Alright, I read the instructions and disabled antivirus and antispyware, but I forgot about Spybot S&D. I noticed I hadn't turned it off when I looked through Task Manager after the scans finished.
Here's the ComboFix log:
ComboFix 08-08-30.03 - David 2008-08-31 12:33:55.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2753 [GMT -4:00]
Running from: C:\Users\David\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\bKTEdMoq.ini
C:\Windows\System32\bKTEdMoq.ini2
C:\Windows\system32\BReWErS.dll
C:\Windows\System32\cJQXEfhk.ini
C:\Windows\System32\cJQXEfhk.ini2
C:\Windows\system32\dkhicdav.dll
C:\Windows\system32\ernoysrt.dll
C:\Windows\system32\hgGvuVpp.dll
C:\Windows\system32\igjfofiw.ini
C:\Windows\system32\iIbcDWqP.dll
C:\Windows\system32\jedjockj.ini
C:\Windows\system32\khfEXQJc.dll
C:\Windows\system32\kqavhjdj.dll
C:\Windows\system32\lfzzkx.dll
C:\Windows\system32\lxabpxhv.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\nVvyHRqr.ini
C:\Windows\System32\nVvyHRqr.ini2
C:\Windows\System32\OppXENnn.ini
C:\Windows\System32\ppVuvGgh.ini
C:\Windows\System32\ppVuvGgh.ini2
C:\Windows\System32\PqWDcbIi.ini
C:\Windows\System32\PqWDcbIi.ini2
C:\Windows\system32\qoMdETKb.dll
C:\Windows\system32\rqRHyvVn.dll
C:\Windows\system32\snqvavaw.dll
C:\Windows\system32\SvFLlUtv.ini
C:\Windows\System32\SvFLlUtv.ini2
C:\Windows\system32\ubimxy.dll
C:\Windows\System32\uufytgak.ini
C:\Windows\System32\vadcihkd.ini
C:\Windows\system32\vtUlLFvS.dll
C:\Windows\system32\ykmgeqxy.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.
2008-08-31 12:08 . 2008-08-31 12:08 1,905 --a------ C:\Windows\diagwrn.xml
2008-08-31 12:08 . 2008-08-31 12:08 1,905 --a------ C:\Windows\diagerr.xml
2008-08-30 20:28 . 2008-08-31 12:41 10,216 --a------ C:\Windows\System32\oodbs.lor
2008-08-30 15:18 . 2008-08-30 15:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-30 14:15 . 2008-08-30 15:19 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-30 14:15 . 2008-08-30 15:19 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-30 14:15 . 2008-08-30 14:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-30 10:46 . 2008-08-30 10:46 <DIR> d-------- C:\Users\David\AppData\Roaming\ESET
2008-08-30 10:35 . 2008-08-30 10:36 124,688 --a------ C:\Windows\System32\MSWINSCK.OCX
2008-08-30 10:24 . 2008-08-30 10:24 159,915 --a------ C:\Windows\Marsu-Fix Uninstaller.exe.bak
2008-08-27 21:09 . 2008-08-27 21:10 20 --a------ C:\simapp_lib.out
2008-08-27 21:01 . 2008-08-27 21:08 <DIR> d-------- C:\Users\David\AppData\Roaming\Kinetic Books
2008-08-27 21:01 . 2008-08-27 21:08 <DIR> d-------- C:\Users\All Users\Kinetic Books
2008-08-27 21:01 . 2008-08-27 21:08 <DIR> d-------- C:\ProgramData\Kinetic Books
2008-08-27 20:41 . 2008-08-27 21:01 <DIR> d-------- C:\Program Files\Common Files\Kinetic Books Shared
2008-08-27 20:40 . 2008-04-04 12:22 4,685,317 --a------ C:\Windows\System32\kbpprinc.dll
2008-08-27 20:40 . 2008-03-04 17:59 293,888 --a------ C:\Windows\System32\kbookspri.dll
2008-08-27 20:38 . 2008-08-27 20:48 <DIR> d-------- C:\Program Files\Kinetic Books
2008-08-27 20:38 . 2008-08-27 20:39 <DIR> d-------- C:\Program Files\Java
2008-08-27 15:47 . 2008-08-31 12:41 2,096 --ah----- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2008-08-27 15:47 . 2008-08-31 12:41 2,096 --ah----- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2008-08-26 16:13 . 2008-08-26 18:46 0 --ah----- C:\ntuser.dat.LOG2
2008-08-26 16:13 . 2008-08-26 18:46 0 --ah----- C:\ntuser.dat.LOG1
2008-08-26 16:13 . 2008-08-26 16:13 0 --a------ C:\ntuser.dat
2008-08-24 15:33 . 2008-08-24 15:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-24 15:32 . 2008-08-24 15:32 <DIR> d-------- C:\Program Files\Common Files\Microsoft Games
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Videos
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Searches
