virtumonde & virtumonde.generic infetion

malvakai · Dec 4, 2008

I have run spybot already and it couldnt get the two virtumonde off. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:24 AM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Winamp\winampa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Avira anti virus\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Avira anti virus\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Avira anti virus\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\mandy\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Avira anti virus\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_SDD.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O15 - Trusted Zone: http://www.download.com
O15 - Trusted Zone: *.dw.com
O15 - Trusted Zone: http://www.neopets.com
O15 - Trusted Zone: http://www.secondlife.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O20 - AppInit_DLLs: siaeyo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Avira anti virus\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Avira anti virus\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8598 bytes

Shaba · Dec 7, 2008

Hi malvakai

Rename HijackThis.exe to malvakai.exe and post back a fresh HijackThis log, please

malvakai · Dec 9, 2008

Update: my computer completely locked up and had to take it to someone to "fix"... I am able to log into the internet again but he didnt actually fix anything, I'm still getting hit with popups. I haven't a clue what he actually did.

Here is the new log. I hope I did this right.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:11 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\mandy\Desktop\malvakai.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {88E1594B-6339-4598-9595-0B49AEB0AD20} - C:\WINDOWS\system32\cbXNEuuR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D9CF531A-CC85-483E-BC9F-4BC343360DD7} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FB0A842F-3739-4555-987E-82B9A1334B34} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O20 - AppInit_DLLs: khvaju.dll
O20 - Winlogon Notify: urqRHxvW - urqRHxvW.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7641 bytes

Shaba · Dec 9, 2008

I see that AntiVir has been uninstalled.

Please reinstall it and post back a fresh HijackThis log afterwards.

malvakai · Dec 9, 2008

This is how I got locked up last time. Avira gives me such constant popups that nothing else will run. As fast as I click the deny or the delete button I get more and more detection popups until I cant do anything. -starting to panic-

It wont let me run HJT while these avira detection popups are slamming me so I've had to turn it off, but it's there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:33 AM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\explorer.exe
C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\mandy\Desktop\malvakai.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {4AD26438-20B2-4AE7-92D5-1DB78F5C4609} - C:\WINDOWS\system32\cbXNEuuR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D9CF531A-CC85-483E-BC9F-4BC343360DD7} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FB0A842F-3739-4555-987E-82B9A1334B34} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O20 - AppInit_DLLs: khvaju.dll fvzztk.dll
O20 - Winlogon Notify: urqRHxvW - urqRHxvW.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8194 bytes

Shaba · Dec 9, 2008

I see, that is likely due to infection.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Disable also AntiVir.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

malvakai · Dec 9, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:32 AM, on 12/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SoftwareDistribution\Download\0eee9353a41e1ffb7bc4207f5acf499f\update\update.exe
C:\Documents and Settings\mandy\Desktop\malvakai.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O20 - AppInit_DLLs: khvaju.dll fvzztk.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7528 bytes

