[Closed] I can't get rid of a Vundo.


  • This topic is locked
14 replies to this topic

#1 magiclzrd


Posted 18 October 2007 - 11:36 AM

Somehow a Vundo found its way onto my computer. I've tried (unsuccessfully) to get rid of it. I've used VundoFix.exe and FixVundo.exe, I've tried SW Doctor, tried to manually remove the awvvv.dll file, and I've tried my virus scanner. I'm not sure if it'll show up on the HijackThis log, but I figure that I have nothing to lose.

Logfile of HijackThis v1.99.1
Scan saved at 10:06:04 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Rich.HAL\LOCALS~1\Temp\hpdj.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WMP55AGSVC - Unknown owner - C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe (file missing)

TIA for any/all help.

--Rich


#2 jpshortstuff


Posted 18 October 2007 - 11:45 AM

Hi, and Welcome to What The Tech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
As I am still training here, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.


Show all hidden files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Please do not delete anything unless instructed to.

Next, rename HijackThis.exe to scanner.exe.
Scan again with HijackThis, and "copy/paste" a new log file into this thread.

Then I will analyze your log and sort out a fix for you :)

Also please describe how your computer behaves at the moment.


jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Need help remembering those important computer maintenance tasks? Let SCars do it for you.


#3 magiclzrd


Posted 18 October 2007 - 05:00 PM

Thanks for the quick reply. Here is the new log file.

Logfile of HijackThis v1.99.1
Scan saved at 3:51:07 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1984B9D0-7D8E-485D-BC87-F633CB709679} - C:\WINDOWS\system32\awvvv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Rich.HAL\LOCALS~1\Temp\hpdj.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

I highlighted the file that's giving me trouble. I know you would have seen it without the highlighting, but I thought I'd try to help. Anyway, my computer gets pop-ups from all the stupid WinAntiSpyware (and so on) sites. I've also noticed a recent decrease in internet connection speed (although this could be something else). I also get constant notifications from my anti-virus program that I have three separate trojans. I delete them and they keep coming back. That's about it. Again, thanks for the help.

--Rich
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WMP55AGSVC - Unknown owner - C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe (file missing)
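Comparing the first HijackThis log in this thread with the one taken after the rename to scanner.exe shows which entries only the second scan listed. The Python below is an added example, not part of any post and not HijackThis code; the function names and review heuristics are assumptions chosen for illustration, and the sample lines are excerpted from the two logs above.

```python
import re

# A HijackThis entry line has the shape "<section code> - <detail>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Assumed heuristic: a DLL sitting directly in system32 (matched on the lowercased line).
SYSTEM32_DLL = re.compile(r"\\windows\\system32\\[^\\]+\.dll$")

# Lines excerpted from the first log in the thread (scan run as HijackThis.exe).
FIRST_SCAN = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O23 - Service: hpdj - HP - C:\DOCUME~1\Rich.HAL\LOCALS~1\Temp\hpdj.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
"""

# The same lines plus entries that appear only in the second log (scan run as scanner.exe).
SECOND_SCAN = FIRST_SCAN + r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1984B9D0-7D8E-485D-BC87-F633CB709679} - C:\WINDOWS\system32\awvvv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""


def parse_entries(log_text):
    """Return (code, detail) tuples for entry lines; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def added_entries(before_text, after_text):
    """Entries present in the later scan but not in the earlier one, in log order."""
    seen = set(parse_entries(before_text))
    return [entry for entry in parse_entries(after_text) if entry not in seen]


def review_reasons(code, detail):
    """Assumed heuristics that mark an entry for a human to look at; not verdicts."""
    lower = detail.lower()
    reasons = []
    if "(file missing)" in lower:
        reasons.append("target file missing")
    if code == "O2" and "(no name)" in lower:
        reasons.append("unnamed BHO")
    if code == "O2" and SYSTEM32_DLL.search(lower):
        reasons.append("BHO DLL directly in system32")
    if code == "O23" and "\\temp\\" in lower:
        reasons.append("service binary in a Temp directory")
    return reasons


def flagged(entries):
    """Return (code, detail, reasons) for every entry with at least one reason."""
    result = []
    for code, detail in entries:
        reasons = review_reasons(code, detail)
        if reasons:
            result.append((code, detail, reasons))
    return result


if __name__ == "__main__":
    print("Entries only in the second scan:")
    for code, detail in added_entries(FIRST_SCAN, SECOND_SCAN):
        print(f"  {code} - {detail}")
    print("Flagged for review:")
    for code, detail, reasons in flagged(parse_entries(SECOND_SCAN)):
        print(f"  {code} - {detail}\n      -> {', '.join(reasons)}")
```

A flag here only means the entry deserves a closer look by someone who knows the machine; entries without a flag are not thereby shown to be clean.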

#4 jpshortstuff


Posted 18 October 2007 - 05:10 PM

Thanks, just letting you know I'm looking at your log now and working on a fix.

Please remember that as I am in training an Expert must check my fix before I post, but the wait shouldn't be too long.

jpshortstuff


#5 jpshortstuff


Posted 20 October 2007 - 11:03 AM

Hi magiclzrd

Sorry for delays, problems with the site slowing us down a bit but it should be okay now.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Download ComboFix by sUBs from here or here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


Thanks,

jpshortstuff


#6 magiclzrd


Posted 20 October 2007 - 02:57 PM

Here is the ComboFix Log.


ComboFix 07-10-20.6 - Rich 2007-10-20 13:32:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2543 [GMT -7:00]
Running from: C:\Documents and Settings\Rich.HAL\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\check_LSA7.txt
C:\DOCUME~1\Rich.HAL\APPLIC~1\inst.exe
C:\Documents and Settings\Rich.HAL\Application Data\inst.exe
C:\Program Files\Temporary
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-18 09:45 <DIR> d-------- C:\HijackThis
2007-10-10 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2007-09-27 17:58 <DIR> d-------- C:\VundoFix Backups
2007-09-27 12:32 <DIR> d-------- C:\Program Files\Jetico
2007-09-26 09:26 <DIR> d-------- C:\Documents and Settings\Rich.HAL\Application Data\PC Tools
2007-09-26 09:26 <DIR> d-------- C:\DOCUME~1\Rich.HAL\APPLIC~1\PC Tools
2007-09-23 21:53 <DIR> d-------- C:\vd
2007-09-20 11:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\third lies itch ford
2007-09-20 11:24 <DIR> d-------- C:\Program Files\Forcashfast
2007-09-20 11:24 <DIR> d-------- C:\Program Files\3wPlayer
2007-09-20 11:24 <DIR> d-------- C:\Documents and Settings\Rich.HAL\Application Data\Forcashfast
2007-09-20 11:24 <DIR> d-------- C:\DOCUME~1\Rich.HAL\APPLIC~1\Forcashfast
2007-09-20 01:39 <DIR> d-------- C:\Program Files\Black Isle

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 14:10 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-08 00:10 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\LimeWire
2007-10-08 00:10 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\LimeWire
2007-10-05 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-04 01:23 --------- d-----w C:\Program Files\Doom 3
2007-09-27 10:34 --------- d-----w C:\Program Files\Spyware Doctor
2007-09-19 22:35 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Tenebril
2007-09-19 22:35 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Tenebril
2007-09-19 22:33 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Tenebril
2007-09-19 04:16 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Vso
2007-09-19 04:16 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Vso
2007-09-19 01:16 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-19 01:16 47,360 ----a-w C:\Documents and Settings\Rich.HAL\Application Data\pcouffin.sys
2007-09-19 01:16 47,360 ----a-w C:\DOCUME~1\Rich.HAL\APPLIC~1\pcouffin.sys
2007-09-19 01:16 --------- d-----w C:\Program Files\VSO
2007-09-18 21:42 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-09-18 21:41 --------- d-----w C:\Program Files\AVSMedia
2007-09-18 13:39 --------- d-----w C:\Program Files\AllToAVI
2007-09-17 23:51 --------- d-----w C:\Program Files\WinAVI Video Converter
2007-09-17 09:32 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\vlc
2007-09-17 09:32 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\vlc
2007-09-17 09:29 --------- d-----w C:\Program Files\VideoLAN
2007-09-12 03:44 --------- d-----w C:\Program Files\LightScribe
2007-09-12 03:44 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-28 00:41 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Ahead
2007-08-28 00:41 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Ahead
2007-08-28 00:30 --------- d-----w C:\Program Files\Nero
2007-08-28 00:30 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-28 00:16 --------- d-----w C:\Program Files\Ahead
2007-08-16 02:13 21,920 ----a-w C:\Documents and Settings\Rich.HAL\Application Data\GDIPFONTCACHEV1.DAT
2007-08-16 02:13 21,920 ----a-w C:\DOCUME~1\Rich.HAL\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-11-17 00:39 32,168 ----a-w C:\Documents and Settings\Rich\Application Data\GDIPFONTCACHEV1.DAT
2005-07-05 06:44 184,808 ----a-w C:\Documents and Settings\Rich\Application Data\shb.dat
2003-08-27 22:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
2005-10-15 08:07:16 1,303,639 --sha-r C:\WINDOWS\system32\nqfalz.exe
2005-10-15 08:07:16 1,303,639 --sha-r C:\WINDOWS\system32\qpruay.exe
2005-10-15 08:07:16 1,303,639 --sha-r C:\WINDOWS\system32\wpczsz.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 936,960 2003-04-08 05:41:01 C:\Program Files\BuyPin Software\Advertising Killer\bak\akiller.exe
----a-w 32,946 2006-11-13 22:24:43 C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe

----a-w 38,592 2002-09-15 04:22:06 C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe
----a-w 38,592 2002-09-15 04:22:06 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

----a-w 218,240 2004-11-03 00:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 32,946 2006-11-13 22:24:43 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

----a-w 203,264 1999-04-12 08:00:00 C:\Program Files\Creative\SBLive\AudioHQ\bak\AHQTB.EXE
----a-w 203,264 2007-08-18 01:40:10 C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

----a-w 282,624 2006-09-01 22:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-09-01 23:57:48 C:\Program Files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-14 21:22]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2007-08-17 18:40]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 17:17]

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rich.HAL^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\Rich.HAL\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneDVDElbyDelay]
"C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
C:\Program Files\Creative\Launcher\CTLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckAnyDVD]
"C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
"C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MI4Tray]
C:\Program Files\Steinberg\MI4\MI4tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]
C:\Program Files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\rnjxjtdd.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
"C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)

S2 Net message Service;Net message Service;C:\WINDOWS\system32\netmsg.exe
S2 WMP55AGSVC;WMP55AGSVC;"C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe"
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b443b2a-a1e7-11db-8d8b-000f66168064}]
AutoRun\command - G:\InstallTomTomHOME.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 13:39:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 13:45:13 - machine was rebooted
.
--- E O F ---

I see that the .dll's that have been bothering me were deleted. Does this mean my machine is cleaned of this Vundo? Thanks again for all your help.

#7 jpshortstuff


Posted 20 October 2007 - 03:30 PM

Can you post a new HijackThis log as well please?

Vundo may be gone, we just need to clean up now, and make sure there isn't anything else lurking.

Thanks,

jpshortstuff


#8 magiclzrd


Posted 20 October 2007 - 07:51 PM

Thanks again (again).

Here's the new HT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:10:43 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Rich.HAL\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WMP55AGSVC - Unknown owner - C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe (file missing)

When I was researching this thing, I read about Java being susceptible to attacks and I was wondering if I need to update my version. Thanks.

magiclzrd
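An added example, not part of the original thread: a small Python triage pass over HijackThis entries like those in the log above, flagging leftovers such as `(file missing)` targets and `Unknown owner` services for a human to review. The sample lines are copied from that log; the function names and the temp-directory heuristic are assumptions made for this example.

```python
import re
from collections import namedtuple

# One flagged log entry: HijackThis section code, target path, why it was flagged.
Finding = namedtuple("Finding", "section path reasons")

# Entry lines look like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^([ORFN]\d{1,2}) - (.+)$")
# First drive-letter path in the entry; a closing quote ends a quoted path.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*)')
MISSING = "(file missing)"

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Rich.HAL\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
"""


def parse_entry(line):
    """Return (section, body, path, missing) for an entry line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line, or surrounding prose
    section, body = m.groups()
    missing = body.rstrip().endswith(MISSING)
    pm = PATH_RE.search(body)
    path = pm.group(1).replace(MISSING, "").strip() if pm else None
    return section, body, path, missing


def triage(log_text):
    """Flag entries worth a manual look; this does not decide what is malware."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        section, body, path, missing = entry
        reasons = []
        if missing:
            # The registry still points at a file that no longer exists.
            reasons.append("target file missing (orphaned entry)")
        if section == "O23" and " - Unknown owner - " in body:
            # HijackThis printed no company name for the service binary.
            reasons.append("service binary has no readable owner")
        if path and re.search(r"\\(temp|tmp)\\", path, re.IGNORECASE):
            # Heuristic added for this example: autostarts rarely live in Temp.
            reasons.append("runs from a temp directory")
        if reasons:
            findings.append(Finding(section, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path}")
        for reason in f.reasons:
            print(f"       - {reason}")
```

A flag here only means the entry deserves a second look; an orphaned entry can be left over from an uninstalled program as easily as from removed malware.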

#9 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 20 October 2007 - 07:54 PM

Hi magiclzrd

Yes, you're right about old versions of Java being vulnerable, and you need to keep your Java updated regularly. This is something that I usually recommend to users at the end of the fix, but it is fine if you want to do this now. Your version isn't that out of date anyway, but it's your decision whether to do it now or later.

I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
Thanks, working on the rest of the fix already, this will just aid me a bit.

jpshortstuff

#10 magiclzrd

magiclzrd

    New Member

  • New Member
  • 6 posts

Posted 20 October 2007 - 11:24 PM

jpshortstuff--

Thanks for all your quick responses. You've really helped me get my computer back up to speed. Here's that uninstall log you wanted:

Adobe Acrobat 7.0.9 Professional
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
AllToAVI v4 r5394
AnyDVD
Apple Software Update
AVS Disc Creator version 2.1
AVS Video Tools 5.1
Baldur's Gate™ II - Shadows of Amn™
BCWipe 3.0
Bink and Smacker
BitLord 1.1
CDRWIN 6.1
CloneCD
CloneDVD2
ConvertXtoDVD 2.2.3.258
Creative Launcher
Creative PlayCenter
Creative Recorder
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Ripper Platinum 4
Final Draft 7
FW LiveUpdate
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
hp deskjet 3820 series (Remove only)
hp deskjet 5100
Indeo® Software
Intel A/V Codecs V2.0
Intel Application Accelerator
Intel Audio Studio 2.0
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® PRO Network Connections
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1
LightScribe Applications
LimeWire PRO 4.12.3
LiveReg (Symantec Corporation)
Magic ISO Maker v5.4 (build 0239)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Mozilla Firefox (2.0.0.8)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
MSXML4 Parser
Nero 7 Demo
Nero Suite
Nimo Codecs Pack v4.33 (Remove Only)
Norton AntiVirus Parent MSI
PowerISO
Quicken 2007
QuickTime
ResumeMaker
ResumeMaker Professional
Safari
SanDisk TransferMate
SigmaTel Audio
Sound Blaster Live! Value
SoundMAX
Spyware Doctor 5.0
Steinberg MI4 Setup
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
TurboTax Basic 2006
TurboTax ItsDeductible 2006
VideoLAN VLC media player 0.8.6c
WexTech AnswerWorks
Win AVI HelixSDK
WinAVI Video Converter
Windows Internet Explorer 7
WinMPG VideoConvert 6.6.3
WinRAR archiver
WinZip 11.1
Xvid 1.1.2 final uninstall

Hope this helps. I won't install a newer version of Java until you say my machine is good.

magiclzrd

#11 jpshortstuff

jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 22 October 2007 - 08:57 AM

Hi magiclzrd

Sorry about the delays there, talked to a developer who wants some samples of an infection on your machine.

Could you please create a zip folder called "AWF_samples.zip" containing the following files:
C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe


In a browser of your choice, follow this link:
http://www.bleepingc...e.php?channel=4

Fill out the form

Link to topic = http://forums.whatth...ndo_t84261.html
File - browse to AWF_samples.zip and click OK.
Copy and paste this text into the comments box:

AWF samples as requested
-jpshortstuff

Then click Send File.


FindAWF

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Copy and paste the contents of the AWF.txt file in your next reply.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\nqfalz.exe
C:\WINDOWS\system32\qpruay.exe
C:\WINDOWS\system32\wpczsz.exe

Folder::
C:\VundoFix Backups
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Thanks,

jpshortstuff

#12 magiclzrd

magiclzrd

    New Member

  • New Member
  • 6 posts

Posted 24 October 2007 - 06:56 PM

Sorry about the delay. I had it all ready to go and my computer crashed. Nothing big. I did send those two files you asked me to send. I may have sent them twice. Here are the new logs you wanted.

New CF log:

ComboFix 07-10-20.6 - Rich 2007-10-23 18:31:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2445 [GMT -7:00]
Running from: C:\Documents and Settings\Rich.HAL\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rich.HAL\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\nqfalz.exe
C:\WINDOWS\system32\qpruay.exe
C:\WINDOWS\system32\wpczsz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rich.HAL\Application Data\LimeWire
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Rich.HAL\Application Data\LimeWire\xml\schemas\video.xsd
C:\VundoFix Backups
C:\VundoFix Backups\awvvv.dll.bad
C:\VundoFix Backups\pdoowccg.ini.bad
C:\VundoFix Backups\vvvwa.bak1.bad
C:\VundoFix Backups\vvvwa.ini.bad
C:\VundoFix Backups\vvvwa.ini2.bad
C:\VundoFix Backups\vvvwa.tmp.bad
C:\WINDOWS\system32\nqfalz.exe
C:\WINDOWS\system32\qpruay.exe
C:\WINDOWS\system32\wpczsz.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-20 23:32 <DIR> d-------- C:\Program Files\BricksOfCamelot_at
2007-10-20 14:22 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-20 14:21 <DIR> d-------- C:\Program Files\MSBuild
2007-10-20 14:21 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-20 14:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Microsoft Help
2007-10-20 14:16 <DIR> dr-h----- C:\MSOCache
2007-10-20 13:28 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 21:31 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 09:45 <DIR> d-------- C:\HijackThis
2007-10-18 00:00 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-10-15 18:23 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-12 20:39 15,844 --a------ C:\WINDOWS\system32\guhbuyrt.dll
2007-10-10 19:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\WinZip
2007-09-27 12:32 <DIR> d-------- C:\Program Files\Jetico
2007-09-26 09:27 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-09-26 09:27 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-09-26 09:27 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-26 09:27 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-09-26 09:26 <DIR> d-------- C:\Documents and Settings\Rich.HAL\Application Data\PC Tools
2007-09-26 09:26 <DIR> d-------- C:\DOCUME~1\Rich.HAL\APPLIC~1\PC Tools
2007-09-26 09:25 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 21:04 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-18 22:50 --------- d-----w C:\Program Files\3wPlayer
2007-10-05 00:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-04 01:23 --------- d-----w C:\Program Files\Doom 3
2007-09-27 10:34 --------- d-----w C:\Program Files\Spyware Doctor
2007-09-20 18:25 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Forcashfast
2007-09-20 18:25 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Forcashfast
2007-09-20 18:25 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\third lies itch ford
2007-09-20 18:24 --------- d-----w C:\Program Files\Forcashfast
2007-09-20 08:39 --------- d-----w C:\Program Files\Black Isle
2007-09-19 22:35 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Tenebril
2007-09-19 22:35 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Tenebril
2007-09-19 22:33 --------- d-----w C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Tenebril
2007-09-19 04:16 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Vso
2007-09-19 04:16 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Vso
2007-09-19 01:16 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-19 01:16 47,360 ----a-w C:\Documents and Settings\Rich.HAL\Application Data\pcouffin.sys
2007-09-19 01:16 47,360 ----a-w C:\DOCUME~1\Rich.HAL\APPLIC~1\pcouffin.sys
2007-09-19 01:16 --------- d-----w C:\Program Files\VSO
2007-09-18 21:42 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-09-18 21:41 --------- d-----w C:\Program Files\AVSMedia
2007-09-18 13:39 --------- d-----w C:\Program Files\AllToAVI
2007-09-17 23:51 --------- d-----w C:\Program Files\WinAVI Video Converter
2007-09-17 09:32 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\vlc
2007-09-17 09:32 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\vlc
2007-09-17 09:29 --------- d-----w C:\Program Files\VideoLAN
2007-09-12 03:44 --------- d-----w C:\Program Files\LightScribe
2007-09-12 03:44 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-28 00:41 --------- d-----w C:\Documents and Settings\Rich.HAL\Application Data\Ahead
2007-08-28 00:41 --------- d-----w C:\DOCUME~1\Rich.HAL\APPLIC~1\Ahead
2007-08-28 00:30 --------- d-----w C:\Program Files\Nero
2007-08-28 00:30 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-28 00:16 --------- d-----w C:\Program Files\Ahead
2007-08-16 02:13 21,920 ----a-w C:\Documents and Settings\Rich.HAL\Application Data\GDIPFONTCACHEV1.DAT
2007-08-16 02:13 21,920 ----a-w C:\DOCUME~1\Rich.HAL\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-11-17 00:39 32,168 ----a-w C:\Documents and Settings\Rich\Application Data\GDIPFONTCACHEV1.DAT
2005-07-05 06:44 184,808 ----a-w C:\Documents and Settings\Rich\Application Data\shb.dat
2003-08-27 22:19 36,963 ------w C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_13.40.41.06 )))))))))))))))))))))))))))))))))))))))))
.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 936,960 2003-04-08 05:41:01 C:\Program Files\BuyPin Software\Advertising Killer\bak\akiller.exe
----a-w 32,946 2006-11-13 22:24:43 C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe

----a-w 38,592 2002-09-15 04:22:06 C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe
----a-w 38,592 2002-09-15 04:22:06 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

----a-w 218,240 2004-11-03 00:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 32,946 2006-11-13 22:24:43 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

----a-w 203,264 1999-04-12 08:00:00 C:\Program Files\Creative\SBLive\AudioHQ\bak\AHQTB.EXE
----a-w 203,264 2007-08-18 01:40:10 C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

----a-w 282,624 2006-09-01 22:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-09-01 23:57:48 C:\Program Files\QuickTime\qttask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 13:54]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-14 21:22]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2007-08-17 18:40]
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 17:17]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"NWEReboot"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Rich.HAL^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\Rich.HAL\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneDVDElbyDelay]
"C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Launcher]
C:\Program Files\Creative\Launcher\CTLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckAnyDVD]
"C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
"C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MI4Tray]
C:\Program Files\Steinberg\MI4\MI4tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]
C:\Program Files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
"C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

S2 Net message Service;Net message Service;C:\WINDOWS\system32\netmsg.exe
S2 WMP55AGSVC;WMP55AGSVC;"C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe"
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b443b2a-a1e7-11db-8d8b-000f66168064}]
AutoRun\command - G:\InstallTomTomHOME.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 19:32:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 19:40:11 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-20 13:45
.
--- E O F ---

AWF log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 10/23/2007
The current time is: 18:21:40.67


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

09/01/2006 03:57 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SPYWAR~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\BUYPIN~1\ADVERT~1\BAK

04/07/2003 10:41 PM 936,960 akiller.exe
1 File(s) 936,960 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

09/14/2002 09:22 PM 38,592 ccRegVfy.exe
1 File(s) 38,592 bytes

Directory of C:\PROGRA~1\CREATIVE\LAUNCHER\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

11/02/2004 05:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\AUDIOHQ\BAK

04/12/1999 01:00 AM 203,264 AHQTB.EXE
1 File(s) 203,264 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Sep 1 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 1 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
32946 Nov 13 2006 "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"
936960 Apr 7 2003 "C:\Britt's C Drive\Program Files\BuyPin Software\Advertising Killer\akiller.exe"
936960 Apr 7 2003 "C:\Program Files\BuyPin Software\Advertising Killer\bak\akiller.exe"
38592 Sep 14 2002 "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
38592 Sep 14 2002 "C:\Britt's C Drive\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
38592 Sep 14 2002 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
32946 Nov 13 2006 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Britt's C Drive\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
203264 Aug 17 2007 "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE"
203264 Apr 12 1999 "C:\Program Files\Creative\SBLive\AudioHQ\bak\AHQTB.EXE"


end of report

New HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 5:51:14 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Rich.HAL\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net message Service - Unknown owner - C:\WINDOWS\system32\netmsg.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WMP55AGSVC - Unknown owner - C:\Program Files\Dual-Band Wireless A+G PCI Network Adapter\WLService.exe" "WMP55AG.exe (file missing)

Again, sorry this took so long to get to you. Hopefully it helps and if you need anything else, I promise I'll send it ASAP. Thanks.

magiclzrd

#13 jpshortstuff

    Teacher Emeritus

  • Authentic Member
  • 5,710 posts

Posted 24 October 2007 - 07:20 PM

Thanks magiclzrd, looking at them now.

No worries about the delays, perfectly understandable.

jpshortstuff

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

Need help remembering those important computer maintenance tasks? Let SCars do it for you.


#14 jpshortstuff

Posted 25 October 2007 - 08:37 AM

Hi magiclzrd

Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\BuyPin Software\Advertising Killer\bak\akiller.exe"
"C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Download and Run NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    (your computer will now be scanned for infected files)
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log later.
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.



Please Right Click your Start button, and click Explore.
Next, locate and delete the following files and folders (if present):

C:\WINDOWS\system32\guhbuyrt.dll <<FILE

If any of them aren't there then don't worry, but if you have a problem deleting one of them then please let me know.


Please reboot your computer and post a fresh HijackThis log in your next reply, along with the contents of AWF.txt and the NoLop log.


Thanks,

jpshortstuff

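The two paths in the restore list of post #14 are the bak copies whose file in the parent folder has a different size in the "Duplicate files of bak directory contents" listing of the AWF log. As an added example (not part of the thread and not FindAWF's own code), this Python script parses that listing and classifies each bak copy; the comparison rule and the function names are assumptions made here.

```python
import re
from collections import namedtuple

# Lines copied from the AWF log posted in this thread.
AWF_DUPLICATES = r"""
282624 Sep 1 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 1 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
32946 Nov 13 2006 "C:\Program Files\BuyPin Software\Advertising Killer\akiller.exe"
936960 Apr 7 2003 "C:\Britt's C Drive\Program Files\BuyPin Software\Advertising Killer\akiller.exe"
936960 Apr 7 2003 "C:\Program Files\BuyPin Software\Advertising Killer\bak\akiller.exe"
38592 Sep 14 2002 "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
38592 Sep 14 2002 "C:\Britt's C Drive\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
38592 Sep 14 2002 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
32946 Nov 13 2006 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Britt's C Drive\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
203264 Aug 17 2007 "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE"
203264 Apr 12 1999 "C:\Program Files\Creative\SBLive\AudioHQ\bak\AHQTB.EXE"
"""

Entry = namedtuple("Entry", "size date path")
# size, "Mon D YYYY", quoted path
LINE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse(report):
    """Return {lower-cased path: Entry} for every listing line in the report."""
    entries = {}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            date = " ".join(m.group(2).split())
            entries[m.group(3).lower()] = Entry(int(m.group(1)), date, m.group(3))
    return entries


def compare_bak_pairs(report):
    """Pair each ...\\bak\\name entry with ...\\name and report how they differ."""
    entries = parse(report)
    results = []
    for key, bak in entries.items():
        head, _, name = key.rpartition("\\")
        if not head.endswith("\\bak"):
            continue  # not a bak copy (live file or a copy elsewhere on disk)
        live = entries.get(head[:-4] + "\\" + name)
        if live is None:
            verdict = "live file not listed"
        elif live.size != bak.size:
            verdict = "size mismatch"   # file in the program folder was replaced
        elif live.date != bak.date:
            verdict = "date mismatch"   # same size, different timestamp
        else:
            verdict = "identical"
        results.append((bak.path, verdict))
    return results
```
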

#15 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 30 October 2007 - 09:50 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