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Saved Games
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Pictures
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Links
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Downloads
2008-08-24 15:02 . 2008-08-24 15:02 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-08-24 10:30 . 2008-08-24 10:30 84,480 --a------ C:\Windows\System32\jkcojdej.dll
2008-08-22 21:56 . 2008-08-23 15:57 2,560 --a------ C:\Windows\_MSRSTRT.EXE
2008-08-22 21:08 . 2008-08-22 21:08 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-08-22 18:41 . 2008-08-22 18:41 0 --------- C:\Windows\WB.ini
2008-08-22 18:40 . 2008-08-22 18:40 29 --a------ C:\Windows\.wb4
2008-08-22 18:38 . 2007-09-12 18:58 58,792 --------- C:\Windows\System32\wbload.dll
2008-08-22 18:38 . 2007-07-11 15:06 42,672 --------- C:\Windows\System32\wbsys.dll
2008-08-22 18:22 . 2008-01-27 01:09 615,424 --a------ C:\Windows\System32\themeui.dll
2008-08-22 17:50 . 2008-08-22 17:50 <DIR> d-------- C:\Users\David\AppData\Roaming\Sierra
2008-08-20 16:57 . 2008-08-20 16:57 <DIR> d-------- C:\Program Files\Sierra
2008-08-16 11:40 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-16 11:12 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-16 11:12 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-16 11:11 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-16 11:11 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-16 11:11 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-06 19:05 . 2008-08-06 19:05 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-08-06 19:05 . 2008-08-06 19:05 <DIR> d-------- C:\ProgramData\FLEXnet
2008-08-06 18:52 . 2008-08-06 18:52 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-27 10:02 . 2008-07-27 10:02 <DIR> d-------- C:\Windows\System32\Futuremark
2008-07-27 10:02 . 2007-08-20 11:05 27,672 -ra------ C:\Windows\System32\drivers\Entech.sys
2008-07-26 23:11 . 2008-07-26 23:11 <DIR> d-------- C:\Users\Public\BIG SMELLY TURDS
2008-07-24 19:38 . 2008-08-23 15:05 <DIR> d-------- C:\HammerAutosave
2008-07-24 15:15 . 2008-07-24 15:16 4,627 --a------ C:\Windows\Uninstall\FAKEFACTORY CM6 Uninstall Log.txt
2008-07-24 14:30 . 2008-07-24 15:16 <DIR> d-------- C:\Windows\Uninstall\FAKEFACTORY CM6
2008-07-24 14:29 . 2008-07-24 14:49 11,092 --a------ C:\Windows\Uninstall\FAKEFACTORY CM6 Setup Log.txt
2008-07-23 22:05 . 2008-07-23 22:06 2,869 --a------ C:\Windows\Uninstall\FAKEFACTORY_Cinematic Uninstall Log.txt
2008-07-23 21:32 . 2008-07-23 22:06 <DIR> d-------- C:\Windows\Uninstall\FAKEFACTORY_Cinematic
2008-07-23 21:31 . 2008-07-24 15:15 <DIR> d-------- C:\Windows\Uninstall
2008-07-23 21:31 . 2008-07-23 21:42 5,990 --a------ C:\Windows\Uninstall\FAKEFACTORY_Cinematic Setup Log.txt
2008-07-17 22:06 . 2008-07-17 22:06 669,184 --a------ C:\Windows\System32\pbsvc.exe
2008-07-17 22:06 . 2008-07-17 22:06 22,328 --a------ C:\Users\David\AppData\Roaming\PnkBstrK.sys
2008-07-17 22:05 . 2008-07-17 22:05 <DIR> d-------- C:\Users\All Users\Media Center Programs
2008-07-17 22:05 . 2008-07-17 22:05 <DIR> d-------- C:\ProgramData\Media Center Programs
2008-07-17 14:30 . 2008-07-17 14:30 <DIR> d--hs---- C:\Windows\ftpcache
2008-07-14 18:27 . 2008-08-30 10:04 <DIR> d-------- C:\Users\All Users\Symantec
2008-07-14 18:27 . 2008-08-30 10:04 <DIR> d-------- C:\ProgramData\Symantec
2008-07-08 22:03 . 2008-06-25 21:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-08 22:03 . 2008-06-25 21:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-08 22:03 . 2008-06-25 23:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-07 16:07 . 2007-12-11 17:06 753,664 --a------ C:\Windows\System32\nvcplui.exe
2008-07-07 16:07 . 2007-12-11 17:06 413,696 --a------ C:\Windows\System32\nvcpl.cpl