ComboFix 08-12-07.04 - mandy 2008-12-09 11:26:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1617 [GMT -7:00]
Running from: c:\documents and settings\mandy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mandy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\avsapyfj.dll
c:\windows\system32\bgwyfhek.dll
c:\windows\system32\cbXNEuuR.dll
c:\windows\system32\cgffojen.dll
c:\windows\system32\cqjkst.dll
c:\windows\system32\dkacuxyl.dll
c:\windows\system32\ffvwnsiw.dll
c:\windows\system32\fvzztk.dll
c:\windows\system32\gnnltdit.ini
c:\windows\system32\jckskb.dll
c:\windows\system32\jfypasva.ini
c:\windows\system32\khvaju.dll
c:\windows\system32\laigones.dll
c:\windows\system32\ljonmdrn.dll
c:\windows\system32\logdtdgu.ini
c:\windows\system32\lyxucakd.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\oxmustdu.dll
c:\windows\system32\pgibjt.dll
c:\windows\system32\RuuENXbc.ini
c:\windows\system32\RuuENXbc.ini2
c:\windows\system32\slyhsjmv.dll
c:\windows\system32\sxpdstsv.dll
c:\windows\system32\tbrirr.dll
c:\windows\system32\tebwgmdn.dll
c:\windows\system32\tkjueqov.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 10:05 . 2008-12-09 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-09 10:05 . 2008-12-09 10:05 <DIR> d-------- C:\Avira
2008-12-08 15:21 . 2008-12-08 16:28 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-07 14:33 . 2008-12-07 14:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 14:33 . 2008-12-08 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 12:30 . 2008-12-07 14:04 2,354 --a------ C:\rollback.ini
2008-12-07 12:15 . 2008-12-07 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-07 12:15 . 2008-12-07 12:21 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-07 12:14 . 2008-12-07 14:25 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-07 10:39 . 2008-12-07 10:39 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-07 10:28 . 2008-12-07 10:48 3,632 --a------ c:\windows\system32\spupdsvc.inf
2008-12-07 10:25 . 2008-04-14 05:42 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll
2008-12-07 10:25 . 2008-04-13 22:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2008-12-07 10:22 . 2008-12-07 10:22 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-07 10:17 . 2006-12-29 00:31 19,569 --a------ c:\windows\003445_.tmp
2008-12-07 07:46 . 2008-12-07 07:48 <DIR> d-------- C:\f6e9123a9fffab9c53e3371ca32f2d
2008-12-07 02:01 . 2008-12-07 14:24 <DIR> d-------- c:\windows\Internet Logs
2008-12-07 00:52 . 2006-12-29 00:31 19,569 --a------ c:\windows\003444_.tmp
2008-12-07 00:42 . 2008-12-07 00:45 <DIR> d-------- C:\a5627bf6fc2e5deb51a5eb09e1ff
2008-12-07 00:04 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-07 00:04 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-06 22:51 . 2008-12-06 22:51 13,646 --a------ c:\windows\system32\wpa.bak
2008-12-06 22:45 . 2004-08-04 05:00 73,728 --a--c--- c:\windows\system32\dllcache\w3ext.dll
2008-12-06 22:45 . 2004-08-04 05:00 48,256 --a--c--- c:\windows\system32\dllcache\w32.dll
2008-12-06 22:45 . 2004-08-04 05:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2008-12-06 22:45 . 2004-08-04 05:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2008-12-06 22:45 . 2004-08-04 05:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-06 22:45 . 2004-08-04 05:00 9,216 --a--c--- c:\windows\system32\dllcache\wamps51.dll
2008-12-06 22:45 . 2004-08-04 05:00 5,632 --a--c--- c:\windows\system32\dllcache\w3svapi.dll
2008-12-06 22:45 . 2004-08-04 05:00 4,608 --a--c--- c:\windows\system32\dllcache\w3ctrs51.dll
2008-12-06 22:43 . 2004-08-04 05:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2008-12-06 22:42 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-06 22:41 . 2004-08-04 05:00 169,984 --a--c--- c:\windows\system32\dllcache\iisui.dll
2008-12-06 22:08 . 2004-08-04 05:00 1,086,058 -ra------ c:\windows\SET4C.tmp
2008-12-06 22:08 . 2004-08-04 05:00 1,042,903 -ra------ c:\windows\SET49.tmp
2008-12-06 22:08 . 2004-08-04 05:00 13,753 -ra------ c:\windows\SET58.tmp
2008-12-06 21:24 . 2004-08-04 05:00 1,086,058 -ra------ c:\windows\SET4B.tmp
2008-12-06 21:24 . 2004-08-04 05:00 1,042,903 -ra------ c:\windows\SET48.tmp
2008-12-06 21:24 . 2004-08-04 05:00 13,753 -ra------ c:\windows\SET57.tmp
2008-12-06 20:31 . 2004-08-04 05:00 1,086,058 -ra------ c:\windows\SET4A.tmp
2008-12-06 20:31 . 2004-08-04 05:00 1,042,903 -ra------ c:\windows\SET47.tmp
2008-12-06 20:31 . 2004-08-04 05:00 13,753 -ra------ c:\windows\SET56.tmp
2008-12-06 20:16 . 2008-12-06 22:25 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-06 20:14 . 2004-08-04 05:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-12-06 20:11 . 2004-08-04 05:00 55,296 --a------ c:\windows\system32\SET12E.tmp
2008-12-06 20:11 . 2008-04-13 17:11 55,296 --a------ c:\windows\system32\COM12F.tmp
2008-12-06 20:11 . 2004-08-04 05:00 23,552 --a------ c:\windows\system32\SET131.tmp
2008-12-06 20:11 . 2008-04-13 17:11 23,552 --a------ c:\windows\system32\COM132.tmp
2008-12-06 19:53 . 2004-08-04 05:00 1,042,903 --a--c--- c:\windows\system32\dllcache\SP2.CAT
2008-12-06 19:53 . 2004-08-04 05:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2008-12-06 19:53 . 2004-08-04 05:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT
2008-12-06 19:53 . 2004-08-04 05:00 37,484 --a--c--- c:\windows\system32\dllcache\MW770.CAT
2008-12-06 19:53 . 2004-08-04 05:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-12-06 19:53 . 2004-08-04 05:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-12-06 19:53 . 2004-08-04 05:00 13,472 --a--c--- c:\windows\system32\dllcache\HPCRDP.CAT
2008-12-06 19:53 . 2004-08-04 05:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-12-06 19:53 . 2004-08-04 05:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-12-06 19:53 . 2004-08-04 05:00 8,574 --a--c--- c:\windows\system32\dllcache\IASNT4.CAT
2008-12-06 19:53 . 2004-08-04 05:00 7,382 --a--c--- c:\windows\system32\dllcache\OEMBIOS.CAT
2008-12-06 19:53 . 2004-08-04 05:00 7,334 --a--c--- c:\windows\system32\dllcache\wmerrenu.cat
2008-12-06 19:52 . 2008-12-06 22:51 1,196,000 --a------ c:\windows\setupapi.log.2.old
2008-12-06 19:52 . 2004-08-04 05:00 1,086,058 -ra------ c:\windows\SET83.tmp
2008-12-06 19:52 . 2004-08-04 05:00 1,042,903 -ra------ c:\windows\SET80.tmp
2008-12-06 19:52 . 2004-08-04 05:00 13,753 -ra------ c:\windows\SET8F.tmp
2008-12-06 18:46 . 2008-12-07 10:46 1,374 --a------ c:\windows\imsins.BAK
2008-12-06 18:42 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2008-12-06 18:18 . 2008-12-06 18:18 <DIR> d-------- c:\documents and settings\mandy\Application Data\Apple Computer
2008-12-06 15:06 . 2008-12-06 15:06 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-04 13:20 . 2008-12-04 13:20 73,728 --a--c--- c:\windows\system32\javacpl.cpl
2008-12-04 12:08 . 2008-12-04 12:10 <DIR> d-------- C:\QuickTime
2008-12-04 12:08 . 2008-12-04 12:08 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-04 12:04 . 2008-12-04 12:04 <DIR> d-------- c:\program files\Apple Software Update
2008-12-04 12:04 . 2008-12-04 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-04 09:29 . 2008-12-06 18:42 28,678 --a------ c:\windows\setupapi.old
2008-12-03 21:20 . 2008-12-04 10:04 <DIR> d-------- C:\Trend Micro
2008-12-03 13:46 . 2008-12-06 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 22:02 . 2008-12-01 22:03 <DIR> d-------- C:\Temp
2008-11-23 11:48 . 2008-12-04 13:20 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-15 17:52 . 2008-11-16 18:45 <DIR> d-------- C:\DVD Flick

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 06:33 --------- d-----w c:\documents and settings\mandy\Application Data\Azureus
2008-12-07 05:21 1,663 ----a-w c:\windows\inf\COMA7.tmp
2008-12-07 04:38 1,663 ----a-w c:\windows\inf\COMA6.tmp
2008-12-07 04:08 1,663 ----a-w c:\windows\inf\COMA5.tmp
2008-12-05 05:15 --------- d-----w c:\program files\Warcraft III
2008-12-04 22:29 --------- d-----w c:\program files\Windows Live Toolbar
2008-12-04 20:14 --------- d-----w c:\documents and settings\mandy\Application Data\Winamp
2008-12-04 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-04 18:29 --------- d-----w c:\program files\Java
2008-12-03 19:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 19:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 15:44 --------- d-----w c:\documents and settings\mandy\Application Data\gtk-2.0
2008-11-22 13:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-22 13:31 --------- d-----w c:\program files\Sierra
2008-11-22 13:30 --------- d-----w c:\program files\ArcSoft
2008-11-22 13:29 --------- d-----w c:\documents and settings\mandy\Application Data\ArcSoft
2008-11-22 04:22 --------- d-----w c:\program files\Vuze
2008-11-22 04:00 --------- d--h--w c:\program files\Zero G Registry
2008-11-09 06:32 --------- d-----w c:\program files\3Planesoft Screensaver Manager
2008-10-28 01:34 --------- d-----w c:\documents and settings\mandy\Application Data\Acreon
2008-10-25 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-10-20 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-17 03:28 --------- d-----w c:\documents and settings\mandy\Application Data\Move Networks
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-09 23:11 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-08-12 04:05 7,670,000 ----a-w c:\documents and settings\mandy\QuickCareSetup2.exe
2008-06-09 22:48 61,224 ----a-w c:\documents and settings\mandy\GoToAssistDownloadHelper.exe
2008-04-14 00:20 115,648 ----a-w c:\documents and settings\mandy\Application Data\GDIPFONTCACHEV1.DAT
2008-03-22 06:30 0 -c--a-w c:\program files\temp01
2007-11-12 03:49 1,696 ----a-w c:\documents and settings\mandy\Application Data\wklnhst.dat
2007-01-21 20:58 774,144 -c--a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-30 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-09-06 413696]
"WinampAgent"="c:\winamp\winampa.exe" [2008-09-12 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"avgnt"="c:\avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=khvaju.dll fvzztk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\bs player etc\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"17463:TCP"= 17463:TCP:VUZE
"17463:UDP"= 17463:UDP:VUZE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1741e702-5d9b-11dc-84d0-001167151cce}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af7b7879-c445-11dd-85b6-00188baed655}]
\Shell\AutoRun\command - E:\install.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B01B1BFF-D4C1-45FE-9453-51DBE8348152} - c:\windows\system32\cbXNEuuR.dll
BHO-{D9CF531A-CC85-483E-BC9F-4BC343360DD7} - (no file)
BHO-{FB0A842F-3739-4555-987E-82B9A1334B34} - (no file)
Notify-urqRHxvW - urqRHxvW.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;<local>

