00AAC125685BAA4A35EC
G:\vist\WGA.october.2007.(lildude) (v7).1.7.59.1\Windows Xp Sp2 Keygen with auto key changer\1) Windows XP SP2 Keygen\KeyGen.exe probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000



There must be some registry, as I know I deleted mdelk but it poped back up.
 
hi,

thanks for the info. iam starting to think its something more than malware now. corrupted registry and or files?
IE: the errors at boot up. you should start thinking about a reformat/reinstall of windows. just in case. you should pull off to cd/dvd, flash drive 2nd HD etc anything you dont want to lose.
i think you can enter safe mode, its the errors at bootup that are preventing it, why you can boot normally with no problems i have no idea. I also wouldnt edit the boot.ini file unless you are sure of what you are doing. could leave you with a door stop.
if you have the windows install cd you can try system file checker although it wont fix a corrupt registry.

run>start and type in sfc /scannow
there is space after the c and before the /
its worth a try anyway at this point.
 
Thanks for the help. I really hope its not a corrupt file system... I don't have any removable harddrives, that means I would have to upload all backups and everything to the internet, which firstly isn't safe for my files, and secondly I can't access them until I reinstall, and I have tons of school work right now that requires computer.

I'm going to try booting with the /sos switch and seeing the problem. I have already tried the Microsoft disk recovery service, and it requires a floppy that I don't have.

Thanks for all your help. I hope this will work out...
 
hi,

that last online scan dosnt really look to bad. so lets say you do get into safe mode and manage to clean up some files. if its a corrupt registry or files you will still have the same problem.
if you have the install cd you could try a repair of xp which should preserve your data. see links:

http://www.michaelstevenstech.com/XPrepairinstall.htm
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/doug92.mspx

in any case you should really backup what you can.
better to lose some data then all of it.
 
I would rather not be so hasty...

I just checked the boot sequence and error message from the boot using the /sos switch. The error appears to be:

0x0000007B(0xF7906528, 0xC0000034, 0x00000000, 0x00000000)

I'm posting this on the Microsoft support forum to see if anyone can make sense of it.

I will run sfc soon.

So, now instead of that problem, is there any way to remove the Bagel infection without going to safe mode? I tried Sopho's Bagel remover, which doesn't find it. Spyware S&D Can't load up. So....

Maybe could you also ask around the other helpers? Some of them might know something.
 
hi,
I would rather not be so hasty...
Click to expand...
its not about being hasty, more like being prepared, a just in case.

i think you have the "new" version of the worm. i think the tool you have is for the older versions.
i also think it may be part of a root kit. lets try gmer.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit/Malware tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
-------------------------------------
 
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-15 18:35:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile

---- Kernel code sections - GMER 1.0.14 ----



I'm skipping the kernel code sections because that section is huge. Also, hldrrr.exe was running as a hidden process, along with winitems.exe.

I can't find the log, so I'm going to try a rescan and post the log.
 
Ok. The important parts of the log, so the log is shortened from about 3 million characters to the limit of 20k characters.

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-15 19:05:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xBAEE831C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xBAEEDC8A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xBAEE841A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile


---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 3704 [Registry]

File C:\WINDOWS\system32\drivers\srosa.sys 112432 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\hldrrr.exe 746967 bytes
File C:\WINDOWS\system32\drivers\down

A Ton of C:\WINDOWS\system32\drivers\down\########.exe
632
File C:\WINDOWS\system32\wintems.exe 71172 bytes
File C:\WINDOWS\ime\SHARED 0 bytes
File C:\WINDOWS\ime\SHARED\imepaden.hlp 81368 bytes
File C:\WINDOWS\ime\SHARED\imepadsm.dll 102463 bytes
File C:\WINDOWS\ime\SHARED\imepadsv.exe 311359 bytes
File C:\WINDOWS\ime\SHARED\imlang.dll 102456 bytes
File C:\WINDOWS\ime\SHARED\RES 0 bytes
File C:\WINDOWS\ime\SHARED\RES\PADRS404.DLL 15872 bytes
File C:\WINDOWS\ime\SHARED\RES\padrs411.dll 36927 bytes
File C:\WINDOWS\ime\SHARED\RES\padrs412.dll 14336 bytes
File C:\WINDOWS\ime\SHARED\RES\padrs804.dll 15360 bytes

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
 
hi,

ok good.