2008-07-07 16:07 . 2007-12-11 17:06 307,200 --a------ C:\Windows\System32\nvexpbar.dll
2008-07-07 16:04 . 2008-02-26 17:55 9,417 --a------ C:\Windows\System32\nvide.nvu
2008-07-07 16:03 . 2008-07-13 22:37 <DIR> d-------- C:\NVIDIA
2008-07-07 16:03 . 2008-06-04 16:29 446,464 --a------ C:\Windows\System32\NVUNINST.EXE
2008-07-07 16:03 . 2008-01-10 14:30 442,368 --a------ C:\Windows\System32\nvusmb.exe
2008-07-07 16:03 . 2007-12-07 14:34 2,016 --a------ C:\Windows\System32\nvsmb.nvu
2008-07-07 15:39 . 2008-07-13 22:40 <DIR> d-------- C:\Windows\nvtmpinst
2008-07-02 18:24 . 2008-08-06 17:48 <DIR> d-------- C:\Users\David\.gimp-2.2
2008-07-02 18:20 . 2008-07-02 18:20 82 --a------ C:\Windows\TweakOblivion.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 16:30 --------- d-----w C:\Program Files\Steam
2008-08-31 15:44 --------- d-----w C:\Users\David\AppData\Roaming\Azureus
2008-08-30 14:45 --------- d-----w C:\ProgramData\ESET
2008-08-30 14:15 --------- d-----w C:\Program Files\Security
2008-08-30 14:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-24 19:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-24 19:03 --------- d-----w C:\Program Files\Microsoft Games
2008-08-16 16:56 --------- d-----w C:\Program Files\Windows Mail
2008-08-06 22:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-31 23:17 --------- d-----w C:\ProgramData\Test Drive Unlimited
2008-07-31 17:10 --------- d-----w C:\Program Files\Common Files\Steam
2008-07-19 19:28 --------- d-----w C:\Program Files\Atari
2008-07-19 18:24 --------- d-----w C:\ProgramData\Lavasoft
2008-07-18 02:06 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-07-18 01:52 --------- d-----w C:\Program Files\EA GAMES
2008-07-13 22:42 --------- d-----w C:\ProgramData\NVIDIA
2008-07-09 19:34 --------- d-----w C:\Program Files\Bethesda Softworks
2008-07-07 20:09 --------- d-----w C:\ProgramData\nHancer
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-01 16:55 253,952 ------w C:\Windows\Setup1.exe
2008-06-01 16:20 73,216 ------w C:\Windows\ST6UNST.EXE
2008-05-24 14:08 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-19 19:37 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\Software\Games\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-05-08 16:17 1271032]
"AlcoholAutomount"="C:\Program Files\Software\Extractors\Alcohol 120\axcmd.exe" [2007-12-22 03:23 221568]
"nHancer"="C:\Program Files\Software\Graphics\nHancer\nHancer.exe" [2008-05-07 22:24 1302528]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08 813912]
"OODefragTray"="C:\Windows\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"egui"="C:\Program Files\Security\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 18:52 1447168]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 01:37 4186112 C:\Windows\RtHDVCpl.exe]
C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YPOPs.lnk - C:\Program Files\Software\Web\YPOPs\YPOPs.exe [2008-04-25 16:32:56 1331200]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D7EF45AB-026C-429C-B724-91284BDD18E7}"= UDP:C:\Program Files\EA GAMES\BF2\Battlefield 2\BF2.exe:Battlefield 2
"{79B3571D-324D-43DF-B51C-B7F06D2868C7}"= TCP:C:\Program Files\EA GAMES\BF2\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{D5E27AA4-8204-4475-ACA9-23DE7D1F51A6}C:\\program files\\software\\xfire\\xfire.exe"= UDP:C:\program files\software\xfire\xfire.exe:Xfire
"UDP Query User{5B10CE6A-EE37-4E50-9A0C-1EB913F6E9C8}C:\\program files\\software\\xfire\\xfire.exe"= TCP:C:\program files\software\xfire\xfire.exe:Xfire
"TCP Query User{4A643193-E904-4F6F-AEEC-04521352A21E}C:\\program files\\ea games\\bf2\\battlefield 2\\bf2.exe"= UDP:C:\program files\ea games\bf2\battlefield 2\bf2.exe:BF2
"UDP Query User{2F18EC59-5960-4FB2-8D04-3720F78BF632}C:\\program files\\ea games\\bf2\\battlefield 2\\bf2.exe"= TCP:C:\program files\ea games\bf2\battlefield 2\bf2.exe:BF2