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 11:31:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\ati2evxx.exe
c:\avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\SoftwareDistribution\Download\963193362d99ddbedffb21408a40248b\update\update.exe
.
**************************************************************************
.
Completion time: 2008-12-09 11:38:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 18:36:35

Pre-Run: 20,362,436,608 bytes free
Post-Run: 20,358,455,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

281 --- E O F --- 2008-11-13 10:01:13

Shaba · Dec 9, 2008

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

malvakai · Dec 9, 2008

3Planesoft Screensaver Manager 1.2
Actiontec Gateway
Adobe Color Common Settings
Adobe Color Common Settings
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
Adobe Setup
Adobe Setup
Adobe Shockwave Player
AltoMP3 Gold 5.20
AOLIcon
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Avimator (remove only)
Avira AntiVir Personal - Free Antivirus
AZZ Cardfile
Big Fish Games Client
Broadcom Management Programs
BSPlayer
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Coral Clock 3D Screensaver 1.0
Dell Support 3.2.1
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Direct Show Ogg Vorbis Filter (remove only)
DivX Content Uploader
DivX Web Player
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
Feeding Frenzy 2 Shipwreck Showdown (remove only)
ffdshow (remove only)
Fishdom
GIMP 2.4.0
Hotfix for Windows XP (KB952287)
InterActual Player
Java(TM) 6 Update 11
Learn2 Player (Uninstall Only)
Mahjong World (remove only)
Matroska Pack - Lazy Man's MKV 0.9.6
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Protection Service
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works Suite 2006 Setup Launcher
Modem Helper
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
msxml4SP2
NetWaiting
OutlookAddinSetup
Paint Shop Pro 7 ESD
Qualxserve Service Agreement
QuickConnect
QuickSet
QuickTime
Qwest QuickCare 2.0
RealPlayer
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Starcraft
Synaptics Pointing Device Driver
The Lost Watch 3D Screensaver 1.0
The Rosetta Stone
TypeItIn Professional V2.8.1
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VC 9.0 Runtime
Viewpoint Media Player
Vuze
Western Railway 3D Screensaver 1.0
WinAce Archiver
Winamp
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3
WLTB Custom Buttons
World of Warcraft
Yahoo! Internet Mail

malvakai · Dec 9, 2008

Spybot has just now given me a list of 6 more infections: Adrevolver, Busrtmedia, Doubleclick, Fastclick, Right Media and Zedo... but not the dreaded Virtumonde. Is this forward progress? -smiles wryly-

Shaba · Dec 9, 2008

Yes we are progressing.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Vuze

I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall list scan when finished and post the log back here.

malvakai · Dec 9, 2008

Woot! Second scan with Spybot shows NO infections this time -happy dance- Just awaiting your good word now and if possible a list of things I should do to immunize myself from this happening again anytime soon.

malvakai · Dec 9, 2008

3Planesoft Screensaver Manager 1.2
Actiontec Gateway
Adobe Color Common Settings
Adobe Color Common Settings
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
Adobe Setup
Adobe Setup
Adobe Shockwave Player
AltoMP3 Gold 5.20
AOLIcon
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Avimator (remove only)
Avira AntiVir Personal - Free Antivirus
AZZ Cardfile
Big Fish Games Client
Broadcom Management Programs
BSPlayer
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Coral Clock 3D Screensaver 1.0
Dell Support 3.2.1
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Direct Show Ogg Vorbis Filter (remove only)
DivX Content Uploader
DivX Web Player
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
Feeding Frenzy 2 Shipwreck Showdown (remove only)
ffdshow (remove only)
Fishdom
GIMP 2.4.0
Hotfix for Windows XP (KB952287)
InterActual Player
Java(TM) 6 Update 11
Learn2 Player (Uninstall Only)
Mahjong World (remove only)
Matroska Pack - Lazy Man's MKV 0.9.6
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Protection Service
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works Suite 2006 Setup Launcher
Modem Helper
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
msxml4SP2
NetWaiting
OutlookAddinSetup
Paint Shop Pro 7 ESD
Qualxserve Service Agreement
QuickConnect
QuickSet
QuickTime
Qwest QuickCare 2.0
RealPlayer
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Starcraft
Synaptics Pointing Device Driver
The Lost Watch 3D Screensaver 1.0
The Rosetta Stone
TypeItIn Professional V2.8.1
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VC 9.0 Runtime
Viewpoint Media Player
Western Railway 3D Screensaver 1.0
WinAce Archiver
Winamp
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3
WLTB Custom Buttons
World of Warcraft
Yahoo! Internet Mail

Shaba · Dec 10, 2008

Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\003445_.tmp
c:\windows\003444_.tmp
c:\windows\SET4C.tmp
c:\windows\SET49.tmp
c:\windows\SET58.tmp
c:\windows\SET4B.tmp
c:\windows\SET48.tmp
c:\windows\SET57.tmp
c:\windows\SET4A.tmp
c:\windows\SET47.tmp
c:\windows\SET56.tmp
c:\windows\system32\SET12E.tmp
c:\windows\system32\COM12F.tmp
c:\windows\system32\SET131.tmp
c:\windows\system32\COM132.tmp
c:\windows\SET83.tmp
c:\windows\SET80.tmp
c:\windows\SET8F.tmp
c:\windows\000001_.tmp
c:\program files\temp01

Folder::
c:\documents and settings\mandy\Application Data\Azureus

Registry::
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Vuze\\Azureus.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

malvakai · Dec 10, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:37 AM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mandy\Desktop\malvakai.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7283 bytes

Please help us improve HijackThis by reporting this error

Click 'Yes' to submit

Error Details:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.13
HijackThis version: 2.0.2

