[Resolved] Please Help! Ads are driving me crazy!


17 replies to this topic

#1 Rjp20

Rjp20

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 19 May 2008 - 08:32 PM

I keep getting random ad popups while I'm surfing the internet. I also seem to keep getting a virus no matter how many times I scan and get rid of it... PLEASE HELP! Here's my log. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:30:59 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ray II\Desktop\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
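Added example, not part of this thread and not HijackThis's own code: a small Python triage helper that splits the O4 (autostart) and O23 (service) lines of a HijackThis 1.99.x log into their fields and flags the services a malware-removal helper looks at first, those reported "(file missing)" or with "Unknown owner". The sample lines are copied from the log posted above; the field layout assumed for O4/O23 is the one visible in that log.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
# The short name in parentheses is optional (e.g. "Ati HotKey Poller" has none).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool

    def concerns(self) -> list[str]:
        """Reasons a helper would want to look at this service more closely."""
        reasons = []
        if self.file_missing:
            reasons.append("binary not found on disk (orphaned or hidden)")
        if self.owner.lower() == "unknown owner":
            reasons.append("no vendor information")
        return reasons


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str


def parse_hjt(text: str) -> tuple[list[RunEntry], list[ServiceEntry]]:
    """Return (autostart entries, service entries) from the O4/O23 lines of a log."""
    runs, services = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            services.append(ServiceEntry(
                m["display"], m["short"], m["owner"], m["path"].strip(),
                m["missing"] is not None))
        elif m := O4_RE.match(line):
            runs.append(RunEntry(m["hive"], m["name"], m["cmd"]))
    return runs, services


def flagged_services(text: str) -> dict[str, list[str]]:
    """Map display name -> concerns for every O23 entry that has at least one."""
    _, services = parse_hjt(text)
    return {s.display: s.concerns() for s in services if s.concerns()}


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
"""

if __name__ == "__main__":
    runs, services = parse_hjt(SAMPLE_LOG)
    for r in runs:
        print(f"autostart {r.hive} [{r.name}] -> {r.command}")
    for s in services:
        mark = " <-- " + "; ".join(s.concerns()) if s.concerns() else ""
        print(f"service {s.display} ({s.short or '-'}) [{s.owner}] {s.path}{mark}")
```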



#2 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 19 May 2008 - 10:59 PM

Hi there,

Welcome to WhatTheTech. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then un-check Word Wrap. (Word Wrap makes reading your log difficult.)

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now I am not seeing anything in your log, so let's have a deeper look. Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt.
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of DSS main.txt
  • The contents of DSS extra.txt
Note that you may need to make two posts if the logs are very long.

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

If you feel I have helped you and would like to make a small donation, please click here


#3 Rjp20

Rjp20

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 20 May 2008 - 10:36 AM

Here are the logs... Thanks!

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-40
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 2046.17 MiB / 1573.73 MiB
Pagefile Memory (total/avail): 3938.58 MiB / 3648.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.29 MiB

C: is Fixed (NTFS) - 93.15 GiB total, 11.27 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2100AT PL - 93.16 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 93.15 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

FW: Defender Pro Internet Security v6.0.2.621 ()
AV: AVG Anti-Virus Free v8.0 (AVG Technologies)
AV: Defender Pro Internet Security v6.0.2.621 ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Valve\\Condition Zero\\czero.exe"="C:\\Program Files\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"="C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe:*:Disabled:GhostRecon"
"C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"="C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe:*:Enabled:Defender Pro"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ray II\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LAP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ray II
LOGONSERVER=\\LAP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RAYII~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\RAYII~1\LOCALS~1\Temp
USERDOMAIN=LAP
USERNAME=Ray II
USERPROFILE=C:\Documents and Settings\Ray II
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Ray II (admin)
Administrator.LAP (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Adobe Acrobat 8 Professional - English, Français, Deutsch --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Broadcom 802.11 Wireless LAN Adapter --> C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\UIU32a.exe -U -ICPL309BA.INF
Counter-Strike: Condition Zero --> C:\PROGRA~1\Valve\CONDIT~1\UNWISE.EXE C:\PROGRA~1\Valve\CONDIT~1\INSTALL.LOG
Defender Pro Internet Security --> MsiExec.exe /I{D0DCD54F-C829-41A5-AF32-71E632BB0E2C}
Defender Pro Internet Security --> MsiExec.exe /I{D0DCD54F-C829-41A5-AF32-71E632BB0E2C}
deskPDF 2.5 Professional Edition --> "C:\Program Files\Docudesk\deskPDF\unins001.exe"
deskPDF 2.5 Standard Edition --> "C:\Program Files\Docudesk\deskPDF\unins000.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Docudesk GPL Ghostscript 8.15 --> "C:\Program Files\Docudesk\GPL Ghostscript\unins000.exe"
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Ghost Recon --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}\Setup.exe"
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 1.99.1 --> C:\Documents and Settings\Ray II\Desktop\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet 8.0 Software --> C:\Program Files\HP\Digital Imaging\{58535A90-1788-44f5-80BB-CFF62D9CE6D5}\setup\hpzscr01.exe -datfile hphscr13.dat -showdisconnect -forcereboot
HP Help and Support --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Integrated Module with Bluetooth wireless technology --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HP User Guides 0012 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{984DED38-AD2A-4143-8412-C3827A920BE5}\setup.exe" -l0x9 -removeonly
HP Wireless Assistant 1.01 C1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE20E2F5-1903-4AAE-B1AF-2046E586C925}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
muvee autoProducer 4.0 - SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe" -l0x9
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Quick Launch Buttons 5.20 D2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Shop for HP Supplies --> C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378\HXFSETUP.EXE -U -Icpl309bk.inf
Sonic Audio Module --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic Copy Module --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic Data Module --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic MyDVD Plus --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Star Wars Jedi Knight Jedi Academy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EECBA68-8BE4-4076-94DF-E9ED206B1D21}\Setup.exe" -l0x9
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FF6F491D-BC82-4DCC-A72F-1824957C6466} /l1033
ubi.com --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}\Setup.exe" UNINSTALL-L0x9 -uninst
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Update Rollup 2 for Windows XP Media Center Edition 2005 -->
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Win2PDF 3.30 --> "C:\WINDOWS\system32\spool\drivers\w32x86\3\Win2PDF\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{7BC43F11-02C8-45FA-ABDC-E2F9FF31F825}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Media Center Edition 2005 KB894553 --> C:\WINDOWS\$NtUninstallKB894553$\spuninst\spuninst.exe
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.2 beta --> "C:\Program Files\WinSCP\unins000.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Zone Deluxe Games --> MsiExec.exe /I{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7147 / Error
Event Submitted/Written: 05/19/2008 06:21:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module flash9c.ocx, version 9.0.45.0, fault address 0x00187d1b.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type7146 / Error
Event Submitted/Written: 05/19/2008 04:25:46 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application acrobat.exe, version 8.1.0.137, faulting module acrobat.dll, version 8.0.0.456, fault address 0x00104dbe.
Processing media-specific event for [acrobat.exe!ws!]

Event Record #/Type7133 / Warning
Event Submitted/Written: 05/16/2008 00:05:39 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{AC76BA86-1033-F400-7760-000000000003}', feature 'AcrobatElements' failed during request for component '{551570F5-5C50-4312-9247-B6919900D522}'

Event Record #/Type7132 / Warning
Event Submitted/Written: 05/16/2008 00:05:39 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{AC76BA86-1033-F400-7760-000000000003}', feature 'Distiller', component '{745064ED-3BE1-4C3B-8371-658F7D7A9E28}' failed. The resource 'C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Data\Fonts\COO_____.PFM' does not exist.

Event Record #/Type7130 / Warning
Event Submitted/Written: 05/16/2008 00:05:27 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{AC76BA86-1033-F400-7760-000000000003}', feature 'AcrobatElements' failed during request for component '{551570F5-5C50-4312-9247-B6919900D522}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type15752 / Warning
Event Submitted/Written: 05/20/2008 10:58:05 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type15694 / Warning
Event Submitted/Written: 05/18/2008 08:37:18 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type15690 / Warning
Event Submitted/Written: 05/17/2008 08:37:15 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type15689 / Warning
Event Submitted/Written: 05/16/2008 07:57:13 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type15565 / Error
Event Submitted/Written: 05/15/2008 05:11:11 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-05-20 11:32:10 ------------


--------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Ray II on 2008-05-20 11:29:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-05-20 16:29:38 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-05-19 21:42:43 UTC - RP5 - System Checkpoint
4: 2008-05-18 18:54:40 UTC - RP4 - System Checkpoint
3: 2008-05-17 18:02:44 UTC - RP3 - System Checkpoint
2: 2008-05-16 17:10:11 UTC - RP2 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-16 16:44:27 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 11.27 GiB (less than 15%) free.


-- HijackThis (run as Ray II.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:31:40 AM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Ray II\Desktop\dss.exe
C:\DOCUME~1\RAYII~1\Desktop\Ray II.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\RAYII~1\Desktop\backups\) -------------

backup-20080515-171030-173 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
backup-20080515-171030-193 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
backup-20080515-171030-262 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20080515-171030-337 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20080515-171030-422 O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
backup-20080515-171030-461 R3 - Default URLSearchHook is missing
backup-20080515-171030-558 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
backup-20080515-171030-640 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20080515-171030-685 O2 - BHO: {7abd113c-a865-04a9-a834-84df6fb130e8} - {8e031bf6-fd48-438a-9a40-568ac311dba7} - C:\WINDOWS\system32\idstrjeh.dll (file missing)
backup-20080515-171030-733 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080515-171030-937 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080515-171030-995 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20080515-171031-110 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
backup-20080515-171031-127 O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\pmnmnMgG.dll (file missing)
backup-20080515-171031-189 O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
backup-20080515-171031-203 O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
backup-20080515-171031-231 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080515-171031-243 O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
backup-20080515-171031-273 O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
backup-20080515-171031-354 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080515-171031-363 O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
backup-20080515-171031-367 O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
backup-20080515-171031-381 O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
backup-20080515-171031-402 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
backup-20080515-171031-463 O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Ray II\lsass.exe
backup-20080515-171031-471 O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
backup-20080515-171031-507 O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
backup-20080515-171031-521 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
backup-20080515-171031-591 O4 - Global Startup: Bluetooth.lnk = ?
backup-20080515-171031-649 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
backup-20080515-171031-651 O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
backup-20080515-171031-687 O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
backup-20080515-171031-706 O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
backup-20080515-171031-773 O2 - BHO: (no name) - {9D5C80F0-B9E7-4C4E-95DD-48ECB408956E} - C:\WINDOWS\system32\rqRKAsQK.dll (file missing)
backup-20080515-171031-802 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
backup-20080515-171031-912 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
backup-20080515-171031-929 O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
backup-20080515-171031-978 O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
backup-20080515-171031-980 O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
backup-20080515-171032-156 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20080515-171032-225 O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
backup-20080515-171032-338 O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080515-171032-421 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080515-171032-492 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
backup-20080515-171032-639 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
backup-20080515-171032-930 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20080515-171032-935 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
backup-20080515-171033-182 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
backup-20080515-171033-326 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1179785135734
backup-20080515-171033-347 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
backup-20080515-171033-447 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080515-171033-453 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
backup-20080515-171033-507 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
backup-20080515-171033-595 O11 - Options group: [INTERNATIONAL] International*
backup-20080515-171033-733 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080515-171033-890 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
backup-20080515-171037-118 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
backup-20080515-171037-129 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080515-171037-224 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20080515-171037-242 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080515-171037-306 O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
backup-20080515-171037-316 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080515-171037-331 O20 - Winlogon Notify: pmnmnMgG - pmnmnMgG.dll (file missing)
backup-20080515-171037-385 O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
backup-20080515-171037-389 O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
backup-20080515-171037-392 O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
backup-20080515-171037-548 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20080515-171037-575 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080515-171037-577 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080515-171037-599 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
backup-20080515-171037-652 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20080515-171037-883 O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
backup-20080515-171037-943 O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
backup-20080515-174022-105 O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
backup-20080515-174022-178 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
backup-20080515-174022-194 O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
backup-20080515-174022-313 O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
backup-20080515-174022-327 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080515-174022-353 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
backup-20080515-174022-360 O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
backup-20080515-174022-393 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080515-174022-536 O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080515-174022-555 O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
backup-20080515-174022-594 O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
backup-20080515-174022-600 O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080515-174022-679 O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
backup-20080515-174022-712 O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
backup-20080515-174022-748 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20080515-174022-761 O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
backup-20080515-174022-810 O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
backup-20080515-174022-822 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...n&pf=laptop
backup-20080515-174022-871 O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
backup-20080515-174022-883 O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
backup-20080515-174022-889 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
backup-20080515-174022-892 O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
backup-20080515-174022-927 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (file missing)
backup-20080515-174022-947 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
backup-20080515-174022-958 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
backup-20080515-174022-990 O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
backup-20080515-174023-113 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080515-174023-197 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080515-174023-214 O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
backup-20080515-174023-225 O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
backup-20080515-174023-227 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080515-174023-407 O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
backup-20080515-174023-439 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080515-174023-500 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
backup-20080515-174023-785 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080515-222440-107 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080515-222440-136 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080515-222440-139 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080515-222440-317 O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
backup-20080515-222440-327 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080515-222440-406 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
backup-20080515-222440-410 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080515-222440-502 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080515-222440-553 O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
backup-20080515-222440-799 O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
backup-20080515-222440-805 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080515-222505-222 O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
backup-20080515-222505-421 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080515-222505-581 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080515-222505-585 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080515-222505-645 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080515-222505-663 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080515-222505-724 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080515-222505-916 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
backup-20080515-222505-938 O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
backup-20080515-222505-994 O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
backup-20080518-133926-137 O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
backup-20080518-133926-152 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080518-133926-193 O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
backup-20080518-133926-370 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080518-133926-383 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080518-133926-390 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080518-133926-460 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080518-133926-556 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080518-133926-659 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
backup-20080518-133926-833 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080518-133926-874 O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
backup-20080518-224956-163 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20080518-224956-221 O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
backup-20080518-224956-255 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080518-224956-420 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
backup-20080518-224956-527 O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
backup-20080518-224956-574 O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
backup-20080518-224956-769 O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
backup-20080518-224956-837 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080518-224956-860 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080518-224956-866 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
backup-20080518-224956-954 O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 drmkaudd - c:\windows\system32\drivers\drmkaudd.sys (file missing)
S3 jbridgep - c:\docume~1\rayii~1\locals~1\temp\jbridgep.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 UFDSVC (UFD Command Service) - c:\windows\system32\ufdsvc.exe <Not Verified; Generic; Generic UFDSVC>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2008-05-13 19:56:03 0 d-------- C:\Documents and Settings\All Users\Application Data\AcrobatInstall
2008-05-11 19:41:40 87328 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-11 19:41:40 3016736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-11 00:27:53 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-10 20:36:55 0 d-------- C:\Documents and Settings\Ray II\Application Data\Viewpoint
2008-05-02 19:37:51 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 19:37:37 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-02 19:25:26 0 d-------- C:\Adobe Acrobat 8 Professional
2008-04-27 20:50:35 0 d-------- C:\Documents and Settings\Administrator.LAP\Application Data\Macromedia
2008-04-27 20:50:35 0 d-------- C:\Documents and Settings\Administrator.LAP\Application Data\Adobe
2008-04-27 18:43:50 0 d-------- C:\Documents and Settings\Administrator.LAP\Application Data\Mozilla
2008-04-27 18:03:36 0 d--hs---- C:\WINDOWS\CSC
2008-04-27 17:05:06 0 d--h----- C:\$AVG8.VAULT$
2008-04-27 17:01:22 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 17:00:36 0 d-------- C:\Program Files\AVG
2008-04-27 17:00:33 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-27 16:49:09 0 d-------- C:\WINDOWS\pss
2008-04-26 19:23:16 0 d-------- C:\Documents and Settings\Administrator.LAP\My Documents
2008-04-26 19:23:16 0 d--h----- C:\Documents and Settings\Administrator.LAP\Local Settings
2008-04-26 19:23:16 0 d-------- C:\Documents and Settings\Administrator.LAP\Favorites
2008-04-26 19:23:16 0 d-------- C:\Documents and Settings\Administrator.LAP\Desktop
2008-04-26 19:23:16 0 d--hs---- C:\Documents and Settings\Administrator.LAP\Cookies
2008-04-26 19:23:16 0 dr-h----- C:\Documents and Settings\Administrator.LAP\Application Data
2008-04-26 19:23:16 0 d---s---- C:\Documents and Settings\Administrator.LAP\Application Data\Microsoft
2008-04-26 19:23:15 0 d--h----- C:\Documents and Settings\Administrator.LAP\Templates
2008-04-26 19:23:15 0 dr------- C:\Documents and Settings\Administrator.LAP\Start Menu
2008-04-26 19:23:15 0 dr-h----- C:\Documents and Settings\Administrator.LAP\SendTo
2008-04-26 19:23:15 0 d--h----- C:\Documents and Settings\Administrator.LAP\Recent
2008-04-26 19:23:15 0 d--h----- C:\Documents and Settings\Administrator.LAP\PrintHood
2008-04-26 19:23:15 0 d--h----- C:\Documents and Settings\Administrator.LAP\NetHood
2008-04-26 19:23:14 786432 --a------ C:\Documents and Settings\Administrator.LAP\NTUSER.DAT
2008-04-26 18:16:00 0 d-------- C:\WINDOWS\system32\bits
2008-04-26 17:58:28 0 d-------- C:\751f87b2e1aa8f71566681e9fc0b
2008-04-26 17:52:19 0 d-------- C:\Documents and Settings\Ray II\Application Data\HouseCall 6.6
2008-04-26 16:59:57 1483316 --ahs---- C:\WINDOWS\system32\oessjajy.ini2
2008-04-25 20:58:21 0 d-------- C:\Program Files\Common Files\zmir
2008-04-25 20:58:19 0 d-------- C:\WINDOWS\zmir
2008-04-25 18:25:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2008-04-25 18:15:02 0 d-------- C:\Program Files\Outerinfo
2008-04-24 19:09:22 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-04-24 19:09:22 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-04-24 19:09:22 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-04-24 19:09:22 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-04-24 19:09:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-24 19:09:21 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-24 17:49:29 4194304 --a------ C:\Documents and Settings\Ray II\ntuser.dat
2008-04-24 17:46:39 523426 --ahs---- C:\WINDOWS\system32\KQsAKRqr.ini2
2008-04-24 17:45:15 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-04-24 17:41:44 0 d-------- C:\WINDOWS\system32\pb1
2008-04-24 17:41:44 0 d-------- C:\WINDOWS\system32\hn3
2008-04-24 17:41:33 0 d-------- C:\WINDOWS\system32\pnVes18
2008-04-24 17:41:32 0 d-------- C:\Temp


-- Find3M Report ---------------------------------------------------------------

2008-05-16 19:56:57 0 d-------- C:\Documents and Settings\Ray II\Application Data\LimeWire
2008-05-11 00:00:42 0 d-------- C:\Program Files\Defender Pro
2008-05-10 23:03:34 0 d-------- C:\Program Files\PeerGuardian2
2008-05-03 20:58:05 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-03 20:58:04 0 d-------- C:\Program Files\Symantec
2008-05-02 19:40:45 0 d-------- C:\Documents and Settings\Ray II\Application Data\Adobe
2008-05-02 19:38:06 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 19:37:37 0 d-------- C:\Program Files\Common Files
2008-05-01 12:59:31 0 d-------- C:\Program Files\LimeWire
2008-04-27 17:50:29 130496 --a------ C:\WINDOWS\HPHins13.dat
2008-04-25 18:09:09 10 --a------ C:\Program Files\.autoreg <AUTORE~1>
2008-04-24 19:41:58 0 d-------- C:\Documents and Settings\Ray II\Application Data\Def
2008-04-24 17:23:50 0 d-------- C:\Program Files\Docudesk
2008-04-22 13:13:42 0 d-------- C:\Program Files\DivX
2008-04-13 23:25:48 0 d-------- C:\Program Files\Java
2008-04-12 14:25:08 0 d-------- C:\Documents and Settings\Ray II\Application Data\uTorrent
2008-04-10 21:38:28 0 d-------- C:\Documents and Settings\Ray II\Application Data\AdobeUM
2008-04-08 12:29:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-08 12:10:56 0 d-------- C:\Program Files\Activision
2008-04-08 11:57:26 96577 --a------ C:\WINDOWS\hpqins16.dat
2008-04-08 11:57:03 0 d-------- C:\Program Files\Hp
2008-04-07 21:26:54 0 d-------- C:\Documents and Settings\Ray II\Application Data\Bin
2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 16:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 16:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 16:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-25 13:51:16 18790 --a------ C:\WINDOWS\system32\ddmon.dll
2008-03-21 15:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 15:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 15:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 15:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKAsQK


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212590f8-05fb-11dc-ac42-806d6172696f}]
AutoRun\command- nsv.bat
explore\Command- nsv.bat
open\Command- nsv.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a6ceec2-05fc-11dc-b114-806d6172696f}]
AutoRun\command- D:\setup\rsrc\Autorun.exe
dinstall\command- D:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9b79fb-0cb2-11dd-b1f1-0014a564aead}]
AutoRun\command- nsv.bat
explore\Command- nsv.bat
open\Command- nsv.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8ea3fb-81dc-11dc-b15c-0014a564aead}]
Auto\command- Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc6108a8-0ed8-11dc-b11d-0014a564aead}]
AutoRun\command- E:\f2ir.com
explore\Command- E:\f2ir.com
open\Command- E:\f2ir.com




-- End of Deckard's System Scanner: finished at 2008-05-20 11:32:10 ------------

#4 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 20 May 2008 - 05:54 PM

Have you received help at another forum for this problem?


Please uninstall the following programs:

µTorrent
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
LimeWire 4.16.7
Viewpoint Media Player

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!


If you feel I have helped you and would like to make a small donation, please click here


#5 Rjp20

Rjp20

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 20 May 2008 - 09:51 PM

No, I haven't received help from another forum. Here's the combofix log and the hijackthis log... Thanks

ComboFix 08-05-20.4 - Ray II 2008-05-20 21:49:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1521 [GMT -5:00]
Running from: C:\Documents and Settings\Ray II\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Ray II\Application Data\Def\CnsMin.dsc
C:\Documents and Settings\Ray II\Application Data\Def\CnsMin.prf
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMa3026a8b.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\'
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\KQsAKRqr.ini
C:\WINDOWS\system32\KQsAKRqr.ini2
C:\WINDOWS\system32\loywtawu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oessjajy.ini
C:\WINDOWS\system32\oessjajy.ini2
C:\WINDOWS\system32\oessjajy.tmp
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 16:25 . 2008-05-20 21:44 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-20 11:28 . 2008-05-20 11:28 <DIR> d-------- C:\Deckard
2008-05-16 19:58 . 2008-05-16 19:59 2,135,438 --a------ C:\Rich Boy & Lil Wayne - Throw Some D's (JF Remix).mp3
2008-05-16 11:45 . 2008-05-16 11:49 5,403,013 --a------ C:\Jean Carne - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 4,956,995 --a------ C:\Mary J Blige, Method Man - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 3,406,913 --a------ C:\Aretha Franklin - You're all I need to get by.mp3
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2008-05-13 19:56 . 2008-05-13 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AcrobatInstall
2008-05-11 19:41 . 2008-05-20 21:53 4,300,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-11 19:41 . 2008-05-20 21:53 187,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-11 19:41 . 2008-05-20 21:53 51,476 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-11 19:41 . 2008-05-20 21:53 18,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-11 00:27 . 2008-05-11 00:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-10 22:34 . 2008-05-10 22:52 5,738,676 --a------ C:\The Isley Brothers ft r. kelly & kelly price - Busted.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,688,214 --a------ C:\Swiss Beats ft. Ron Isley, P. Diddy, Baby, Jadakiss Snoop Dogg, Cassidy & TQ - Bigger Business.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,482,496 --a------ C:\Slow Jams - Isley Brothers - Between The Sheets.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,215,388 --a------ C:\R. Kelly, Ron Isley, Aaron Hall, Charlie Wilson.. Heaven's Girl.mp3
2008-05-10 22:34 . 2008-05-10 22:49 4,529,946 --a------ C:\Kelley Price ft. R Kelly & Ron Isley- Friend of Mine.mp3
2008-05-10 22:34 . 2008-05-10 22:50 4,431,203 --a------ C:\Tupac feat Snoop, Nate Dogg, Dru Hill - All About You.mp3
2008-05-10 22:34 . 2008-05-10 22:51 4,322,096 --a------ C:\R. Kelly-12 Play-Down Low (remix) f. Ron Isley.mp3
2008-05-10 22:34 . 2008-05-10 22:46 4,049,940 --a------ C:\R Kelly f. The Isley Brothers - Down Low.mp3
2008-05-10 22:34 . 2008-05-10 22:46 3,328,488 --a------ C:\Dru Hill - Baby I'm Sorry.mp3
2008-05-10 22:33 . 2008-05-10 22:48 6,386,294 --a------ C:\Dru Hill - I Should Be Your Boyfriend.mp3
2008-05-10 22:33 . 2008-05-10 22:40 4,335,688 --a------ C:\Dru Hill - Beauty is Her Name.mp3
2008-05-10 22:33 . 2008-05-10 22:48 4,294,784 --a------ C:\Dru Hill & Sisqo - Incomplete.mp3
2008-05-02 19:37 . 2008-05-02 19:37 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-02 19:37 . 2008-05-02 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 19:25 . 2008-05-02 19:27 <DIR> d-------- C:\Adobe Acrobat 8 Professional
2008-05-01 23:56 . 2008-05-01 23:57 570,025,984 --a------ C:\Adobe Acrobat 8 Professional.iso
2008-05-01 21:38 . 2008-05-01 21:39 57,884 --a------ C:\trend micro anti-spyware 3.0.zip
2008-05-01 13:28 . 2008-05-01 13:39 4,386,688 --a------ C:\Paul Wall - Hustle and Flow.mp3
2008-05-01 13:28 . 2008-05-01 13:40 4,335,366 --a------ C:\Eighties classic.wma
2008-05-01 13:28 . 2008-05-01 13:42 2,948,756 --a------ C:\Hustle and Flow the soundtrack - DJay - It Ain't Over.MP3
2008-05-01 13:27 . 2008-05-01 13:39 5,812,869 --a------ C:\Hustle and Flow Soundtrack-Whoop That Trick.mp3
2008-04-28 21:29 . 2008-05-13 17:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 21:29 . 2008-04-28 21:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 17:05 . 2008-05-20 12:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-27 17:01 . 2008-05-19 21:09 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 17:01 . 2008-04-27 17:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-27 17:01 . 2008-04-27 17:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Program Files\AVG
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-26 19:23 . 2008-04-27 17:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAP
2008-04-26 18:16 . 2008-04-26 18:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-26 18:15 . 2007-03-29 07:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-26 18:15 . 2007-03-29 07:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-26 17:58 . 2008-04-26 17:58 <DIR> d-------- C:\751f87b2e1aa8f71566681e9fc0b
2008-04-26 17:52 . 2008-04-26 17:52 <DIR> d-------- C:\Documents and Settings\Ray II\Application Data\HouseCall 6.6
2008-04-25 20:58 . 2008-04-25 20:58 <DIR> d-------- C:\WINDOWS\zmir
2008-04-25 20:58 . 2008-04-26 16:49 <DIR> d-------- C:\Program Files\Common Files\zmir
2008-04-25 18:26 . 2008-04-25 18:26 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-04-25 18:09 . 2008-04-25 18:09 10 --a------ C:\Program Files\.autoreg
2008-04-24 19:09 . 2008-04-26 16:50 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-24 17:45 . 2008-04-24 17:45 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-24 17:42 . 2008-04-25 11:15 37,376 --a------ C:\WINDOWS\mrofinu1188.exe.tmp
2008-04-24 17:41 . 2008-04-27 17:56 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-24 17:41 . 2008-04-27 17:56 <DIR> d-------- C:\WINDOWS\system32\pb1
2008-04-24 17:41 . 2008-04-27 17:52 <DIR> d-------- C:\WINDOWS\system32\hn3
2008-04-24 17:41 . 2008-04-24 17:41 <DIR> d-------- C:\Temp\zvebs14
2008-04-24 17:41 . 2008-04-24 17:41 <DIR> d-------- C:\Temp\kvebs14
2008-04-24 17:41 . 2008-05-20 21:49 <DIR> d-------- C:\Temp
2008-04-24 17:41 . 2008-04-24 17:41 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-24 17:41 . 2008-04-24 17:41 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(4).dsk
2008-04-24 17:41 . 2008-04-24 17:41 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk
2008-04-24 17:41 . 2008-04-24 17:41 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk
2008-04-24 17:24 . 2007-03-22 10:31 152,624 --a------ C:\WINDOWS\system32\WIN2PDFS.DLL
2008-04-24 17:24 . 2007-03-22 10:31 21,552 --a------ C:\WINDOWS\system32\WIN2PDFM.DLL
2008-04-24 17:24 . 2006-03-08 18:21 2 --a------ C:\WINDOWS\1way.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 02:53 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Def
2008-05-21 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:54 --------- d-----w C:\Program Files\LimeWire
2008-05-21 01:53 --------- d-----w C:\Program Files\Java
2008-05-20 18:35 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 00:56 --------- d-----w C:\Documents and Settings\Ray II\Application Data\LimeWire
2008-05-15 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 05:00 --------- d-----w C:\Program Files\Defender Pro
2008-05-11 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Defender Pro
2008-05-11 04:03 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-04 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 00:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-24 22:23 --------- d-----w C:\Program Files\Docudesk
2008-04-22 18:13 --------- d-----w C:\Program Files\DivX
2008-04-19 03:10 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-19 03:10 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-12 19:25 --------- d-----w C:\Documents and Settings\Ray II\Application Data\uTorrent
2008-04-11 02:38 --------- d-----w C:\Documents and Settings\Ray II\Application Data\AdobeUM
2008-04-08 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 17:10 --------- d-----w C:\Program Files\Activision
2008-04-08 16:57 --------- d-----w C:\Program Files\Hp
2008-04-08 02:26 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-27 17:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-27 17:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 16:06]
S1 drmkaudd;drmkaudd;C:\WINDOWS\system32\drivers\drmkaudd.sys []
S3 jbridgep;jbridgep;C:\DOCUME~1\RAYII~1\LOCALS~1\Temp\jbridgep.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9b79fb-0cb2-11dd-b1f1-0014a564aead}]
\Shell\AutoRun\command - nsv.bat
\Shell\explore\Command - nsv.bat
\Shell\open\Command - nsv.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8ea3fb-81dc-11dc-b15c-0014a564aead}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc6108a8-0ed8-11dc-b11d-0014a564aead}]
\Shell\AutoRun\command - E:\f2ir.com
\Shell\explore\Command - E:\f2ir.com
\Shell\open\Command - E:\f2ir.com

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 21:54:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\GPX5DLT19GOW4BJR

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-20 22:01:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 03:01:19

Pre-Run: 11,596,070,912 bytes free
Post-Run: 11,595,399,168 bytes free

231 --- E O F --- 2008-05-20 18:35:56

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:47:06 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ray II\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
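
Triage logic for the registry sections that appear in the ComboFix and Deckard dumps above (the MountPoints2 autorun handlers, the extra LSA "Authentication Packages" entry and the Security Center overrides), as an added example; it is not ComboFix's code and not part of the original thread. The sample dump is a constructed copy of lines from the posted logs, and the regexes and the "suspicious handler" rules are my own heuristics, not a published signature set.

```python
"""Triage helper for ComboFix / Deckard style registry dumps (added example
for this thread, not ComboFix's own code). Every rule is a heuristic: a hit
means "look at this", not "this is malware"."""
import re

# Constructed sample: a copy of registry lines from the logs posted above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\rqRKAsQK

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a6ceec2-05fc-11dc-b114-806d6172696f}]
AutoRun\command- D:\setup\rsrc\Autorun.exe
dinstall\command- D:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9b79fb-0cb2-11dd-b1f1-0014a564aead}]
\Shell\AutoRun\command - nsv.bat
\Shell\explore\Command - nsv.bat
\Shell\open\Command - nsv.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8ea3fb-81dc-11dc-b15c-0014a564aead}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc6108a8-0ed8-11dc-b11d-0014a564aead}]
\Shell\AutoRun\command - E:\f2ir.com
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Accepts "AutoRun\command- x" (Deckard) and "\Shell\AutoRun\command - x" (ComboFix).
HANDLER_RE = re.compile(r"^(?:\\?Shell\\)?(?P<verb>[^\\]+)\\command\s*-\s*(?P<cmd>.+)$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
RUNNABLE = (".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs")


def parse_sections(text):
    """Group the non-empty lines of the dump under their [key] header."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def suspicious_autorun(cmd):
    r"""Flag a MountPoints2 handler that runs a bare file name (resolved on the
    removable volume), goes through rundll32's ShellExec_RunDLL, or launches a
    runnable file straight from a volume root (E:\f2ir.com). A vendor installer
    under a subdirectory (D:\setup\rsrc\Autorun.exe) passes."""
    if "shellexec_rundll" in cmd.lower():
        return True
    target = cmd.split()[-1].lower()
    if not target.endswith(RUNNABLE):
        return False
    if re.match(r"^[a-z]:\\", target):
        return target.count("\\") == 1   # file directly under the root
    return "\\" not in target             # bare name, no directory at all


def triage(text):
    """Return (category, key, name, value) tuples worth a human's attention."""
    findings = []
    for key, lines in parse_sections(text).items():
        lk = key.lower()
        if "\\mountpoints2\\" in lk:
            for line in lines:
                m = HANDLER_RE.match(line)
                if m and suspicious_autorun(m.group("cmd").strip()):
                    findings.append(("mountpoints2", key.rsplit("\\", 1)[-1],
                                     m.group("verb"), m.group("cmd").strip()))
        elif lk.endswith("\\control\\lsa"):
            # Every package beside msv1_0 is loaded into LSASS at boot.
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name").lower() == "authentication packages":
                    for pkg in m.group("data").split():
                        if pkg.lower() != "msv1_0":
                            findings.append(("lsa_auth_package", key, m.group("name"), pkg))
        elif lk.endswith("\\security center"):
            # *Override=1 silences Security Center's AV / firewall warnings.
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name").lower().endswith("override") \
                        and m.group("data").lower() == "dword:00000001":
                    findings.append(("security_center_override", key, m.group("name"), m.group("data")))
    return findings
```

`triage(SAMPLE_DUMP)` returns nine findings for the sample: the six autorun handlers, the rqRKAsQK authentication package and the two override values, while the two installer handlers on the D: volume pass.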

#6 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 21 May 2008 - 02:10 AM

I asked if you were receiving help as there are a lot of HijackThis backups in your log. These are created each time a line is removed, and you have a lot of legitimate entries that have been removed, along with some bad ones. Did you remove these yourself?

First let's install the recovery console.

Delete the version of Combofix that you have. Download a new version from Here, Here or Here and save it to your Desktop.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, let's run a Combofix script next:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\mrofinu1188.exe.tmp

Folder::
C:\Temp\zvebs14
C:\Temp\kvebs14
C:\Program Files\LimeWire
C:\Documents and Settings\Ray II\Application Data\LimeWire

Driver::
drmkaudd
jbridgep

DirLook::
C:\751f87b2e1aa8f71566681e9fc0b

C:\WINDOWS\zmir

C:\Program Files\Common Files\zmir

C:\WINDOWS\system32\pnVes18

C:\WINDOWS\system32\pb1

C:\WINDOWS\system32\hn3

Rootkit::
C:\WINDOWS\GPX5DLT19GOW4BJR


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot (in case it asks to reboot), the new Combofix.txt will be located in your C:\ drive.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now let's clean your flash drives and other USB devices:

Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
Regards,
RatHat



#7 Rjp20

Rjp20

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 23 May 2008 - 09:11 AM

I've used HijackThis many years ago, so I kinda understand how to use it. Yes, you are right, I should probably try to recover those removed entries... It was just a not-so-smart attempt to speed up my computer.... What do you think I should do about it?

Here are my logs... Thanks!

ComboFix 08-05-21.2 - Ray II 2008-05-22 22:02:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1553 [GMT -5:00]
Running from: C:\Documents and Settings\Ray II\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ray II\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ray II\Local Settings\Temporary Internet Files\CPV.stt
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-21 00:00 . 2008-05-21 00:00 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-21 00:00 . 2008-05-21 00:00 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-20 23:50 . 2008-05-20 23:53 1,206 --a------ C:\WINDOWS\mozver.dat
2008-05-20 16:25 . 2008-05-20 21:44 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-20 11:28 . 2008-05-20 11:28 <DIR> d-------- C:\Deckard
2008-05-16 19:58 . 2008-05-16 19:59 2,135,438 --a------ C:\Rich Boy & Lil Wayne - Throw Some D's (JF Remix).mp3
2008-05-16 11:45 . 2008-05-16 11:49 5,403,013 --a------ C:\Jean Carne - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 4,956,995 --a------ C:\Mary J Blige, Method Man - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 3,406,913 --a------ C:\Aretha Franklin - You're all I need to get by.mp3
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2008-05-13 19:56 . 2008-05-13 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AcrobatInstall
2008-05-11 19:41 . 2008-05-20 21:53 4,300,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-11 19:41 . 2008-05-20 21:53 187,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-11 19:41 . 2008-05-20 21:53 51,476 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-11 19:41 . 2008-05-20 21:53 18,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-11 00:27 . 2008-05-11 00:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-10 22:34 . 2008-05-10 22:52 5,738,676 --a------ C:\The Isley Brothers ft r. kelly & kelly price - Busted.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,688,214 --a------ C:\Swiss Beats ft. Ron Isley, P. Diddy, Baby, Jadakiss Snoop Dogg, Cassidy & TQ - Bigger Business.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,482,496 --a------ C:\Slow Jams - Isley Brothers - Between The Sheets.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,215,388 --a------ C:\R. Kelly, Ron Isley, Aaron Hall, Charlie Wilson.. Heaven's Girl.mp3
2008-05-10 22:34 . 2008-05-10 22:49 4,529,946 --a------ C:\Kelley Price ft. R Kelly & Ron Isley- Friend of Mine.mp3
2008-05-10 22:34 . 2008-05-10 22:50 4,431,203 --a------ C:\Tupac feat Snoop, Nate Dogg, Dru Hill - All About You.mp3
2008-05-10 22:34 . 2008-05-10 22:51 4,322,096 --a------ C:\R. Kelly-12 Play-Down Low (remix) f. Ron Isley.mp3
2008-05-10 22:34 . 2008-05-10 22:46 4,049,940 --a------ C:\R Kelly f. The Isley Brothers - Down Low.mp3
2008-05-10 22:34 . 2008-05-10 22:46 3,328,488 --a------ C:\Dru Hill - Baby I'm Sorry.mp3
2008-05-10 22:33 . 2008-05-10 22:48 6,386,294 --a------ C:\Dru Hill - I Should Be Your Boyfriend.mp3
2008-05-10 22:33 . 2008-05-10 22:39 4,827,136 --a------ C:\Slow Jams - Dru Hill - 5 Steps.mp3
2008-05-10 22:33 . 2008-05-10 22:40 4,335,688 --a------ C:\Dru Hill - Beauty is Her Name.mp3
2008-05-10 22:33 . 2008-05-10 22:48 4,294,784 --a------ C:\Dru Hill & Sisqo - Incomplete.mp3
2008-05-02 19:37 . 2008-05-02 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 19:25 . 2008-05-02 19:27 <DIR> d-------- C:\Adobe Acrobat 8 Professional
2008-05-01 23:56 . 2008-05-01 23:57 570,025,984 --a------ C:\Adobe Acrobat 8 Professional.iso
2008-05-01 21:38 . 2008-05-01 21:39 57,884 --a------ C:\trend micro anti-spyware 3.0.zip
2008-05-01 13:28 . 2008-05-06 10:59 4,170,231 --a------ C:\Hustle & Flow Soundtrack - DJay - Hard Out Here For A Pimp.mp3
2008-05-01 13:28 . 2008-05-01 13:42 2,948,756 --a------ C:\Hustle and Flow the soundtrack - DJay - It Ain't Over.MP3
2008-05-01 13:27 . 2008-05-01 13:39 5,812,869 --a------ C:\Hustle and Flow Soundtrack-Whoop That Trick.mp3
2008-04-28 21:29 . 2008-05-13 17:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 21:29 . 2008-04-28 21:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 17:05 . 2008-05-20 12:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-27 17:01 . 2008-05-21 22:44 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 17:01 . 2008-04-27 17:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-27 17:01 . 2008-04-27 17:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Program Files\AVG
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-26 19:23 . 2008-04-27 17:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAP
2008-04-26 18:16 . 2008-04-26 18:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-26 18:15 . 2007-03-29 07:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-26 18:15 . 2007-03-29 07:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-26 17:58 . 2008-04-26 17:58 <DIR> d-------- C:\751f87b2e1aa8f71566681e9fc0b
2008-04-26 17:52 . 2008-04-26 17:52 <DIR> d-------- C:\Documents and Settings\Ray II\Application Data\HouseCall 6.6
2008-04-25 20:58 . 2008-04-25 20:58 <DIR> d-------- C:\WINDOWS\zmir
2008-04-25 20:58 . 2008-04-26 16:49 <DIR> d-------- C:\Program Files\Common Files\zmir
2008-04-25 18:09 . 2008-04-25 18:09 10 --a------ C:\Program Files\.autoreg
2008-04-24 19:09 . 2008-04-26 16:50 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-24 17:45 . 2008-04-24 17:45 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-24 17:41 . 2008-04-27 17:56 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-24 17:41 . 2008-04-27 17:56 <DIR> d-------- C:\WINDOWS\system32\pb1
2008-04-24 17:41 . 2008-04-27 17:52 <DIR> d-------- C:\WINDOWS\system32\hn3
2008-04-24 17:41 . 2008-04-24 17:41 <DIR> d-------- C:\Temp\zvebs14
2008-04-24 17:41 . 2008-04-24 17:41 <DIR> d-------- C:\Temp\kvebs14
2008-04-24 17:41 . 2008-05-20 21:49 <DIR> d-------- C:\Temp
2008-04-24 17:24 . 2007-03-22 10:31 152,624 --a------ C:\WINDOWS\system32\WIN2PDFS.DLL
2008-04-24 17:24 . 2007-03-22 10:31 21,552 --a------ C:\WINDOWS\system32\WIN2PDFM.DLL
2008-04-24 17:24 . 2006-03-08 18:21 2 --a------ C:\WINDOWS\1way.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 05:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 02:53 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Def
2008-05-21 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:54 --------- d-----w C:\Program Files\LimeWire
2008-05-21 01:53 --------- d-----w C:\Program Files\Java
2008-05-20 18:35 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-17 00:56 --------- d-----w C:\Documents and Settings\Ray II\Application Data\LimeWire
2008-05-15 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 05:00 --------- d-----w C:\Program Files\Defender Pro
2008-05-11 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Defender Pro
2008-05-11 04:03 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-04 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 22:23 --------- d-----w C:\Program Files\Docudesk
2008-04-22 18:13 --------- d-----w C:\Program Files\DivX
2008-04-19 03:10 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-19 03:10 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-12 19:25 --------- d-----w C:\Documents and Settings\Ray II\Application Data\uTorrent
2008-04-11 02:38 --------- d-----w C:\Documents and Settings\Ray II\Application Data\AdobeUM
2008-04-08 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 17:10 --------- d-----w C:\Program Files\Activision
2008-04-08 16:57 --------- d-----w C:\Program Files\Hp
2008-04-08 02:26 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Bin
.

((((((((((((((((((((((((((((( snapshot@2008-05-20_22.01.03.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 02:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 03:07:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 05:07:54 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2008-05-16 06:12:49 294,072 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-23 03:07:18 293,272 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-27 17:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-27 17:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 16:06]
S1 drmkaudd;drmkaudd;C:\WINDOWS\system32\drivers\drmkaudd.sys []
S3 jbridgep;jbridgep;C:\DOCUME~1\RAYII~1\LOCALS~1\Temp\jbridgep.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9b79fb-0cb2-11dd-b1f1-0014a564aead}]
\Shell\AutoRun\command - nsv.bat
\Shell\explore\Command - nsv.bat
\Shell\open\Command - nsv.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8ea3fb-81dc-11dc-b15c-0014a564aead}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc6108a8-0ed8-11dc-b11d-0014a564aead}]
\Shell\AutoRun\command - E:\f2ir.com
\Shell\explore\Command - E:\f2ir.com
\Shell\open\Command - E:\f2ir.com

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 22:08:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-22 22:15:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 03:15:44
ComboFix2.txt 2008-05-21 03:01:24

Pre-Run: 11,603,664,896 bytes free
Post-Run: 11,782,406,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

221 --- E O F --- 2008-05-20 18:35:56

--------------------------------------------------------------------------------

ComboFix 08-05-21.2 - Ray II 2008-05-22 22:48:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1586 [GMT -5:00]
Running from: C:\Documents and Settings\Ray II\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ray II\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ray II\Application Data\LimeWire
C:\Program Files\LimeWire
C:\Program Files\LimeWire\GenericWindowsUtils.dll
C:\Program Files\LimeWire\Incomplete\downloads.bak
C:\Program Files\LimeWire\Incomplete\downloads.dat
C:\Program Files\LimeWire\Incomplete\T-5528938-Isley Brothers - Between The Sheets.mp3
C:\Program Files\LimeWire\Incomplete\T-5764332-Rich Boy-Throw Some Ds.mp3
C:\Program Files\LimeWire\Incomplete\T-8455850-Rich Boy ft. Lil Jon, Andre 3000, Jim Jones, Too Short, Nelly, Murphy Lee, & Game- Throw Some D's On It (Remix).mp3
C:\Program Files\LimeWire\LimeWire20.dll
C:\Program Files\LimeWire\log4j.properties
C:\Program Files\LimeWire\MessagesBundle.properties
C:\Program Files\LimeWire\update.ver
C:\Program Files\LimeWire\WindowsFirewall.dll
C:\Program Files\LimeWire\WindowsV5PlusUtils.dll
C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\WINDOWS\GPX5DLT19GOW4BJR
C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRMKAUDD
-------\Legacy_JBRIDGEP
-------\Service_drmkaudd
-------\Service_jbridgep


((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-21 00:00 . 2008-05-21 00:00 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-21 00:00 . 2008-05-21 00:00 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-20 23:50 . 2008-05-20 23:53 1,206 --a------ C:\WINDOWS\mozver.dat
2008-05-20 16:25 . 2008-05-20 21:44 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-20 11:28 . 2008-05-20 11:28 <DIR> d-------- C:\Deckard
2008-05-16 19:58 . 2008-05-16 19:59 2,135,438 --a------ C:\Rich Boy & Lil Wayne - Throw Some D's (JF Remix).mp3
2008-05-16 11:45 . 2008-05-16 11:49 5,403,013 --a------ C:\Jean Carne - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 4,956,995 --a------ C:\Mary J Blige, Method Man - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 3,406,913 --a------ C:\Aretha Franklin - You're all I need to get by.mp3
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2008-05-13 19:56 . 2008-05-13 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AcrobatInstall
2008-05-11 19:41 . 2008-05-20 21:53 4,300,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-11 19:41 . 2008-05-20 21:53 187,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-11 19:41 . 2008-05-20 21:53 51,476 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-11 19:41 . 2008-05-20 21:53 18,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-11 00:27 . 2008-05-11 00:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-10 22:34 . 2008-05-10 22:52 5,738,676 --a------ C:\The Isley Brothers ft r. kelly & kelly price - Busted.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,688,214 --a------ C:\Swiss Beats ft. Ron Isley, P. Diddy, Baby, Jadakiss Snoop Dogg, Cassidy & TQ - Bigger Business.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,482,496 --a------ C:\Slow Jams - Isley Brothers - Between The Sheets.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,215,388 --a------ C:\R. Kelly, Ron Isley, Aaron Hall, Charlie Wilson.. Heaven's Girl.mp3
2008-05-10 22:34 . 2008-05-10 22:49 4,529,946 --a------ C:\Kelley Price ft. R Kelly & Ron Isley- Friend of Mine.mp3
2008-05-10 22:34 . 2008-05-10 22:50 4,431,203 --a------ C:\Tupac feat Snoop, Nate Dogg, Dru Hill - All About You.mp3
2008-05-10 22:34 . 2008-05-10 22:51 4,322,096 --a------ C:\R. Kelly-12 Play-Down Low (remix) f. Ron Isley.mp3
2008-05-10 22:34 . 2008-05-10 22:46 4,049,940 --a------ C:\R Kelly f. The Isley Brothers - Down Low.mp3
2008-05-10 22:34 . 2008-05-10 22:46 3,328,488 --a------ C:\Dru Hill - Baby I'm Sorry.mp3
2008-05-10 22:33 . 2008-05-10 22:48 6,386,294 --a------ C:\Dru Hill - I Should Be Your Boyfriend.mp3
2008-05-10 22:33 . 2008-05-10 22:39 4,827,136 --a------ C:\Slow Jams - Dru Hill - 5 Steps.mp3
2008-05-10 22:33 . 2008-05-10 22:40 4,335,688 --a------ C:\Dru Hill - Beauty is Her Name.mp3
2008-05-10 22:33 . 2008-05-10 22:48 4,294,784 --a------ C:\Dru Hill & Sisqo - Incomplete.mp3
2008-05-02 19:37 . 2008-05-02 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 19:25 . 2008-05-02 19:27 <DIR> d-------- C:\Adobe Acrobat 8 Professional
2008-05-01 23:56 . 2008-05-01 23:57 570,025,984 --a------ C:\Adobe Acrobat 8 Professional.iso
2008-05-01 21:38 . 2008-05-01 21:39 57,884 --a------ C:\trend micro anti-spyware 3.0.zip
2008-05-01 13:28 . 2008-05-06 10:59 4,170,231 --a------ C:\Hustle & Flow Soundtrack - DJay - Hard Out Here For A Pimp.mp3
2008-05-01 13:28 . 2008-05-01 13:42 2,948,756 --a------ C:\Hustle and Flow the soundtrack - DJay - It Ain't Over.MP3
2008-05-01 13:27 . 2008-05-01 13:39 5,812,869 --a------ C:\Hustle and Flow Soundtrack-Whoop That Trick.mp3
2008-04-28 21:29 . 2008-05-13 17:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 21:29 . 2008-04-28 21:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 17:05 . 2008-05-20 12:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-27 17:01 . 2008-05-22 22:16 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 17:01 . 2008-04-27 17:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-27 17:01 . 2008-04-27 17:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Program Files\AVG
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-26 19:23 . 2008-04-27 17:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAP
2008-04-26 18:16 . 2008-04-26 18:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-26 18:15 . 2007-03-29 07:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-26 18:15 . 2007-03-29 07:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-26 17:58 . 2008-04-26 17:58 <DIR> d-------- C:\751f87b2e1aa8f71566681e9fc0b
2008-04-26 17:52 . 2008-04-26 17:52 <DIR> d-------- C:\Documents and Settings\Ray II\Application Data\HouseCall 6.6
2008-04-25 20:58 . 2008-04-25 20:58 <DIR> d-------- C:\WINDOWS\zmir
2008-04-25 20:58 . 2008-04-26 16:49 <DIR> d-------- C:\Program Files\Common Files\zmir
2008-04-25 18:09 . 2008-04-25 18:09 10 --a------ C:\Program Files\.autoreg
2008-04-24 19:09 . 2008-04-26 16:50 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-04-24 17:41 . 2008-04-27 17:56 <DIR> d-------- C:\WINDOWS\system32\pnVes18
2008-04-24 17:41 . 2008-04-27 17:56 <DIR> d-------- C:\WINDOWS\system32\pb1
2008-04-24 17:41 . 2008-04-27 17:52 <DIR> d-------- C:\WINDOWS\system32\hn3
2008-04-24 17:41 . 2008-05-22 22:49 <DIR> d-------- C:\Temp
2008-04-24 17:24 . 2007-03-22 10:31 152,624 --a------ C:\WINDOWS\system32\WIN2PDFS.DLL
2008-04-24 17:24 . 2007-03-22 10:31 21,552 --a------ C:\WINDOWS\system32\WIN2PDFM.DLL
2008-04-24 17:24 . 2006-03-08 18:21 2 --a------ C:\WINDOWS\1way.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 05:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 02:53 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Def
2008-05-21 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:53 --------- d-----w C:\Program Files\Java
2008-05-20 18:35 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-15 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 05:00 --------- d-----w C:\Program Files\Defender Pro
2008-05-11 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Defender Pro
2008-05-11 04:03 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-04 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-24 22:23 --------- d-----w C:\Program Files\Docudesk
2008-04-22 18:13 --------- d-----w C:\Program Files\DivX
2008-04-19 03:10 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-19 03:10 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-12 19:25 --------- d-----w C:\Documents and Settings\Ray II\Application Data\uTorrent
2008-04-11 02:38 --------- d-----w C:\Documents and Settings\Ray II\Application Data\AdobeUM
2008-04-08 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 17:10 --------- d-----w C:\Program Files\Activision
2008-04-08 16:57 --------- d-----w C:\Program Files\Hp
2008-04-08 02:26 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Bin
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\751f87b2e1aa8f71566681e9fc0b ----

2008-01-22 20:23 95744 --a------ C:\751f87b2e1aa8f71566681e9fc0b\atl80.dll
2008-01-22 20:23 69160 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ochelpagent.dll
2008-01-22 20:23 626688 --a------ C:\751f87b2e1aa8f71566681e9fc0b\msvcr80.dll
2008-01-22 20:23 597146 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ja-jp\eula.rtf
2008-01-22 20:23 58408 --a------ C:\751f87b2e1aa8f71566681e9fc0b\conflictingappmodule.dll
2008-01-22 20:23 56872 --a------ C:\751f87b2e1aa8f71566681e9fc0b\cert.dll
2008-01-22 20:23 554024 --a------ C:\751f87b2e1aa8f71566681e9fc0b\winssplatform.dll
2008-01-22 20:23 548864 --a------ C:\751f87b2e1aa8f71566681e9fc0b\msvcp80.dll
2008-01-22 20:23 54600 --a------ C:\751f87b2e1aa8f71566681e9fc0b\es-us\eula.rtf
2008-01-22 20:23 522 --a------ C:\751f87b2e1aa8f71566681e9fc0b\microsoft.vc80.crt.manifest
2008-01-22 20:23 4709 --a------ C:\751f87b2e1aa8f71566681e9fc0b\service.xml
2008-01-22 20:23 456 --a------ C:\751f87b2e1aa8f71566681e9fc0b\microsoft.vc80.atl.manifest
2008-01-22 20:23 339496 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ocsetup.exe
2008-01-22 20:23 210984 --a------ C:\751f87b2e1aa8f71566681e9fc0b\winsscommon.dll
2008-01-22 20:23 162503 --a------ C:\751f87b2e1aa8f71566681e9fc0b\de-at\eula.rtf
2008-01-22 20:23 162165 --a------ C:\751f87b2e1aa8f71566681e9fc0b\de-de\eula.rtf
2008-01-22 20:23 161780 --a------ C:\751f87b2e1aa8f71566681e9fc0b\de-ch\eula.rtf
2008-01-22 20:23 159878 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-fr\eula.rtf
2008-01-22 20:23 159258 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-be\eula.rtf
2008-01-22 20:23 158870 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-ca\eula.rtf
2008-01-22 20:23 158236 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-ch\eula.rtf
2008-01-22 20:23 157952 --a------ C:\751f87b2e1aa8f71566681e9fc0b\es-es\eula.rtf
2008-01-22 20:23 157853 --a------ C:\751f87b2e1aa8f71566681e9fc0b\es-mx\eula.rtf
2008-01-22 20:23 157215 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ko-kr\eula.rtf
2008-01-22 20:23 157215 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ja-jp-psloc\eula.rtf
2008-01-22 20:23 155309 --a------ C:\751f87b2e1aa8f71566681e9fc0b\it-it\eula.rtf
2008-01-22 20:23 154394 --a------ C:\751f87b2e1aa8f71566681e9fc0b\nl-be\eula.rtf
2008-01-22 20:23 153735 --a------ C:\751f87b2e1aa8f71566681e9fc0b\nl-nl\eula.rtf
2008-01-22 20:23 148575 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-au\eula.rtf
2008-01-22 20:23 147589 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-ca\eula.rtf
2008-01-22 20:23 146554 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-sg\eula.rtf
2008-01-22 20:23 145964 --a------ C:\751f87b2e1aa8f71566681e9fc0b\eula.rtf
2008-01-22 20:23 145184 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-nz\eula.rtf
2008-01-22 20:23 145133 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-ie\eula.rtf
2008-01-22 20:23 145035 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-gb\eula.rtf
2008-01-22 20:23 132648 --a------ C:\751f87b2e1aa8f71566681e9fc0b\de-de\ocsetupro.dll
2008-01-22 20:23 132648 --a------ C:\751f87b2e1aa8f71566681e9fc0b\de-ch\ocsetupro.dll
2008-01-22 20:23 132648 --a------ C:\751f87b2e1aa8f71566681e9fc0b\de-at\ocsetupro.dll
2008-01-22 20:23 129576 --a------ C:\751f87b2e1aa8f71566681e9fc0b\nl-nl\ocsetupro.dll
2008-01-22 20:23 129576 --a------ C:\751f87b2e1aa8f71566681e9fc0b\nl-be\ocsetupro.dll
2008-01-22 20:23 127016 --a------ C:\751f87b2e1aa8f71566681e9fc0b\es-us\ocsetupro.dll
2008-01-22 20:23 127016 --a------ C:\751f87b2e1aa8f71566681e9fc0b\es-mx\ocsetupro.dll
2008-01-22 20:23 127016 --a------ C:\751f87b2e1aa8f71566681e9fc0b\es-es\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-sg\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-nz\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-ie\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-gb\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-ca\ocsetupro.dll
2008-01-22 20:23 122920 --a------ C:\751f87b2e1aa8f71566681e9fc0b\en-au\ocsetupro.dll
2008-01-22 20:23 121896 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-fr\ocsetupro.dll
2008-01-22 20:23 121896 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-ch\ocsetupro.dll
2008-01-22 20:23 121896 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-ca\ocsetupro.dll
2008-01-22 20:23 121896 --a------ C:\751f87b2e1aa8f71566681e9fc0b\fr-be\ocsetupro.dll
2008-01-22 20:23 120360 --a------ C:\751f87b2e1aa8f71566681e9fc0b\it-it\ocsetupro.dll
2008-01-22 20:23 114728 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ko-kr\ocsetupro.dll
2008-01-22 20:23 105000 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ja-jp-psloc\ocsetupro.dll
2008-01-22 20:23 103976 --a------ C:\751f87b2e1aa8f71566681e9fc0b\ja-jp\ocsetupro.dll

---- Directory of C:\Program Files\Common Files\zmir ----

2004-04-19 21:26 4933375 --a------ C:\Program Files\Common Files\zmir\zmird\class-barrel
2004-04-19 21:26 1234193 --a------ C:\Program Files\Common Files\zmir\zmird\vocabulary

---- Directory of C:\WINDOWS\system32\hn3 ----


---- Directory of C:\WINDOWS\system32\pb1 ----


---- Directory of C:\WINDOWS\system32\pnVes18 ----


---- Directory of C:\WINDOWS\zmir ----

2008-04-25 21:02 4427 --a------ C:\WINDOWS\zmir\zmir.dat
2002-07-26 17:02 153088 --a------ C:\WINDOWS\zmir\wu


((((((((((((((((((((((((((((( snapshot@2008-05-20_22.01.03.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 02:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 03:52:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 05:07:54 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2008-05-16 06:12:49 294,072 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-23 03:07:18 293,272 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-27 17:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-27 17:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 16:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9b79fb-0cb2-11dd-b1f1-0014a564aead}]
\Shell\AutoRun\command - nsv.bat
\Shell\explore\Command - nsv.bat
\Shell\open\Command - nsv.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8ea3fb-81dc-11dc-b15c-0014a564aead}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc6108a8-0ed8-11dc-b11d-0014a564aead}]
\Shell\AutoRun\command - E:\f2ir.com
\Shell\explore\Command - E:\f2ir.com
\Shell\open\Command - E:\f2ir.com

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 22:52:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-22 22:58:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 03:58:45
ComboFix2.txt 2008-05-23 03:15:59
ComboFix3.txt 2008-05-21 03:01:24

Pre-Run: 11,773,710,336 bytes free
Post-Run: 11,761,995,776 bytes free

300 --- E O F --- 2008-05-20 18:35:56

--------------------------------------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 23, 2008 10:05:32 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/05/2008
Kaspersky Anti-Virus database records: 797188
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 97017
Number of viruses found: 16
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 02:22:16

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru10.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru11.tmp Infected: Trojan-PSW.Win32.OnLineGames.acdy skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru12.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru13.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru14.tmp Infected: Worm.Win32.AutoRun.dkf skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru15.tmp Infected: Worm.Win32.AutoRun.dkf skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru16.tmp Infected: Worm.Win32.AutoRun.dlc skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru17.tmp Infected: Worm.Win32.AutoRun.dkw skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru18.tmp Infected: Worm.Win32.AutoRun.dkw skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru19.tmp Infected: Worm.Win32.AutoRun.dkw skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru1A.tmp Infected: Worm.Win32.AutoRun.dkw skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru1B.tmp Infected: Worm.Win32.AutoRun.dlc skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru1C.tmp Infected: Worm.Win32.AutoRun.dlc skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru1D.tmp Infected: Worm.Win32.AutoRun.dle skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru1E.tmp Infected: Worm.Win32.AutoRun.dle skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru1F.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru20.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru21.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru22.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru23.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru24.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru25.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru26.tmp Infected: Worm.Win32.AutoRun.dmt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru27.tmp Infected: Worm.Win32.AutoRun.dmt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru28.tmp Infected: Worm.Win32.AutoRun.dmt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru29.tmp Infected: Worm.Win32.AutoRun.dmt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru2A.tmp Infected: Worm.Win32.AutoRun.dmt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru2B.tmp Infected: Worm.Win32.AutoRun.dmt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru48.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru49.tmp Infected: Worm.Win32.AutoRun.dlz skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru9.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\truA.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\truB.tmp Infected: Trojan-PSW.Win32.OnLineGames.xnw skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\truC.tmp Infected: Trojan-PSW.Win32.OnLineGames.xpu skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\truD.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\truE.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ray II\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ray II\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\history.dat Object is locked skipped
C:\Documents and Settings\Ray II\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\key3.db Object is locked skipped
C:\Documents and Settings\Ray II\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ray II\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ray II\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ray II\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Application Data\Mozilla\Firefox\Profiles\vkg2j1db.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\History\History.IE5\MSHist012008052220080523\index.dat Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Temp\~ROMFN_000005BC Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ray II\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ray II\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ray II\ntuser.dat.LOG Object is locked skipped
C:\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.tmp.vir Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6A21C20C-F591-4FB3-9848-3C0A30AAE1C9}\RP15\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_AC97 Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{663E42DE-3A1E-4E47-9B30-808F6257B2BD}.crmlog Object is locked skipped
C:\WINDOWS\S2AC0027E.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{FB0F43AA-82CB-437E-BAE0-54D0FA7ACE0B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
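Reading a report like this by hand is error-prone, so here is an added example (my code, not code from the thread or from Kaspersky) that parses the three line shapes the online scanner emits and separates live detections from copies that already sit in a removal tool's backup or quarantine folder. The backup/quarantine prefixes and the sample lines are constructed from the paths in the report above; applied to the full report, the same split shows that 41 of the 43 infected objects are under C:\Deckard\System Scanner\20080520162653\backup, one is under C:\QooBox\Quarantine, and the only live detection is C:\Eighties classic.wma.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of result lines copied from the Kaspersky Online
# Scanner report above, plus the header and trailer lines the parser must skip.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru10.tmp Infected: Trojan-PSW.Win32.OnLineGames.xtt skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tru14.tmp Infected: Worm.Win32.AutoRun.dkf skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Deckard\System Scanner\20080520162653\backup\DOCUME~1\RAYII~1\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\Ray II\ntuser.dat Object is locked skipped
C:\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1188.exe.tmp.vir Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# The three line shapes that occur in the report. The online scanner only reports,
# it does not clean, so every result line ends in "skipped".
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
PACKED_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\S+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumption: detections under these prefixes are copies that an earlier removal tool
# already moved out of the way (Deckard System Scanner backups and ComboFix's QooBox
# quarantine both appear on this page), so they are not running on the machine.
NEUTRALISED_PREFIXES = ("c:\\deckard\\system scanner\\", "c:\\qoobox\\quarantine\\")


@dataclass
class Finding:
    path: str
    detection: str   # detection name, or "" for merely locked objects
    status: str      # "live", "neutralised" or "locked"


def classify(path: str) -> str:
    """A detection is live unless the path sits inside a known backup/quarantine tree."""
    lowered = path.lower()
    if any(lowered.startswith(p) for p in NEUTRALISED_PREFIXES):
        return "neutralised"
    return "live"


def parse_report(text: str) -> list[Finding]:
    """Turn the result section of a report into Finding records; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := INFECTED_RE.match(line):
            findings.append(Finding(m["path"], m["name"], classify(m["path"])))
        elif m := PACKED_RE.match(line):
            # A container (here a Wise self-extractor) whose members were flagged above it.
            label = f"{m['packer']} archive, {m['count']} infected members"
            findings.append(Finding(m["path"], label, classify(m["path"])))
        elif m := LOCKED_RE.match(line):
            # Locked objects are files the scanner could not open (registry hives, logs,
            # open browser databases); they are not detections.
            findings.append(Finding(m["path"], "", "locked"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Counts that answer the question a helper asks first: what is still live?"""
    counts = {"infected_objects": 0, "live": 0, "neutralised": 0, "locked": 0}
    for f in findings:
        counts[f.status] += 1
        if f.status != "locked":
            counts["infected_objects"] += 1
    return counts


def live_detections(findings: list[Finding]) -> list[tuple[str, str]]:
    """Paths that still need action, with their detection names."""
    return [(f.path, f.detection) for f in findings if f.status == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarise(found))
    for path, name in live_detections(found):
        print(f"LIVE: {path}  <-  {name}")
```

The "infected objects" count the parser produces is the number of result lines carrying a detection, which is how the scanner itself counts (the Wise self-extractor and each of its four flagged members are separate objects). The locked autorun.inf entry is the folder Flash_Disinfector creates to block autorun worms, which is why it shows up as locked rather than infected.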

#8 RatHat
    Retired Staff-Malware Expert
  • Authentic Member
  • 816 posts

Posted 23 May 2008 - 06:15 PM

I think we are almost there!


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Eighties classic.wma

Driver::
drmkaudd
jbridgep

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9b79fb-0cb2-11dd-b1f1-0014a564aead}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8ea3fb-81dc-11dc-b15c-0014a564aead}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc6108a8-0ed8-11dc-b11d-0014a564aead}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Now please run Flash_Disinfector.exe again, and be sure to run it on all your USB flash drives.

Let me know how your machine is running after completing the above, and when I am happy that it is all OK, we can take a look at the HijackThis backups.

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!

Posted Image

If you feel I have helped you and would like to make a small donation, please click here


#9 RatHat
    Retired Staff-Malware Expert
  • Authentic Member
  • 816 posts

Posted 26 May 2008 - 10:58 PM

Do you still require assistance with this log?

Regards,
RatHat



#10 Rjp20
    New Member
  • Authentic Member
  • 13 posts

Posted 27 May 2008 - 10:51 AM

Yes I still need help....

The system appears to be running fine. I haven't had any more popups that I've seen. Here are the logs. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 11:49:09 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ray II\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-05-21.2 - Ray II 2008-05-26 0:08:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1525 [GMT -5:00]
Running from: C:\Documents and Settings\Ray II\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ray II\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Eighties classic.wma
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Eighties classic.wma

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-24 20:04 . 2008-05-24 20:05 <DIR> d-------- C:\Documents and Settings\Ray II\Application Data\W Photo Studio Viewer
2008-05-23 22:58 . 2008-05-23 23:09 4,222,641 --a------ C:\504 Boys - Tootsie Roll.mp3
2008-05-23 22:57 . 2008-05-23 23:02 4,231,944 --a------ C:\Pretty Willie - Tootsie Roll Pop.mp3
2008-05-23 22:57 . 2008-05-23 22:59 2,089,088 --a------ C:\old school rap - tootsie roll.mp3
2008-05-23 22:55 . 2008-05-23 22:59 <DIR> d-------- C:\Documents and Settings\Ray II\Application Data\LimeWire
2008-05-22 23:15 . 2008-05-22 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 23:14 . 2008-05-22 23:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 00:00 . 2008-05-21 00:00 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-21 00:00 . 2008-05-21 00:00 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-05-20 23:50 . 2008-05-20 23:53 1,206 --a------ C:\WINDOWS\mozver.dat
2008-05-20 16:25 . 2008-05-20 21:44 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-20 11:28 . 2008-05-20 11:28 <DIR> d-------- C:\Deckard
2008-05-16 19:58 . 2008-05-16 19:59 2,135,438 --a------ C:\Rich Boy & Lil Wayne - Throw Some D's (JF Remix).mp3
2008-05-16 11:45 . 2008-05-16 11:49 5,403,013 --a------ C:\Jean Carne - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 4,956,995 --a------ C:\Mary J Blige, Method Man - You Are All I Need.mp3
2008-05-16 11:45 . 2008-05-16 11:47 3,406,913 --a------ C:\Aretha Franklin - You're all I need to get by.mp3
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-05-15 17:32 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2008-05-13 19:56 . 2008-05-13 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AcrobatInstall
2008-05-11 19:41 . 2008-05-24 00:01 4,911,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-11 19:41 . 2008-05-24 00:01 190,752 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-11 19:41 . 2008-05-24 00:01 58,628 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-11 19:41 . 2008-05-24 00:01 18,956 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-11 00:27 . 2008-05-11 00:27 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-10 22:34 . 2008-05-10 22:52 5,738,676 --a------ C:\The Isley Brothers ft r. kelly & kelly price - Busted.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,688,214 --a------ C:\Swiss Beats ft. Ron Isley, P. Diddy, Baby, Jadakiss Snoop Dogg, Cassidy & TQ - Bigger Business.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,482,496 --a------ C:\Slow Jams - Isley Brothers - Between The Sheets.mp3
2008-05-10 22:34 . 2008-05-10 22:46 5,215,388 --a------ C:\R. Kelly, Ron Isley, Aaron Hall, Charlie Wilson.. Heaven's Girl.mp3
2008-05-10 22:34 . 2008-05-10 22:49 4,529,946 --a------ C:\Kelley Price ft. R Kelly & Ron Isley- Friend of Mine.mp3
2008-05-10 22:34 . 2008-05-10 22:50 4,431,203 --a------ C:\Tupac feat Snoop, Nate Dogg, Dru Hill - All About You.mp3
2008-05-10 22:34 . 2008-05-10 22:51 4,322,096 --a------ C:\R. Kelly-12 Play-Down Low (remix) f. Ron Isley.mp3
2008-05-10 22:34 . 2008-05-10 22:46 4,049,940 --a------ C:\R Kelly f. The Isley Brothers - Down Low.mp3
2008-05-10 22:34 . 2008-05-10 22:46 3,328,488 --a------ C:\Dru Hill - Baby I'm Sorry.mp3
2008-05-10 22:33 . 2008-05-10 22:48 6,386,294 --a------ C:\Dru Hill - I Should Be Your Boyfriend.mp3
2008-05-10 22:33 . 2008-05-10 22:39 4,827,136 --a------ C:\Slow Jams - Dru Hill - 5 Steps.mp3
2008-05-10 22:33 . 2008-05-10 22:40 4,335,688 --a------ C:\Dru Hill - Beauty is Her Name.mp3
2008-05-10 22:33 . 2008-05-10 22:48 4,294,784 --a------ C:\Dru Hill & Sisqo - Incomplete.mp3
2008-05-02 19:37 . 2008-05-02 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 19:25 . 2008-05-02 19:27 <DIR> d-------- C:\Adobe Acrobat 8 Professional
2008-05-01 23:56 . 2008-05-01 23:57 570,025,984 --a------ C:\Adobe Acrobat 8 Professional.iso
2008-05-01 21:38 . 2008-05-01 21:39 57,884 --a------ C:\trend micro anti-spyware 3.0.zip
2008-05-01 13:28 . 2008-05-06 10:59 4,170,231 --a------ C:\Hustle & Flow Soundtrack - DJay - Hard Out Here For A Pimp.mp3
2008-05-01 13:28 . 2008-05-01 13:42 2,948,756 --a------ C:\Hustle and Flow the soundtrack - DJay - It Ain't Over.MP3
2008-05-01 13:27 . 2008-05-01 13:39 5,812,869 --a------ C:\Hustle and Flow Soundtrack-Whoop That Trick.mp3
2008-04-28 21:29 . 2008-05-13 17:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 21:29 . 2008-04-28 21:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 17:05 . 2008-05-20 12:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-27 17:01 . 2008-05-25 22:28 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-27 17:01 . 2008-04-27 17:01 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-27 17:01 . 2008-04-27 17:01 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Program Files\AVG
2008-04-27 17:00 . 2008-04-27 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-26 19:23 . 2008-04-27 17:02 <DIR> d-------- C:\Documents and Settings\Administrator.LAP
2008-04-26 18:16 . 2008-04-26 18:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-26 18:15 . 2007-03-29 07:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-26 18:15 . 2007-03-29 07:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-26 17:58 . 2008-04-26 17:58 <DIR> d-------- C:\751f87b2e1aa8f71566681e9fc0b
2008-04-26 17:52 . 2008-04-26 17:52 <DIR> d-------- C:\Documents and Settings\Ray II\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 05:01 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-21 05:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-21 02:53 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Def
2008-05-21 01:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:53 --------- d-----w C:\Program Files\Java
2008-05-20 18:35 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-15 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-11 05:00 --------- d-----w C:\Program Files\Defender Pro
2008-05-11 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Defender Pro
2008-05-04 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Symantec
2008-05-04 01:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-26 21:49 --------- d-----w C:\Program Files\Common Files\zmir
2008-04-25 23:09 10 ----a-w C:\Program Files\.autoreg
2008-04-24 22:23 --------- d-----w C:\Program Files\Docudesk
2008-04-22 18:13 --------- d-----w C:\Program Files\DivX
2008-04-19 03:10 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-19 03:10 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-12 19:25 --------- d-----w C:\Documents and Settings\Ray II\Application Data\uTorrent
2008-04-11 02:38 --------- d-----w C:\Documents and Settings\Ray II\Application Data\AdobeUM
2008-04-08 17:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 17:10 --------- d-----w C:\Program Files\Activision
2008-04-08 16:57 --------- d-----w C:\Program Files\Hp
2008-04-08 02:26 --------- d-----w C:\Documents and Settings\Ray II\Application Data\Bin
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 18:51 18,790 ----a-w C:\WINDOWS\system32\ddmon.dll
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-20_22.01.03.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 02:54:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 00:54:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 05:07:54 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2008-05-16 06:12:49 294,072 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-05-23 03:07:18 293,272 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-27 17:01]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-27 17:00]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 16:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 00:11:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 0:12:44
ComboFix-quarantined-files.txt 2008-05-26 05:12:38
ComboFix2.txt 2008-05-23 03:58:50
ComboFix3.txt 2008-05-23 03:15:59
ComboFix4.txt 2008-05-21 03:01:24

Pre-Run: 11,674,222,592 bytes free
Post-Run: 11,663,847,424 bytes free

204 --- E O F --- 2008-05-20 18:35:56
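The Reg Loading Points section of a ComboFix log is a REGEDIT4-style dump with ComboFix's own annotations (a "[date time size]" tag after each Run value, some values printed unquoted), so a plain .reg parser will not read it. As an added example (my code, not ComboFix's or the forum's), here is a small parser for that dump with two checks a helper would want from it: Security Center values that switch off XP's antivirus/firewall monitoring or alerting, and the firewall's authorized-application list. The sample fragment is copied from the log above; the set of Security Center value names is an assumption from my own knowledge of XP SP2 rather than from the page (the page itself only shows AntiVirusOverride, FirewallOverride and DisableMonitoring set to 1).

```python
import re

# Constructed sample: lines copied from the "Reg Loading Points" section of the
# ComboFix log above. Note the trailing "[date time size]" annotations and the
# unquoted InstallVisualStyle value, neither of which is valid REGEDIT4.
SAMPLE_FRAGMENT = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Internet Security 6.0\\avp.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<raw>.*)$')

# Security Center values (HKLM\SOFTWARE\Microsoft\Security Center and its
# Monitoring\<vendor> subkeys) that, when non-zero, stop XP from monitoring or
# warning about antivirus/firewall state. Assumption from XP SP2 knowledge, not
# from the page: only the first two and DisableMonitoring appear in the log.
SECURITY_CENTER = "hkey_local_machine\\software\\microsoft\\security center"
OVERRIDE_NAMES = {
    "antivirusoverride", "firewalloverride", "antivirusdisablenotify",
    "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring",
}


def decode_value(raw: str):
    """Decode the right-hand side of a ComboFix registry line."""
    raw = raw.strip()
    if raw == "":
        return ""                       # ComboFix prints firewall list entries with no data
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)         # REG_DWORD is printed as 8 hex digits
    if raw.startswith('"'):
        end = raw.find('"', 1)          # drop ComboFix's "[date time size]" annotation
        return raw[1:end] if end > 0 else raw[1:]
    return raw                          # bare REG_SZ / REG_EXPAND_SZ value


def parse_reg_fragment(text: str) -> dict[str, dict[str, object]]:
    """Map each [key] to its {value name: decoded data}; value names are unescaped."""
    reg: dict[str, dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if m := KEY_RE.match(line):
            current = m["key"]
            reg.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m["name"].replace("\\\\", "\\")   # REGEDIT4 doubles backslashes in names
            reg[current][name] = decode_value(m["raw"])
    return reg


def security_center_overrides(reg: dict[str, dict[str, object]]) -> list[tuple[str, str, int]]:
    """Non-zero override/notification-suppression values under the Security Center key."""
    hits = []
    for key, values in reg.items():
        if not key.lower().startswith(SECURITY_CENTER):
            continue
        for name, value in values.items():
            if name.lower() in OVERRIDE_NAMES and isinstance(value, int) and value != 0:
                hits.append((key, name, value))
    return hits


def firewall_exceptions(reg: dict[str, dict[str, object]]) -> list[str]:
    """Programs allowed through the Windows Firewall (the AuthorizedApplications list)."""
    return [name for key, values in reg.items()
            if key.lower().endswith("\\authorizedapplications\\list")
            for name in values]


if __name__ == "__main__":
    reg = parse_reg_fragment(SAMPLE_FRAGMENT)
    for key, name, value in security_center_overrides(reg):
        print(f"Security Center suppressed: {name}={value} in [{key}]")
    for exe in firewall_exceptions(reg):
        print(f"Firewall exception: {exe}")
```

Override values are legitimately written by some third-party security suites, so the check only surfaces them for a person to judge. In this log they sit alongside a firewall exception for the Defender Pro suite whose service HijackThis reports as "file missing", which is the kind of leftover worth reviewing once the infection itself is dealt with.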



#11 RatHat
    Retired Staff-Malware Expert
  • Authentic Member
  • 816 posts

Posted 27 May 2008 - 11:16 PM

Looks like you could be clear! But let's run an F-Secure online scan to make sure:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient

Regards,
RatHat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to join the fight against Malware? Click here to find out how.

Please do not PM me asking for support. Post on the forums instead :)
Please post the final results, good or bad. We like to know!


If you feel I have helped you and would like to make a small donation, please click here


#12 Rjp20

Rjp20

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 29 May 2008 - 02:01 PM

I think the viruses are completely gone :notworthy: :notworthy: :thumbup: Thank you sooo much! Also, what about the hijack this log and the things that need to be recovered?

Scanning Report
Thursday, May 29, 2008 12:31:56 - 15:01:17
Computer name: LAP
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 1 malware found
Tracking Cookie (spyware)
  * System

Statistics
Scanned:
  * Files: 55070
  * System: 4728
  * Not scanned: 8
Actions:
  * Disinfected: 0
  * Renamed: 0
  * Deleted: 0
  * None: 1
  * Submitted: 0
Files not scanned:
  * C:\HIBERFIL.SYS
  * C:\PAGEFILE.SYS
  * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  * C:\WINDOWS\SYSTEM32\CONFIG\SAM
  * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
  * C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{137D7433-F5AC-4893-9E1E-DBFAFC3A3B5B}.BIN

Options
Scanning engines:
  * F-Secure USS: 2.30.0
  * F-Secure Hydra: 2.8.8110, 2008-05-29
  * F-Secure AVP: 7.0.171, 2008-05-29
  * F-Secure Pegasus: 1.20.0, 2008-04-14
  * F-Secure Blacklight: 1.0.68
Scanning options:
  * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
  * Use Advanced heuristics

Copyright © 1998-2007 Product support | Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name. This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#13 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 30 May 2008 - 03:34 AM

Could you post me a final HijackThis log, then I can compare it against the backups and see what needs to be restored. Regards, RatHat



#14 Rjp20

Rjp20

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 30 May 2008 - 09:29 PM

Here it is... Thanks! I know for sure that AVG needs to be restored....

thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 10:29:16 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ray II\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

#15 RatHat

RatHat

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPip
  • 816 posts

Posted 31 May 2008 - 08:36 PM

Open HiJackThis
  • Click on the "Open the Misc Tools section" button
  • Click on "Backups"
  • Check the following:

    backup-20080515-171030-193 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    backup-20080515-171030-937 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    backup-20080515-171031-203 O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    backup-20080515-171031-363 O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    backup-20080515-171031-402 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    backup-20080515-171031-471 O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    backup-20080515-171031-507 O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    backup-20080515-171031-521 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    backup-20080515-171031-649 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    backup-20080515-171031-651 O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    backup-20080515-171031-687 O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    backup-20080515-171031-706 O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    backup-20080515-171031-802 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    backup-20080515-171031-912 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    backup-20080515-171031-929 O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    backup-20080515-171031-978 O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    backup-20080515-171032-156 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    backup-20080515-171032-492 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
    backup-20080515-171032-930 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    backup-20080515-171033-507 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    backup-20080515-171037-224 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    backup-20080515-171037-242 O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    backup-20080515-171037-575 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

  • Click Restore
  • Answer Yes at the prompt
  • Exit HijackThis
Now reboot your computer, and post me a fresh HijackThis log.

Note that you may have to re-install AVG as I am not sure if any of the files are missing.

Regards,
RatHat

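
The comparison RatHat describes in post #13 ("compare it against the backups and see what needs to be restored") and applies by hand in post #15 can be scripted. The Python below is an added example for this thread; it is not HijackThis's own code and not something RatHat posted. It assumes the plain-text layout of a HijackThis 1.99.1 log (entry lines such as `O4 - ...` and `O23 - ...`, everything else skipped) and of the Misc Tools "Backups" list (the same lines prefixed with `backup-YYYYMMDD-HHMMSS-NNN`). The regexes, the `Entry` class and the function names are this example's own choices, and the sample log and backup lines are constructed from the kinds of entries seen in this thread.

```python
"""Compare a HijackThis log with HijackThis backup entries.

Added example: not part of the thread and not HijackThis's own code. It
assumes the plain-text layout of a HijackThis 1.99.1 log (entry lines such as
'O4 - ...', 'O23 - ...') and of the Misc Tools 'Backups' list (the same lines
prefixed with 'backup-YYYYMMDD-HHMMSS-NNN'). Every name below is this
example's own choice.
"""
import re
from dataclasses import dataclass

# One HijackThis entry: section code (R0-R3, F0-F3, N1-N4, O1-O24), ' - ', then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# A line of the Backups list: backup id, one space, then a normal entry line.
BACKUP_RE = re.compile(r"^(?P<id>backup-\d{8}-\d{6}-\d+) (?P<entry>[RFNO]\d{1,2} - .+)$")


@dataclass(frozen=True)
class Entry:
    code: str   # e.g. 'O23'
    body: str   # everything after 'O23 - '

    def key(self):
        """Identity used to match a backup against the current log."""
        return (self.code, self.body.strip())

    @property
    def file_missing(self):
        """HijackThis appends '(file missing)' when the target path does not exist."""
        return "(file missing)" in self.body


def parse_log(text):
    """Return the entry lines of a HijackThis log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def parse_backups(text):
    """Return {backup_id: Entry} for every line of the Backups list."""
    backups = {}
    for line in text.splitlines():
        m = BACKUP_RE.match(line.strip())
        if m:
            e = ENTRY_RE.match(m["entry"])
            backups[m["id"]] = Entry(e["code"], e["body"])
    return backups


def backups_to_restore(log_entries, backups):
    """Backup ids whose entry is no longer present in the current log (sorted)."""
    present = {e.key() for e in log_entries}
    return sorted(bid for bid, e in backups.items() if e.key() not in present)


def missing_file_entries(log_entries):
    """Entries still registered although HijackThis could not find their file."""
    return [e for e in log_entries if e.file_missing]


# Constructed sample input, assembled from the kinds of lines seen in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Defender Pro Internet Security (AVP) - Unknown owner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe" -r (file missing)
"""

SAMPLE_BACKUPS = r"""backup-20080515-171031-363 O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
backup-20080515-171033-507 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
backup-20080515-171037-575 O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    backups = parse_backups(SAMPLE_BACKUPS)
    print("Backups not present in the current log (candidates for Restore):")
    for bid in backups_to_restore(log, backups):
        print(f"  {bid}  {backups[bid].code} - {backups[bid].body}")
    print("Current entries whose file HijackThis reports missing:")
    for e in missing_file_entries(log):
        print(f"  {e.code} - {e.body}")
```

On the constructed sample the AVG watchdog service is already back in the log, so only the AVG tray and linkscanner backups are listed for Restore, while the orphaned "Defender Pro" service entry is flagged because HijackThis marked its file as missing. The match is on the exact entry text, which is what a reviewer compares by eye; an entry that was re-created at a different path would not match and would still be reported.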