"TCP Query User{453B7D9C-17BF-4A94-BD37-05F038CAF2DB}C:\\program files\\software\\azureus\\azureus.exe"= UDP:C:\program files\software\azureus\azureus.exe:Azureus
"UDP Query User{FFC1672A-BA67-42C3-9345-680AFDADA8C3}C:\\program files\\software\\azureus\\azureus.exe"= TCP:C:\program files\software\azureus\azureus.exe:Azureus
"TCP Query User{9DC145DF-8BFD-4CBA-B1E0-03915BBA2529}C:\\program files\\atari\\tdu\\testdriveunlimited.exe"= Disabled:UDP:C:\program files\atari\tdu\testdriveunlimited.exe:Test Drive Unlimited
"UDP Query User{9EA34FA7-8218-4515-A0A4-45A2D3E8DD47}C:\\program files\\atari\\tdu\\testdriveunlimited.exe"= Disabled:TCP:C:\program files\atari\tdu\testdriveunlimited.exe:Test Drive Unlimited
"TCP Query User{9826B74B-6773-4BF4-ADE6-A2E361D98504}C:\\program files\\atari\\unreal tournament\\system\\unrealtournament.exe"= UDP:C:\program files\atari\unreal tournament\system\unrealtournament.exe:UnrealTournament
"UDP Query User{8BA659D4-A439-4731-ADF4-36852F44B298}C:\\program files\\atari\\unreal tournament\\system\\unrealtournament.exe"= TCP:C:\program files\atari\unreal tournament\system\unrealtournament.exe:UnrealTournament
"TCP Query User{71BE1A89-7B2A-4C45-9949-CE1CDC22B28B}C:\\program files\\rockstar games\\gtarumble1c\\gtarumbleserver.exe"= UDP:C:\program files\rockstar games\gtarumble1c\gtarumbleserver.exe:GTARumbleServer
"UDP Query User{AC06B5E2-845B-41FB-AAD9-3E42698A3CAA}C:\\program files\\rockstar games\\gtarumble1c\\gtarumbleserver.exe"= TCP:C:\program files\rockstar games\gtarumble1c\gtarumbleserver.exe:GTARumbleServer
"TCP Query User{C7B5FE2C-63DD-4BED-A31A-477F30B42761}C:\\program files\\software\\xfire\\xfire.exe"= UDP:C:\program files\software\xfire\xfire.exe:Xfire
"UDP Query User{CC722276-E549-4C61-80B3-57C7F28E8723}C:\\program files\\software\\xfire\\xfire.exe"= TCP:C:\program files\software\xfire\xfire.exe:Xfire
"TCP Query User{EA840F9C-DFA6-4D82-8087-4F466C3ED091}C:\\program files\\steam\\steamapps\\themoralitysquad\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\team fortress 2\hl2.exe:hl2
"UDP Query User{10AFCDFD-ABF9-4F40-A251-B7BF2925B206}C:\\program files\\steam\\steamapps\\themoralitysquad\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\team fortress 2\hl2.exe:hl2
"{10D00230-6A03-4F83-B7DA-69D1AC29EE7B}"= UDP:C:\Program Files\Steam\Steam.exe:Steam
"{19E154B0-0DD9-4CBE-BE0D-641AE7BB02C6}"= TCP:C:\Program Files\Steam\Steam.exe:Steam
"TCP Query User{F96B69E4-812C-44DE-92F1-E17CFA7818A3}C:\\program files\\software\\games\\xfire\\xfire.exe"= UDP:C:\program files\software\games\xfire\xfire.exe:Xfire
"UDP Query User{8BF3C603-FE35-423C-B693-6CFC5F46E176}C:\\program files\\software\\games\\xfire\\xfire.exe"= TCP:C:\program files\software\games\xfire\xfire.exe:Xfire
"TCP Query User{C07DD0DE-3A14-4EA0-8097-D498ACB7C690}C:\\program files\\steam\\steamapps\\themoralitysquad\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\team fortress 2\hl2.exe:hl2
"UDP Query User{2B2DA292-249D-4818-A5EC-79202F0AA97F}C:\\program files\\steam\\steamapps\\themoralitysquad\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\team fortress 2\hl2.exe:hl2
"TCP Query User{FCCB2B77-6023-4D3A-8403-064C4D58227D}C:\\program files\\steam\\steamapps\\themoralitysquad\\source 2007 dedicated server\\srcds.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\source 2007 dedicated server\srcds.exe:srcds
"UDP Query User{F9A0D0A1-5F87-45AB-B556-91ABE88819C5}C:\\program files\\steam\\steamapps\\themoralitysquad\\source 2007 dedicated server\\srcds.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\source 2007 dedicated server\srcds.exe:srcds
"{EC7F925F-34C5-4EF6-A282-D5A7BD304F62}"= UDP:C:\Program Files\Software\Games\CrosuS\CrosuSApp.exe:Crosus