ComboFix 08-12-07.04 - mandy 2008-12-10 9:39:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1565 [GMT -7:00]
Running from: c:\documents and settings\mandy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mandy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\temp01
c:\windows\000001_.tmp
c:\windows\003444_.tmp
c:\windows\003445_.tmp
c:\windows\SET47.tmp
c:\windows\SET48.tmp
c:\windows\SET49.tmp
c:\windows\SET4A.tmp
c:\windows\SET4B.tmp
c:\windows\SET4C.tmp
c:\windows\SET56.tmp
c:\windows\SET57.tmp
c:\windows\SET58.tmp
c:\windows\SET80.tmp
c:\windows\SET83.tmp
c:\windows\SET8F.tmp
c:\windows\system32\COM12F.tmp
c:\windows\system32\COM132.tmp
c:\windows\system32\SET12E.tmp
c:\windows\system32\SET131.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mandy\Application Data\Azureus
c:\documents and settings\mandy\Application Data\Azureus\.certs
c:\documents and settings\mandy\Application Data\Azureus\.keystore
c:\documents and settings\mandy\Application Data\Azureus\.lock
c:\documents and settings\mandy\Application Data\Azureus\active\02FE9E0C1EA7C82E8CF9CF07D6EFA430E2D7BD9C.dat
c:\documents and settings\mandy\Application Data\Azureus\active\02FE9E0C1EA7C82E8CF9CF07D6EFA430E2D7BD9C.dat.bak
c:\documents and settings\mandy\Application Data\Azureus\active\54CB6EA3A74DBABE31D2A63076517A69D061F1E0.dat
c:\documents and settings\mandy\Application Data\Azureus\active\54CB6EA3A74DBABE31D2A63076517A69D061F1E0.dat.bak
c:\documents and settings\mandy\Application Data\Azureus\active\cache.dat
c:\documents and settings\mandy\Application Data\Azureus\active\DD0A90B490203B23B3F271DBF99F95008A407BBE.dat
c:\documents and settings\mandy\Application Data\Azureus\active\DD0A90B490203B23B3F271DBF99F95008A407BBE.dat.bak
c:\documents and settings\mandy\Application Data\Azureus\azureus.config
c:\documents and settings\mandy\Application Data\Azureus\azureus.config.bak
c:\documents and settings\mandy\Application Data\Azureus\azureus.statistics
c:\documents and settings\mandy\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\mandy\Application Data\Azureus\banips.config
c:\documents and settings\mandy\Application Data\Azureus\banips.config.bak
c:\documents and settings\mandy\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\mandy\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\mandy\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\mandy\Application Data\Azureus\dht\general.dat
c:\documents and settings\mandy\Application Data\Azureus\dht\version.dat
c:\documents and settings\mandy\Application Data\Azureus\downloads.config
c:\documents and settings\mandy\Application Data\Azureus\downloads.config.bak
c:\documents and settings\mandy\Application Data\Azureus\friends.config
c:\documents and settings\mandy\Application Data\Azureus\friends.config.bak
c:\documents and settings\mandy\Application Data\Azureus\ipfilter.cache
c:\documents and settings\mandy\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\MetaSearch_Engine_3975117449.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\save\1228412144156_MetaSearch_Engine_3.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\save\1228412144156_MetaSearch_Engine_3975117449.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\save\1228412144156_MetaSearch_Engine_4.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\save\1228412144156_MetaSearch_Engine_5.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\save\1228412144156_MetaSearch_Engine_9.txt
c:\documents and settings\mandy\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\mandy\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\mandy\Application Data\Azureus\metasearch.config
c:\documents and settings\mandy\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\mandy\Application Data\Azureus\net\pm_209.dat
c:\documents and settings\mandy\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\mandy\Application Data\Azureus\sidebarauto.config
c:\documents and settings\mandy\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\mandy\Application Data\Azureus\subs\07B55B068A6E01B66D9B.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\0FD0FA03EFA1F804421B.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\1939B5471D0F164567BD.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\1BAF7BCFBFF6391B49E2.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\47B0F3BA10CFAD82D9DD.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\4F5D92DCB17E8F9148BB.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\58671B832FC69600E7AF.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\58D07BFB55C7893361D2.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\719A4A4F36C578B42235.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\895A308B0AAAD5DA3C8E.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\8DE6E5753F5ADF094F49.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\91F9C7144C423FBD66FA.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\95B34C1A1F40931D0972.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\A2A76BEDB56D75EE5957.results
c:\documents and settings\mandy\Application Data\Azureus\subs\A2A76BEDB56D75EE5957.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\AF385A432EFB63164A7C.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\B792D08DEF58533CE133.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\CD8A22477A17EF2F15E2.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\E8139A68B1EC9E7A6DAD.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\E9248290A3AB0F83E6AA.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\ED1B44FA092775A661D9.vuze
c:\documents and settings\mandy\Application Data\Azureus\subs\F50654E16BE90590EC6B.vuze
c:\documents and settings\mandy\Application Data\Azureus\subscriptions.config
c:\documents and settings\mandy\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\mandy\Application Data\Azureus\tables.config
c:\documents and settings\mandy\Application Data\Azureus\tables.config.bak
c:\documents and settings\mandy\Application Data\Azureus\timingstats.dat
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU2044697810988881391.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU3796049605912571767.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU4115507779701709038.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU536320513697354549.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU5417061787198706554.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU9114697214793085938.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU9149832079994576350.tmp
c:\documents and settings\mandy\Application Data\Azureus\tmp\AZU937142134481028159.tmp
c:\documents and settings\mandy\Application Data\Azureus\torrents\1269840
c:\documents and settings\mandy\Application Data\Azureus\torrents\1952159
c:\documents and settings\mandy\Application Data\Azureus\torrents\AZU40664.tmp
c:\documents and settings\mandy\Application Data\Azureus\torrents\AZU40667.tmp
c:\documents and settings\mandy\Application Data\Azureus\torrents\AZU43060.tmp
c:\documents and settings\mandy\Application Data\Azureus\torrents\Dr+Who.torrent
c:\documents and settings\mandy\Application Data\Azureus\torrents\HouseM.D. Complete Season 1.torrent