Run gmer app again.
Click the tab called Processes and click on the safe button. The computer will reboot and the Gmer screen will re-open.
Click on files and browse to these:

C:\WINDOWS\system32\drivers\srosa.sys
Now click Delete button

and get these two also:

C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\hldrrr.exe

Now click on the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer
post the new gmer log.
 
hi,

ok good you got rid of those processes - no items in red or warnings about rootkits when you reran gmer?
still unable to run anything? can you boot into safe mode?

ive been looking for more info on it. got some links, sometimes they may be helpful, sometimes not. these malware coders can come out with new variations to a infection overnight.

http://www.symantec.com/security_response/writeup.jsp?docid=2007-091411-1857-99&tabid=1

http://www.viruslist.com/en/viruses/encyclopedia?virusid=21780028
 
Yep. It's gone. There still is a registry key, invisible so I can't delete it, pointing to hldrrr.exe. However, it can't find the file, so it can't execute it.

This must be an updated version, because it's no longer hidr.exe.

I'm going to try reinstalling nod32 right now.


Thanks for all your help!

Also, the safe mode problem may not be caused by this at all.
 
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:11 PM, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DayMate] C:\Program Files\DayMate\daymate.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet ×ê?′???÷ - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: http://www.talkaboutcanada.ca
O15 - Trusted Zone: http://s3.travian.com
O15 - Trusted Zone: http://s5.travian.com
O15 - Trusted Zone: http://s6.travian.com
O15 - Trusted Zone: http://www.travian.com
O15 - Trusted Zone: http://s3.travian.us
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) - http://download.netmarble.com/web/nmstarter/NMStarter25.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games ?Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {EC824758-3CF5-4C32-BF22-D88413B45EFE} (O2runner Control) - http://o2jam.o2jam.com/ActiveX/o2runner.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 13453 bytes

THANK YOU SO MUCH!!! Now everything works again, I just have to re-dl it.
THANKS!
NB. when i get paypal I WILL donate.
 
hi jonathanasdf,

glad i could help. you should do a full scan with your updated antivirus and spybot.


start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe

O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

careful what you download with bitcomet, there is plenty of malware on the networks. i have some p2p tips on my website.

post another hjt log. hows the safe mode problem?
 
Haven't quite tried safe mode yet. I used FreshUI and deleted Winitems + German from autorun. Also removed the registry files.

Spybot found some other random things. I couldn't find the log, so here's the data..

LOG!!

AdWatch found the remnants of Bagle and removed them.

Thanks a lot. Really.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:06 PM, on 18/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program

Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft

Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download

Manager\iefdmcks.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} -

G:\solidconverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless

Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program

Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download

Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download

Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download

Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program

Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12

\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2

\Office12\ONBttnIE.dll
O9 - Extra button: BitComet ×ê?′???÷ - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program

Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: http://www.talkaboutcanada.ca
O15 - Trusted Zone: http://s3.travian.com
O15 - Trusted Zone: http://s5.travian.com
O15 - Trusted Zone: http://s6.travian.com
O15 - Trusted Zone: http://www.travian.com
O15 - Trusted Zone: http://s3.travian.us
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00001025-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter25 Class) -

http://download.netmarble.com/web/nmstarter/NMStarter25.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -

http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) -

http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) -

https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-

secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) -

http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) -

http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) -

http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-

games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) -

http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) -

http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-

UNO1/GAME_UNO1.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) -

http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-

secure.com/ols3beta/fscax.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -

http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) -

http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games ?Hearts) -

http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) -

http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -

http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) -

http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} -

http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) -

http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) -

http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {EC824758-3CF5-4C32-BF22-D88413B45EFE} (O2runner Control) - http://o2jam.o2jam.com/ActiveX/o2runner.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -

http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12

\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007

\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32

\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. -

C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision

Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program

Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows

Live\installer\WLSetupSvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 13599 bytes


Thanks
 
You must log in or register to reply here.
Back
Top