"{0C5BC034-DF89-4287-BD97-10856724CD24}"= TCP:C:\Program Files\Software\Games\CrosuS\CrosuSApp.exe:Crosus
"TCP Query User{563DBC1B-C379-4A01-AA19-E9C810C0E7A7}C:\\crosus-games\\freeciv\\civserver.exe"= UDP:C:\crosus-games\freeciv\civserver.exe:civserver
"UDP Query User{6E325B2A-A246-47A6-BE0C-72711CA3156E}C:\\crosus-games\\freeciv\\civserver.exe"= TCP:C:\crosus-games\freeciv\civserver.exe:civserver
"TCP Query User{E66B1128-077E-478B-82BF-D063A66B77E0}C:\\program files\\software\\web\\opera\\opera.exe"= UDP:C:\program files\software\web\opera\opera.exe:Opera Internet Browser
"UDP Query User{579F25BA-6441-4299-A86D-F874235EF9A1}C:\\program files\\software\\web\\opera\\opera.exe"= TCP:C:\program files\software\web\opera\opera.exe:Opera Internet Browser
"{557540FF-B75A-4940-B241-820E91A8495D}"= UDP:C:\Program Files\Atari\Civilization\CIV IV\Civilization4.exe:Sid Meier's Civilization 4
"{FA1AB585-681E-4DC3-ABC2-9331810A1C94}"= TCP:C:\Program Files\Atari\Civilization\CIV IV\Civilization4.exe:Sid Meier's Civilization 4
"{46424393-4E92-4923-9DA5-C19693CE553A}"= UDP:C:\Program Files\Atari\Civilization\CIV IV\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{DCD5BE51-B029-420E-A25B-DD3845D5E473}"= TCP:C:\Program Files\Atari\Civilization\CIV IV\Warlords\Civ4Warlords.exe:Sid Meier's Civilization 4 Warlords
"{43620573-DA0B-4C55-9148-6D46D16990E5}"= UDP:C:\Program Files\Atari\Civilization\CIV IV\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{FA7B0507-E0D9-445D-99BE-9446C8C15947}"= TCP:C:\Program Files\Atari\Civilization\CIV IV\Warlords\Civ4Warlords_PitBoss.exe:Sid Meier's Civilization 4 Pitboss
"{EAD0CD9C-85E2-4306-97DF-2D18B829851B}"= UDP:C:\Program Files\Atari\Civilization\CIV IV\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{828C8FFF-D0C8-4791-8D1E-1FA7113BDF60}"= TCP:C:\Program Files\Atari\Civilization\CIV IV\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:Sid Meier's Civilization 4 Beyond the Sword Pitboss
"{C695F015-0233-4125-8238-4170454E7BEF}"= UDP:C:\Program Files\Atari\Civilization\CIV IV\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{3B787A14-3703-470E-B99B-D50A9B39C17F}"= TCP:C:\Program Files\Atari\Civilization\CIV IV\Beyond the Sword\Civ4BeyondSword.exe:Sid Meier's Civilization 4 Beyond the Sword
"{4FF32AAE-0BF9-4392-864D-F1C31915CC45}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{9F33FC7C-0469-4655-A0A1-DB785023C03E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{503716BE-A7BE-4404-8363-80B48C019672}"= UDP:C:\Program Files\Software\Other\iTunes\iTunes.exe:iTunes
"{9C437D0F-67D9-4863-9437-30335F5F09F2}"= TCP:C:\Program Files\Software\Other\iTunes\iTunes.exe:iTunes
"TCP Query User{6F6BB31C-2A58-4694-B026-3BA2267D4309}C:\\program files\\steam\\steamapps\\themoralitysquad\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\counter-strike source\hl2.exe:hl2
"UDP Query User{54726483-625B-44A4-B695-1FEAC2186F47}C:\\program files\\steam\\steamapps\\themoralitysquad\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\counter-strike source\hl2.exe:hl2
"TCP Query User{F4A0A087-AF97-467F-9790-F10FA63A1929}C:\\program files\\steam\\steamapps\\themoralitysquad\\garrysmod\\hl2.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\garrysmod\hl2.exe:hl2
"UDP Query User{64D7506E-8A76-4E1B-8D4A-CF8C237D066E}C:\\program files\\steam\\steamapps\\themoralitysquad\\garrysmod\\hl2.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\garrysmod\hl2.exe:hl2
"TCP Query User{7D431107-815B-42AE-817E-B8E090F8E611}C:\\program files\\steam\\steamapps\\themoralitysquad\\source dedicated server\\srcds.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\source dedicated server\srcds.exe:srcds
"UDP Query User{414070D8-ED80-4B95-93AF-0D247F516FCF}C:\\program files\\steam\\steamapps\\themoralitysquad\\source dedicated server\\srcds.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\source dedicated server\srcds.exe:srcds
"TCP Query User{A95A6EB5-85E9-4040-B363-6EA03530668A}C:\\program files\\atari\\star wars battlefront ii\\gamedata\\battlefrontii.exe"= UDP:C:\program files\atari\star wars battlefront ii\gamedata\battlefrontii.exe:BattlefrontII
"UDP Query User{F3CB0EA7-6BAE-4710-B6B3-722C8506F35B}C:\\program files\\atari\\star wars battlefront ii\\gamedata\\battlefrontii.exe"= TCP:C:\program files\atari\star wars battlefront ii\gamedata\battlefrontii.exe:BattlefrontII
"TCP Query User{595F8DC4-ED61-4D2A-A78A-8C84A8F6B12C}C:\\program files\\atari\\star wars battlefront ii\\ pc server\\battlefrontii.exe"= UDP:C:\program files\atari\star wars battlefront ii\ pc server\battlefrontii.exe:BattlefrontII
"UDP Query User{2C0554BB-4002-496F-B557-3B30A3B01712}C:\\program files\\atari\\star wars battlefront ii\\ pc server\\battlefrontii.exe"= TCP:C:\program files\atari\star wars battlefront ii\ pc server\battlefrontii.exe:BattlefrontII
"TCP Query User{666E195F-93FC-4970-983A-70CE3D2C73F5}C:\\program files\\atari\\star wars battlefront ii\\pc server\\swbf2sm.exe"= UDP:C:\program files\atari\star wars battlefront ii\pc server\swbf2sm.exe:Star Wars® Battlefront™ II Server Manager
"UDP Query User{310CA36B-F51C-4AF3-8B49-B7CAF9CDC526}C:\\program files\\atari\\star wars battlefront ii\\pc server\\swbf2sm.exe"= TCP:C:\program files\atari\star wars battlefront ii\pc server\swbf2sm.exe:Star Wars® Battlefront™ II Server Manager
"TCP Query User{9F76847E-E15D-42E4-BF12-5FAA48D00706}C:\\program files\\steam\\steamapps\\common\\trackmania nations forever\\tmforever.exe"= UDP:C:\program files\steam\steamapps\common\trackmania nations forever\tmforever.exe:TmForever
"UDP Query User{4782B598-666B-43FE-B630-FC64123F8B81}C:\\program files\\steam\\steamapps\\common\\trackmania nations forever\\tmforever.exe"= TCP:C:\program files\steam\steamapps\common\trackmania nations forever\tmforever.exe:TmForever
"TCP Query User{81E56151-17C7-4323-91B9-7302CB0F168A}C:\\program files\\software\\games\\xfire\\xfire.exe"= UDP:C:\program files\software\games\xfire\xfire.exe:Xfire
"UDP Query User{BA8A5B4D-A85D-450A-BD52-F0346000760D}C:\\program files\\software\\games\\xfire\\xfire.exe"= TCP:C:\program files\software\games\xfire\xfire.exe:Xfire
"{3EE8B662-57B4-4AD1-81D7-FC68AB01FE19}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{30E9F06E-E343-44D5-8C71-0A8743A17BAF}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BD341D52-4E59-4FFC-BF24-8FAA04EEA926}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{77935EE8-BB6B-4841-B595-5B6401BDE3E2}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{390A3F28-A484-47CC-988B-9CA069E5B5F2}"= TCP:45450:Azureus
"TCP Query User{00CB180E-2B7C-4DF9-B59C-95F6304090BE}C:\\program files\\software\\azureus\\azureus.exe"= UDP:C:\program files\software\azureus\azureus.exe:Azureus
"UDP Query User{A6E000DA-445E-45F9-8002-1EF08C96ABDC}C:\\program files\\software\\azureus\\azureus.exe"= TCP:C:\program files\software\azureus\azureus.exe:Azureus
"TCP Query User{99DC1AD8-9FDA-46AD-BDE2-09D3249BCF92}C:\\program files\\atari\\tmunitedforever\\tmforever.exe"= UDP:C:\program files\atari\tmunitedforever\tmforever.exe:TmForever
"UDP Query User{77A2E171-A593-48B2-B0BD-A05FF0E310C7}C:\\program files\\atari\\tmunitedforever\\tmforever.exe"= TCP:C:\program files\atari\tmunitedforever\tmforever.exe:TmForever
"TCP Query User{6A239FA8-BF24-41E9-996A-CEB13C8C9267}C:\\program files\\atari\\tmunitedforever\\tmforever.exe"= UDP:C:\program files\atari\tmunitedforever\tmforever.exe:TmForever
"UDP Query User{F14D4EFA-79F1-4808-B1AC-C855E430FA02}C:\\program files\\atari\\tmunitedforever\\tmforever.exe"= TCP:C:\program files\atari\tmunitedforever\tmforever.exe:TmForever
"TCP Query User{DE1AC4D5-EF3E-4F98-9940-944727C192C1}C:\\program files\\atari\\trackmania united forever\\tmforever.exe"= UDP:C:\program files\atari\trackmania united forever\tmforever.exe:TmForever
"UDP Query User{8C53C3F7-8D77-496E-8A2C-8A9250146A15}C:\\program files\\atari\\trackmania united forever\\tmforever.exe"= TCP:C:\program files\atari\trackmania united forever\tmforever.exe:TmForever
"TCP Query User{1F70487E-E3CC-4F20-943B-6AD2CBC426AC}C:\\program files\\motorola\\software update\\msu.exe"= UDP:C:\program files\motorola\software update\msu.exe:msu
"UDP Query User{45FA8C6B-F7EA-4A80-9E15-6F0F7A42E311}C:\\program files\\motorola\\software update\\msu.exe"= TCP:C:\program files\motorola\software update\msu.exe:msu
"TCP Query User{6C40B333-D0E5-4853-93F5-0F1C99B56AC8}C:\\users\\david\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\david\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{0E699D57-8AC1-46CF-97D9-844DE8BB3F2F}C:\\users\\david\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\david\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{0E3D3854-25B3-4B3D-8FAB-69DE6CCECE0D}C:\\program files\\steam\\steamapps\\themoralitysquad\\source sdk base\\hl2.exe"= UDP:C:\program files\steam\steamapps\themoralitysquad\source sdk base\hl2.exe:hl2
"UDP Query User{A688917F-7F81-411E-9CA8-EFF880B74289}C:\\program files\\steam\\steamapps\\themoralitysquad\\source sdk base\\hl2.exe"= TCP:C:\program files\steam\steamapps\themoralitysquad\source sdk base\hl2.exe:hl2
"TCP Query User{346EA179-E442-42E2-8B6D-9C156BE2EBF4}C:\\program files\\bethesda softworks\\oblivion\\consoleserver.exe"= UDP:C:\program files\bethesda softworks\oblivion\consoleserver.exe:ConsoleServer
"UDP Query User{B0F11AF2-CDB2-4C52-9DD0-A3157A164226}C:\\program files\\bethesda softworks\\oblivion\\consoleserver.exe"= TCP:C:\program files\bethesda softworks\oblivion\consoleserver.exe:ConsoleServer
"{2BC85FBA-9735-4DED-BA5D-48B51C1C630C}"= UDP:C:\Program Files\EA GAMES\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{F06B40FF-890A-403F-BBF7-1CF32A7FFD00}"= TCP:C:\Program Files\EA GAMES\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{7498A2A2-00CB-4B0F-B689-EF32E1F07152}"= UDP:C:\Program Files\EA GAMES\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{1CAEE7F9-FD9B-48D8-B7E8-68CB098004E8}"= TCP:C:\Program Files\EA GAMES\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{5E9F9DEF-9727-4DAB-BCC7-B56CFC5536D7}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{02291677-C624-449B-9C28-225B16830020}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{74706E55-E3AC-4D08-BA2C-64F359A1F409}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{E4AB6489-D73A-41BC-9784-4A172AD1A9DD}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 09:42]
R3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;C:\Windows\system32\DRIVERS\csco21.sys [2006-05-19 03:42]
R3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-07-31 12:26]
R3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2008-01-18 22:14]
S3 Kinetic Books License Service;Kinetic Books License Service;C:\Program Files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe [2008-08-27 20:41]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys [2007-11-02 15:36]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys [2007-06-18 15:18]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34e1def0-d0fd-11dc-bbce-806e6f6e6963}]
\shell\AutoRun\command - D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fbda58d-cbf3-11dc-86c2-806e6f6e6963}]
\shell\AutoRun\command - D:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70c3906c-283c-11dd-a09f-806e6f6e6963}]
\shell\AutoRun\command - E:\Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 C:\Windows\Tasks\Easy SpyRemover.job
- C:\Program Files\Security\Easy SpyRemover\EasySpyRemover.exe [2007-11-09 18:54]
.
- - - - ORPHANS REMOVED - - - -
BHO-{CD93797B-CDB6-4488-A054-0E8EB9B52D1C} - C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LZJXCB5N\3077htsbdjyf[1].dll
HKLM-Run-aa8e1698 - C:\Windows\system32\dkhicdav.dll
HKLM-Run-BMa9bd2504 - C:\Windows\system32\kqavhjdj.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\dzzqhyvk.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.maingearforums.com
FF -: plugin - C:\Program Files\Software\Adobe Reader\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npjava11.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npjava12.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npjava13.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npjava14.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npjava32.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npjpi160_03.dll
FF -: plugin - C:\Program Files\Software\Java\jre1.6.0_03\bin\npoji610.dll
FF -: plugin - C:\Program Files\Software\Other\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Software\Web\Mozilla Firefox\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Software\Web\Mozilla Firefox\plugins\NPSWF32.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\np-mswmp.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\np32dsw.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npitunes.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\npqtplugin7.dll
FF -: plugin - C:\Program Files\Software\Web\Opera\program\plugins\NPSWF32.dll
FF -: plugin - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 12:41:32
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Software\Games\TortoiseSVN\iconv\_tbl_simple.so
-> C:\Program Files\Software\Games\TortoiseSVN\iconv\windows-1252.so
-> C:\Program Files\Software\Games\TortoiseSVN\iconv\utf-8.so
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\CISVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\PnkBstrA.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Software\Games\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Software\Graphics\nHancer\nHancerService.exe
C:\Windows\System32\oodag.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-08-31 12:47:01 - machine was rebooted [David]
ComboFix-quarantined-files.txt 2008-08-31 16:46:57
Pre-Run: 117,257,191,424 bytes free
Post-Run: 116,749,836,288 bytes free
419 --- E O F --- 2008-08-16 15:41:15
And the NEW HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:38 PM, on 8/31/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\oodtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Software\Graphics\nHancer\nHancer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Software\Web\YPOPs\YPOPs.exe
C:\Program Files\Software\Games\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\Windows\system32\oodtray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\Security\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Software\Extractors\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\Software\Graphics\nHancer\nHancer.exe" /tray
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: YPOPs.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Security\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kinetic Books License Service - Kinetic Books - C:\Program Files\Common Files\Kinetic Books Shared\Service\KineticBooksLicenseService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\Software\Graphics\nHancer\nHancerService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\Software\Other\Sandra\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\Software\Other\Sandra\RpcSandraSrv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 6886 bytes
Also, I'm using a different computer to upload these, but I'm putting the files on a flash drive. Is there any chance the virus/malware could infect this computer through the flash drive?