c:\documents and settings\mandy\Application Data\Azureus\torrents\Into_Great_Silence__2005_DVDrip_XviD__Eng_Sub_.torrent
c:\documents and settings\mandy\Application Data\Azureus\tracker.config
c:\documents and settings\mandy\Application Data\Azureus\tracker.config.bak
c:\documents and settings\mandy\Application Data\Azureus\unsentdata.config
c:\documents and settings\mandy\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\mandy\Application Data\Azureus\update.log
c:\documents and settings\mandy\Application Data\Azureus\update.properties
c:\documents and settings\mandy\Application Data\Azureus\upnp_trace1.log
c:\documents and settings\mandy\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\mandy\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\mandy\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\mandy\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\temp01
c:\windows\000001_.tmp
c:\windows\003444_.tmp
c:\windows\003445_.tmp
c:\windows\SET47.tmp
c:\windows\SET48.tmp
c:\windows\SET49.tmp
c:\windows\SET4A.tmp
c:\windows\SET4B.tmp
c:\windows\SET4C.tmp
c:\windows\SET56.tmp
c:\windows\SET57.tmp
c:\windows\SET58.tmp
c:\windows\SET80.tmp
c:\windows\SET83.tmp
c:\windows\SET8F.tmp
c:\windows\system32\COM12F.tmp
c:\windows\system32\COM132.tmp
c:\windows\system32\SET12E.tmp
c:\windows\system32\SET131.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-09 10:05 . 2008-12-09 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-09 10:05 . 2008-12-09 10:05 <DIR> d-------- C:\Avira
2008-12-08 15:21 . 2008-12-08 16:28 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-07 14:33 . 2008-12-07 14:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 14:33 . 2008-12-08 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 12:30 . 2008-12-07 14:04 2,354 --a------ C:\rollback.ini
2008-12-07 12:15 . 2008-12-07 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-07 12:15 . 2008-12-07 12:21 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-07 12:14 . 2008-12-07 14:25 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-07 10:39 . 2008-12-07 10:39 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-07 10:25 . 2008-09-09 18:14 1,307,648 -----c--- c:\windows\system32\dllcache\msxml6.dll
2008-12-07 10:25 . 2008-04-13 22:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2008-12-07 10:22 . 2008-12-07 10:22 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-07 07:46 . 2008-12-07 07:48 <DIR> d-------- C:\f6e9123a9fffab9c53e3371ca32f2d
2008-12-07 02:01 . 2008-12-07 14:24 <DIR> d-------- c:\windows\Internet Logs
2008-12-07 00:42 . 2008-12-07 00:45 <DIR> d-------- C:\a5627bf6fc2e5deb51a5eb09e1ff
2008-12-07 00:04 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-07 00:04 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-06 23:04 . 2008-09-08 03:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-06 23:04 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-06 23:04 . 2008-08-14 03:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-06 23:03 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-06 23:03 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-06 23:03 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-06 23:03 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-06 23:03 . 2008-09-15 05:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-06 23:01 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-06 23:01 . 2008-05-08 07:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-06 22:59 . 2008-04-11 12:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-06 22:59 . 2008-05-01 07:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-06 22:55 . 2008-09-04 10:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-06 22:55 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-06 22:51 . 2008-12-06 22:51 13,646 --a------ c:\windows\system32\wpa.bak
2008-12-06 22:45 . 2004-08-04 05:00 73,728 --a--c--- c:\windows\system32\dllcache\w3ext.dll
2008-12-06 22:45 . 2004-08-04 05:00 48,256 --a--c--- c:\windows\system32\dllcache\w32.dll
2008-12-06 22:45 . 2004-08-04 05:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2008-12-06 22:45 . 2004-08-04 05:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2008-12-06 22:45 . 2004-08-04 05:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-06 22:45 . 2004-08-04 05:00 9,216 --a--c--- c:\windows\system32\dllcache\wamps51.dll
2008-12-06 22:45 . 2004-08-04 05:00 5,632 --a--c--- c:\windows\system32\dllcache\w3svapi.dll
2008-12-06 22:45 . 2004-08-04 05:00 4,608 --a--c--- c:\windows\system32\dllcache\w3ctrs51.dll
2008-12-06 22:43 . 2004-08-04 05:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2008-12-06 22:42 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-06 22:41 . 2004-08-04 05:00 169,984 --a--c--- c:\windows\system32\dllcache\iisui.dll
2008-12-06 20:16 . 2008-12-06 22:25 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-06 20:14 . 2004-08-04 05:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-12-06 19:53 . 2004-08-04 05:00 1,042,903 --a--c--- c:\windows\system32\dllcache\SP2.CAT
2008-12-06 19:53 . 2004-08-04 05:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2008-12-06 19:53 . 2004-08-04 05:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT
2008-12-06 19:53 . 2004-08-04 05:00 37,484 --a--c--- c:\windows\system32\dllcache\MW770.CAT
2008-12-06 19:53 . 2004-08-04 05:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-12-06 19:53 . 2004-08-04 05:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-12-06 19:53 . 2004-08-04 05:00 13,472 --a--c--- c:\windows\system32\dllcache\HPCRDP.CAT
2008-12-06 19:53 . 2004-08-04 05:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-12-06 19:53 . 2004-08-04 05:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-12-06 19:53 . 2004-08-04 05:00 8,574 --a--c--- c:\windows\system32\dllcache\IASNT4.CAT
2008-12-06 19:53 . 2004-08-04 05:00 7,382 --a--c--- c:\windows\system32\dllcache\OEMBIOS.CAT
2008-12-06 19:53 . 2004-08-04 05:00 7,334 --a--c--- c:\windows\system32\dllcache\wmerrenu.cat
2008-12-06 19:52 . 2008-12-06 22:51 1,196,000 --a------ c:\windows\setupapi.log.2.old
2008-12-06 18:46 . 2008-12-09 11:46 1,374 --a------ c:\windows\imsins.BAK
2008-12-06 18:18 . 2008-12-06 18:18 <DIR> d-------- c:\documents and settings\mandy\Application Data\Apple Computer
2008-12-06 15:06 . 2008-12-06 15:06 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-04 13:20 . 2008-12-04 13:20 73,728 --a--c--- c:\windows\system32\javacpl.cpl
2008-12-04 12:08 . 2008-12-04 12:10 <DIR> d-------- C:\QuickTime
2008-12-04 12:08 . 2008-12-04 12:08 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-04 12:04 . 2008-12-04 12:04 <DIR> d-------- c:\program files\Apple Software Update
2008-12-04 12:04 . 2008-12-04 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-04 09:29 . 2008-12-06 18:42 28,678 --a------ c:\windows\setupapi.old
2008-12-03 21:20 . 2008-12-04 10:04 <DIR> d-------- C:\Trend Micro
2008-12-03 13:46 . 2008-12-06 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 22:02 . 2008-12-01 22:03 <DIR> d-------- C:\Temp
2008-11-23 11:48 . 2008-12-04 13:20 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-15 17:52 . 2008-11-16 18:45 <DIR> d-------- C:\DVD Flick

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 05:36 --------- d-----w c:\documents and settings\mandy\Application Data\gtk-2.0
2008-12-10 03:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-10 02:16 --------- d-----w c:\program files\Warcraft III
2008-12-09 19:26 --------- d-----w c:\program files\Vuze
2008-12-07 05:21 1,663 ----a-w c:\windows\inf\COMA7.tmp
2008-12-07 04:38 1,663 ----a-w c:\windows\inf\COMA6.tmp
2008-12-07 04:08 1,663 ----a-w c:\windows\inf\COMA5.tmp
2008-12-04 22:29 --------- d-----w c:\program files\Windows Live Toolbar
2008-12-04 20:14 --------- d-----w c:\documents and settings\mandy\Application Data\Winamp
2008-12-04 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-04 18:29 --------- d-----w c:\program files\Java
2008-12-03 19:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 13:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-22 13:31 --------- d-----w c:\program files\Sierra
2008-11-22 13:30 --------- d-----w c:\program files\ArcSoft
2008-11-22 13:29 --------- d-----w c:\documents and settings\mandy\Application Data\ArcSoft
2008-11-22 04:00 --------- d--h--w c:\program files\Zero G Registry
2008-11-09 06:32 --------- d-----w c:\program files\3Planesoft Screensaver Manager
2008-10-28 01:34 --------- d-----w c:\documents and settings\mandy\Application Data\Acreon
2008-10-25 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-20 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-17 03:28 --------- d-----w c:\documents and settings\mandy\Application Data\Move Networks
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-08-12 04:05 7,670,000 ----a-w c:\documents and settings\mandy\QuickCareSetup2.exe
2008-06-09 22:48 61,224 ----a-w c:\documents and settings\mandy\GoToAssistDownloadHelper.exe
2008-04-14 00:20 115,648 ----a-w c:\documents and settings\mandy\Application Data\GDIPFONTCACHEV1.DAT
2007-11-12 03:49 1,696 ----a-w c:\documents and settings\mandy\Application Data\wklnhst.dat
2007-01-21 20:58 774,144 -c--a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-09_11.35.32.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 11:05:51 272,128 ------w c:\windows\Driver Cache\i386\bthport.sys
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-08-14 10:09:26 2,145,280 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:33:16 2,066,048 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:33:16 2,023,936 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 10:11:02 2,189,184 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:54:10 765,952 -c----w c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2007-08-14 01:39:00 123,904 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2007-08-14 01:35:46 346,624 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2007-08-14 01:35:38 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2007-08-14 01:54:10 131,584 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2007-08-14 01:39:06 54,784 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2007-08-14 01:39:26 152,064 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2007-08-14 01:39:54 229,376 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2007-08-14 00:56:54 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2007-08-14 01:39:50 382,976 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2007-08-14 01:39:10 43,008 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2007-08-14 01:39:10 13,312 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2007-08-14 01:43:56 622,080 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2007-08-14 01:54:10 27,136 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2007-08-14 01:54:12 3,578,368 -c----w c:\windows\ie7updates\KB958215-IE7\mshtml.dll
+ 2007-08-14 01:54:10 475,648 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2007-08-14 01:44:26 192,000 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2007-08-14 01:54:10 670,720 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2007-08-14 01:44:06 101,376 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2007-08-14 01:36:12 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2007-08-14 01:44:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2007-08-14 01:54:10 1,162,240 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2007-08-14 01:54:10 231,424 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2007-08-14 01:54:10 818,688 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2007-08-14 01:39:00 123,904 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-04-14 12:42:16 139,264 ----a-w c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 ----a-w c:\windows\system32\cscript.exe
- 2007-08-14 01:39:00 123,904 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-05-07 09:07:23 135,168 -c----w c:\windows\system32\dllcache\cscript.exe
- 2007-08-14 01:35:46 346,624 -c----w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2007-08-14 01:35:38 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2007-08-14 01:54:10 131,584 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-23 12:36:14 286,720 -c----w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2007-08-14 01:39:06 54,784 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-14 01:39:26 152,064 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2007-08-14 01:39:54 229,376 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2007-08-14 00:56:54 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2007-08-14 01:39:50 382,976 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2007-08-14 01:39:10 43,008 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2007-08-14 01:43:56 622,080 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2007-08-14 01:38:04 491,520 -c----w c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53:39 512,000 -c----w c:\windows\system32\dllcache\jscript.dll
- 2007-08-14 01:54:10 27,136 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
- 2004-09-15 18:27:52 96,768 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-10 16:17:42 96,768 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-14 01:54:12 3,578,368 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-17 09:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2007-08-14 01:54:10 475,648 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2007-08-14 01:44:26 192,000 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2007-08-14 01:54:10 670,720 -c----w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2007-08-14 01:44:06 101,376 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2007-08-14 01:36:12 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-05-09 10:53:39 180,224 -c----w c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53:40 172,032 -c----w c:\windows\system32\dllcache\scrrun.dll
- 2008-04-14 12:42:08 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:02:42 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2007-08-14 01:44:30 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2007-08-14 01:54:10 1,162,240 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2007-08-14 01:54:10 413,696 -c----w c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53:40 430,080 -c----w c:\windows\system32\dllcache\vbscript.dll
- 2007-08-14 01:54:10 765,952 -c----w c:\windows\system32\dllcache\VGX.dll
+ 2008-05-27 17:23:58 765,952 -c----w c:\windows\system32\dllcache\vgx.dll
- 2007-08-14 01:54:10 231,424 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2007-08-14 01:54:10 818,688 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
- 2004-09-15 18:27:54 229,376 -c--a-w c:\windows\system32\dllcache\wmasf.dll
+ 2007-10-28 00:40:06 227,328 -c--a-w c:\windows\system32\dllcache\wmasf.dll
- 2004-09-15 18:27:54 1,027,072 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-10 18:37:02 1,026,048 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2004-09-15 18:27:56 5,550,080 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2007-04-30 15:20:24 5,537,792 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2004-09-15 18:28:04 2,362,104 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-10 18:57:40 2,364,472 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
+ 2008-05-08 11:24:44 155,648 -c----w c:\windows\system32\dllcache\wscript.exe
+ 2008-05-09 10:53:40 90,112 -c----w c:\windows\system32\dllcache\wshext.dll
- 2008-04-14 07:49:24 138,112 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w c:\windows\system32\drivers\afd.sys
- 2008-04-14 07:16:34 273,024 ----a-w c:\windows\system32\drivers\bthport.sys
+ 2008-06-13 11:05:51 272,128 ----a-w c:\windows\system32\drivers\bthport.sys
- 2008-04-14 07:25:10 202,624 ----a-w c:\windows\system32\drivers\rmcast.sys
+ 2008-05-08 14:02:52 203,136 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2008-04-14 07:45:12 334,848 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\drivers\srv.sys
- 2007-08-14 01:35:46 346,624 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2007-08-14 01:35:38 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2007-08-14 01:54:10 131,584 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-12-07 17:35:44 1,654,632 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-09 18:48:26 1,654,632 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2007-08-14 01:39:06 54,784 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2007-08-14 01:39:26 152,064 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2007-08-14 01:39:54 229,376 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2007-08-14 00:56:54 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2007-08-14 01:39:50 382,976 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2007-08-14 01:39:10 43,008 ----a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2007-08-14 01:39:10 13,312 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-04-14 12:41:56 691,712 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 19:04:26 691,712 ----a-w c:\windows\system32\inetcomm.dll
- 2008-04-14 12:41:58 512,000 ----a-w c:\windows\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
- 2007-08-14 01:54:10 27,136 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2004-09-15 18:27:52 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-10 16:17:42 96,768 ----a-w c:\windows\system32\logagent.exe
- 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-12-02 21:26:30 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2007-08-14 01:54:12 3,578,368 ----a-w c:\windows\system32\mshtml.dll
+ 2008-10-17 09:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-08-14 01:54:10 475,648 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2007-08-14 01:44:26 192,000 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
- 2007-08-14 01:54:10 670,720 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-04-14 12:42:02 1,104,896 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 17:15:04 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2008-04-14 12:42:02 337,408 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:34:24 337,408 ----a-w c:\windows\system32\netapi32.dll
- 2008-04-14 07:01:22 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:33:16 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2008-04-14 07:54:38 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 10:09:26 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
- 2007-08-14 01:44:06 101,376 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-12-09 18:03:13 92,388 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-09 22:18:56 92,388 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-09 18:03:13 492,578 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-09 22:18:56 492,578 ----a-w c:\windows\system32\perfh009.dat
- 2007-08-14 01:36:12 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2008-04-14 12:42:06 180,224 ----a-w c:\windows\system32\scrobj.dll
+ 2008-05-09 10:53:39 180,224 ----a-w c:\windows\system32\scrobj.dll
- 2008-04-14 12:42:06 172,032 ----a-w c:\windows\system32\scrrun.dll
+ 2008-05-09 10:53:40 172,032 ----a-w c:\windows\system32\scrrun.dll
- 2008-04-14 00:12:38 60,416 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2007-08-14 01:44:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2007-08-14 01:54:10 1,162,240 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-04-14 12:42:10 434,176 ----a-w c:\windows\system32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w c:\windows\system32\vbscript.dll
- 2007-08-14 01:54:10 231,424 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2004-09-15 18:27:54 229,376 ----a-w c:\windows\system32\wmasf.dll
+ 2007-10-28 00:40:06 227,328 ----a-w c:\windows\system32\wmasf.dll
- 2004-09-15 18:27:54 1,027,072 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-10 18:37:02 1,026,048 ----a-w c:\windows\system32\WMNetmgr.dll
- 2004-09-15 18:27:56 5,550,080 ----a-w c:\windows\system32\wmp.dll
+ 2007-04-30 15:20:24 5,537,792 ----a-w c:\windows\system32\wmp.dll
- 2004-09-15 18:28:04 2,362,104 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-10 18:57:40 2,364,472 ----a-w c:\windows\system32\WMVCore.dll
- 2008-04-14 12:42:42 155,648 ----a-w c:\windows\system32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w c:\windows\system32\wscript.exe
- 2008-04-14 12:42:12 90,112 ----a-w c:\windows\system32\wshext.dll
+ 2008-05-09 10:53:40 90,112 ----a-w c:\windows\system32\wshext.dll
+ 2008-12-09 22:14:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_750.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-30 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-09-06 413696]
"WinampAgent"="c:\winamp\winampa.exe" [2008-09-12 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"avgnt"="c:\avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\bs player etc\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader
"17463:TCP"= 17463:TCP:VUZE
"17463:UDP"= 17463:UDP:VUZE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1741e702-5d9b-11dc-84d0-001167151cce}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af7b7879-c445-11dd-85b6-00188baed655}]
\Shell\AutoRun\command - E:\install.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;<local>

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 09:42:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-10 9:45:40
ComboFix-quarantined-files.txt 2008-12-10 16:44:22
ComboFix2.txt 2008-12-09 18:38:05

Pre-Run: 19,998,826,496 bytes free
Post-Run: 20,025,741,312 bytes free

604 --- E O F --- 2008-12-09 19:13:48

Shaba · Dec 10, 2008

Open notepad and copy/paste the text in the codebox below into it:

Code:

Folder::
c:\program files\Vuze

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17463:TCP"=-
"17463:UDP"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

malvakai · Dec 10, 2008

Please help us improve HijackThis by reporting this error

Click 'Yes' to submit

Error Details:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
Error #5 - Invalid procedure call or argument

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.13
HijackThis version: 2.0.2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:59 AM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\bfgclient\bfggameservices.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mandy\Desktop\malvakai.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7363 bytes

ComboFix 08-12-07.04 - mandy 2008-12-10 10:10:07.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1552 [GMT -7:00]
Running from: c:\documents and settings\mandy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mandy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\mplayer\config
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.30
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-09 10:05 . 2008-12-09 10:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-09 10:05 . 2008-12-09 10:05 <DIR> d-------- C:\Avira
2008-12-08 15:21 . 2008-12-08 16:28 <DIR> d-------- C:\Spybot - Search & Destroy
2008-12-07 14:33 . 2008-12-07 14:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 14:33 . 2008-12-08 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 12:30 . 2008-12-07 14:04 2,354 --a------ C:\rollback.ini
2008-12-07 12:15 . 2008-12-07 13:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-07 12:15 . 2008-12-07 12:21 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-12-07 12:14 . 2008-12-07 14:25 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-12-07 10:39 . 2008-12-07 10:39 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-07 10:25 . 2008-09-09 18:14 1,307,648 -----c--- c:\windows\system32\dllcache\msxml6.dll
2008-12-07 10:25 . 2008-04-13 22:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2008-12-07 10:22 . 2008-12-07 10:22 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-07 07:46 . 2008-12-07 07:48 <DIR> d-------- C:\f6e9123a9fffab9c53e3371ca32f2d
2008-12-07 02:01 . 2008-12-07 14:24 <DIR> d-------- c:\windows\Internet Logs
2008-12-07 00:42 . 2008-12-07 00:45 <DIR> d-------- C:\a5627bf6fc2e5deb51a5eb09e1ff
2008-12-07 00:04 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-07 00:04 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-06 23:04 . 2008-09-08 03:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-06 23:04 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-06 23:04 . 2008-08-14 03:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-06 23:03 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-06 23:03 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-06 23:03 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-06 23:03 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-06 23:03 . 2008-09-15 05:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-06 23:01 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-06 23:01 . 2008-05-08 07:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-06 22:59 . 2008-04-11 12:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-06 22:59 . 2008-05-01 07:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-06 22:55 . 2008-09-04 10:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-06 22:55 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-06 22:51 . 2008-12-06 22:51 13,646 --a------ c:\windows\system32\wpa.bak
2008-12-06 22:45 . 2004-08-04 05:00 73,728 --a--c--- c:\windows\system32\dllcache\w3ext.dll
2008-12-06 22:45 . 2004-08-04 05:00 48,256 --a--c--- c:\windows\system32\dllcache\w32.dll
2008-12-06 22:45 . 2004-08-04 05:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2008-12-06 22:45 . 2004-08-04 05:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2008-12-06 22:45 . 2004-08-04 05:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-06 22:45 . 2004-08-04 05:00 9,216 --a--c--- c:\windows\system32\dllcache\wamps51.dll
2008-12-06 22:45 . 2004-08-04 05:00 5,632 --a--c--- c:\windows\system32\dllcache\w3svapi.dll
2008-12-06 22:45 . 2004-08-04 05:00 4,608 --a--c--- c:\windows\system32\dllcache\w3ctrs51.dll
2008-12-06 22:43 . 2004-08-04 05:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2008-12-06 22:42 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2008-12-06 22:41 . 2004-08-04 05:00 169,984 --a--c--- c:\windows\system32\dllcache\iisui.dll
2008-12-06 20:16 . 2008-12-06 22:25 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-06 20:15 . 2008-12-06 22:25 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-06 20:14 . 2004-08-04 05:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2008-12-06 19:53 . 2004-08-04 05:00 1,042,903 --a--c--- c:\windows\system32\dllcache\SP2.CAT
2008-12-06 19:53 . 2004-08-04 05:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT
2008-12-06 19:53 . 2004-08-04 05:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT
2008-12-06 19:53 . 2004-08-04 05:00 37,484 --a--c--- c:\windows\system32\dllcache\MW770.CAT
2008-12-06 19:53 . 2004-08-04 05:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2008-12-06 19:53 . 2004-08-04 05:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2008-12-06 19:53 . 2004-08-04 05:00 13,472 --a--c--- c:\windows\system32\dllcache\HPCRDP.CAT
2008-12-06 19:53 . 2004-08-04 05:00 13,312 --a------ c:\windows\system32\irclass.dll
2008-12-06 19:53 . 2004-08-04 05:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2008-12-06 19:53 . 2004-08-04 05:00 8,574 --a--c--- c:\windows\system32\dllcache\IASNT4.CAT
2008-12-06 19:53 . 2004-08-04 05:00 7,382 --a--c--- c:\windows\system32\dllcache\OEMBIOS.CAT
2008-12-06 19:53 . 2004-08-04 05:00 7,334 --a--c--- c:\windows\system32\dllcache\wmerrenu.cat
2008-12-06 19:52 . 2008-12-06 22:51 1,196,000 --a------ c:\windows\setupapi.log.2.old
2008-12-06 18:46 . 2008-12-09 11:46 1,374 --a------ c:\windows\imsins.BAK
2008-12-06 18:18 . 2008-12-06 18:18 <DIR> d-------- c:\documents and settings\mandy\Application Data\Apple Computer
2008-12-06 15:06 . 2008-12-06 15:06 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-04 13:20 . 2008-12-04 13:20 73,728 --a--c--- c:\windows\system32\javacpl.cpl
2008-12-04 12:08 . 2008-12-04 12:10 <DIR> d-------- C:\QuickTime
2008-12-04 12:08 . 2008-12-04 12:08 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-04 12:04 . 2008-12-04 12:04 <DIR> d-------- c:\program files\Apple Software Update
2008-12-04 12:04 . 2008-12-04 12:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-04 09:29 . 2008-12-06 18:42 28,678 --a------ c:\windows\setupapi.old
2008-12-03 21:20 . 2008-12-04 10:04 <DIR> d-------- C:\Trend Micro
2008-12-03 13:46 . 2008-12-06 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 22:02 . 2008-12-01 22:03 <DIR> d-------- C:\Temp
2008-11-23 11:48 . 2008-12-04 13:20 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-15 17:52 . 2008-11-16 18:45 <DIR> d-------- C:\DVD Flick

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 17:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-10 05:36 --------- d-----w c:\documents and settings\mandy\Application Data\gtk-2.0
2008-12-10 02:16 --------- d-----w c:\program files\Warcraft III
2008-12-07 05:21 1,663 ----a-w c:\windows\inf\COMA7.tmp
2008-12-07 04:38 1,663 ----a-w c:\windows\inf\COMA6.tmp
2008-12-07 04:08 1,663 ----a-w c:\windows\inf\COMA5.tmp
2008-12-04 22:29 --------- d-----w c:\program files\Windows Live Toolbar
2008-12-04 20:14 --------- d-----w c:\documents and settings\mandy\Application Data\Winamp
2008-12-04 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-04 18:29 --------- d-----w c:\program files\Java
2008-12-03 19:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-22 13:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-22 13:31 --------- d-----w c:\program files\Sierra
2008-11-22 13:30 --------- d-----w c:\program files\ArcSoft
2008-11-22 13:29 --------- d-----w c:\documents and settings\mandy\Application Data\ArcSoft
2008-11-22 04:00 --------- d--h--w c:\program files\Zero G Registry
2008-11-09 06:32 --------- d-----w c:\program files\3Planesoft Screensaver Manager
2008-10-28 01:34 --------- d-----w c:\documents and settings\mandy\Application Data\Acreon
2008-10-25 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-20 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-17 03:28 --------- d-----w c:\documents and settings\mandy\Application Data\Move Networks
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 21:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 21:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 23:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-08-12 04:05 7,670,000 ----a-w c:\documents and settings\mandy\QuickCareSetup2.exe
2008-06-09 22:48 61,224 ----a-w c:\documents and settings\mandy\GoToAssistDownloadHelper.exe
2008-04-14 00:20 115,648 ----a-w c:\documents and settings\mandy\Application Data\GDIPFONTCACHEV1.DAT
2007-11-12 03:49 1,696 ----a-w c:\documents and settings\mandy\Application Data\wklnhst.dat
2007-01-21 20:58 774,144 -c--a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-30 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\quicktime\QTTask.exe" [2008-09-06 413696]
"WinampAgent"="c:\winamp\winampa.exe" [2008-09-12 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"avgnt"="c:\avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-20 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\bs player etc\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1741e702-5d9b-11dc-84d0-001167151cce}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af7b7879-c445-11dd-85b6-00188baed655}]
\Shell\AutoRun\command - E:\install.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;<local>

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 10:11:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-10 10:13:38
ComboFix-quarantined-files.txt 2008-12-10 17:12:20
ComboFix2.txt 2008-12-10 16:45:41
ComboFix3.txt 2008-12-09 18:38:05

Pre-Run: 19,998,404,608 bytes free
Post-Run: 19,985,633,280 bytes free

236 --- E O F --- 2008-12-09 19:13:48

Shaba · Dec 10, 2008

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here

malvakai · Dec 12, 2008

Took all day to get the Kasperkey. Kept getting slammed with popups again -sigh- Thank you for going through all this with me and being so patient.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:31 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\SecondLife\SecondLife.exe
C:\Documents and Settings\mandy\Desktop\malvakai.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {A0D97F61-31C8-446D-AF9B-B6EF489816EE} - http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.phreik.com/controls/msnchat45.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7460 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 11, 2008 14:23:28
Records in database: 1452294
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 122347
Threat name: 1
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:46:02

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\bgwyfhek.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cgffojen.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cqjkst.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ffvwnsiw.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fvzztk.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jckskb.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\khvaju.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\laigones.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljonmdrn.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\oxmustdu.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pgibjt.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\slyhsjmv.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tbrirr.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tebwgmdn.dll.vir Infected: Trojan.Win32.Monder.abke 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tkjueqov.dll.vir Infected: Trojan.Win32.Monder.abke 1

The selected area was scanned.

Shaba · Dec 12, 2008

I don't see anything bad on HijackThis log.

Do those popups happen on every website or also when browser is closed?

virtumonde & virtumonde.generic infetion

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus