WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93085 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Recent bad juju - please help...

Started by Mig , Jun 09 2008 06:51 PM

Please log in to reply

36 replies to this topic

#1 Mig

New Member

Authentic Member
18 posts

Posted 09 June 2008 - 06:51 PM

Dear All-Knowing Techs :notworthy:

,

I'll try to keep this short and sweet as I know that you techs juggle thru many help wanted posts throughout this forum.
Here are my symptoms:

- desktop blocked by all encompasing .gif warning of my "privacy is in danger - download privacy protection" with red background (Address: file:///C:/WINDOWS/privacy_danger/images/spacer.gif).

- missing regular entries on right side of start menu like: My Computer, Control Panel, Run..., etc. The right side with recent items looks fine.

- C: drive is hidden when I open My Computer and is also hidden in folder tree along with control panel but can be accesed when I type them in address bar.

- cannot bring up Task Manager when using ctrl+alt+del or ctrl+shift+esc (side note: I read a tip on how to fix the reg entry on this but I figured I should wait for guidance before I even try to do anything).

- Avast 4.8 detects: csrssc.exe\[FSG] is infected by Win32:Agent-BSU [Trj], Moved to chest, also these entries:
File C:\Program Files\Common Files\s?mbols\w?nword.exe\[PECompact] is infected by Win32:PurityScan-BD [Trj], Moved to chest
File C:\System Volume Information\_restore{84FA38BA-8AB0-4E19-B35F-1E9C9A609C2C}\RP1263\A0231933.exe\[PECompact] is infected by Win32:PurityScan-BD [Trj], Moved to chest
File C:\System Volume Information\_restore{84FA38BA-8AB0-4E19-B35F-1E9C9A609C2C}\RP1263\A0231934.exe is infected by Win32:GaoBot-2458 [Trj], Moved to chest.
Even more trojans and viruses are in the Avast virus chest now.

- every now and then I would get a pop-up with Internet Explorer (without it even running) about a system-defender site.

- clock on taskbar has a new side entry that reads VIRUS ALERT! also found on System Properties under Registered to: entry (please see attached pic).

It would be greatly appreciated if someone would be so kind to offer help. By the way, I do have this report from HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11: VIRUS ALERT!, on 6/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Documents and Settings\f4ucorsair\cftmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avast4\ashDisp.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\utilman.exe
C:\Program Files\Sony Ericsson\W600i\File Manager\fmgrsrv.exe
C:\Program Files\Sony Ericsson\W600i\Mobile Phone Monitor\epmworker.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: nmwegbsf - {CF9BAB30-8E3C-4D10-B8C1-428B16A38D69} - C:\WINDOWS\nmwegbsf.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\f4ucorsair\cftmon.exe
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\f4ucorsair\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Mekznx] "C:\Program Files\Common Files\s?mbols\w?nword.exe" (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://downloadcente...trolLite_EN.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162651316640
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...24/QDow_AS2.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D662A14E-6017-11D5-B92C-0080AD7A7022} (Open3DPlayer Class) - http://www.kaiyodo.c...pen3DPlayer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O21 - SSODL: adgpfoxs - {D38104CB-DD53-48DD-81CF-7BC76ACFE143} - C:\WINDOWS\adgpfoxs.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe

--
End of file - 8882 bytes

Attached Thumbnails

Advertisements

Register to Remove

#2 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 June 2008 - 03:38 PM

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#3 Mig

New Member

Authentic Member
18 posts

Posted 10 June 2008 - 04:15 PM

Hey LDTate,

Thanks for taking notice and personal time to look into my problem. I have downloaded both programs but haven't run them because "View Tab" is hidden from me. Is there another way to get to changing those options? At the moment my pc is kinda sluggish, tries to send out email that Avast catches and every time-stamp (when I look at details of a certain file) has "VIRUS ALERT!" added to it. Also, Avast's virus chest is filling up with both trojans and viruses. One time Avast's alerted me that even the HJT .txt file that I first posted is also now infected with a trojan - is this true? Again, thank you for your time and help. I will be standing by for further instructions before taking any steps. Here is a new HJT log:

----------
I meant to say - Under tools menu I am only shown: Map Network Drive..., Disconnect Networt Drive..., Synchronize... but no Folder Options.
----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14: VIRUS ALERT!, on 6/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Documents and Settings\f4ucorsair\cftmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avast4\ashDisp.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~3\OFFICE11\WINWORD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: nmwegbsf - {CF9BAB30-8E3C-4D10-B8C1-428B16A38D69} - C:\WINDOWS\nmwegbsf.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\f4ucorsair\cftmon.exe
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\f4ucorsair\cftmon.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Mekznx] "C:\Program Files\Common Files\s?mbols\w?nword.exe" (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://downloadcente...trolLite_EN.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162651316640
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...24/QDow_AS2.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D662A14E-6017-11D5-B92C-0080AD7A7022} (Open3DPlayer Class) - http://www.kaiyodo.c...pen3DPlayer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Alerter - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Bluetooth Support Service (BthServ) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Wired AutoConfig (Dot3svc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Extensible Authentication Protocol Service (EapHost) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Health Key and Certificate Management Service (hkmsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Access Protection Agent (napagent) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe

--
End of file - 13715 bytes

Edited by Mig, 10 June 2008 - 04:42 PM.

#4 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 10 June 2008 - 04:31 PM

Lets try a different scan.

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it atleast 20-30 minutes to finish

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#5 Mig

New Member

Authentic Member
18 posts

Posted 10 June 2008 - 07:47 PM

Finished running ComboFix. Weird thing was as ComboFix was shutting down my pc the Utility Manager kicked on and stayed on while the "saving settings..." screen was running. So, I let it be - an hour and a half later it was still at this state. Looked at the LED on the front and not much action was going on so I decided to hit the restart button (sorry :blush:

) Everything looks and feels back to normal. :woot:

Again, I really do appreciate your time and guidance - I feel like I should be paying for your service. Here is the ComboFix report and a new HJT log:

********************
Update: I do get a warning from Avast everytime I preview this post and it gives me the option to abort connection.
This is what it found: Win32:Mhtplo-30 [Trj].
********************

ComboFix 08-06-10.1 - f4ucorsair 2008-06-10 15:56:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.524 [GMT -7:00]
Running from: C:\Documents and Settings\f4ucorsair\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\f4ucorsair\Application Data\.#
C:\Documents and Settings\f4ucorsair\Application Data\.#\MBX@768@14439D0.###
C:\Documents and Settings\f4ucorsair\Application Data\.#\MBX@768@14439E0.###
C:\Documents and Settings\f4ucorsair\cftmon.exe
C:\Documents and Settings\f4ucorsair\Favorites\Error Cleaner.url
C:\Documents and Settings\f4ucorsair\Favorites\Privacy Protector.url
C:\Documents and Settings\f4ucorsair\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\LocalService\cftmon.exe
C:\Program Files\dobe~1
C:\Program Files\dobe~1\?dobe\
C:\WINDOWS\adgpfoxs.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\eobp.exe
C:\WINDOWS\nmwegbsf.dll
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bzsqlpa.sys
C:\WINDOWS\system32\config\systemprofile\cftmon.exe
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\drivers\PhiBtn.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\Tray900.exe
C:\WINDOWS\system32\gljfrfu.dll
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\xbqmfsed.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_fci
-------\Service_bzsqlpa
-------\Service_clbdriver
-------\Legacy_Schedule
-------\Service_Schedule

((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-09 16:05 . 2008-06-10 15:13 <DIR> d-------- C:\HijackThis
2008-06-09 15:36 . 2008-06-09 15:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 08:43 . 2008-06-09 08:43 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-09 08:32 . 2003-03-31 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-09 08:32 . 2008-06-09 09:51 2 --a------ C:\483240137
2008-06-08 10:12 . 2008-02-22 04:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-06-08 10:10 . 2008-06-08 10:10 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-06-08 02:52 . 2008-06-08 02:52 <DIR> d-------- C:\Program Files\SlySoft
2008-06-08 01:56 . 2008-06-09 01:02 201 --a------ C:\WINDOWS\ClonyDrives.ini
2008-06-08 01:28 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-06-08 01:28 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-06-08 01:28 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-06-08 01:28 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
2008-06-07 19:46 . 2008-06-08 00:47 <DIR> d-------- C:\Program Files\SAMSUNG
2008-06-07 13:00 . 2008-06-09 03:12 481 --a------ C:\WINDOWS\Clony2.ini
2008-06-07 12:39 . 2008-06-08 09:12 <DIR> d-------- C:\Program Files\A-Ray Scanner
2008-06-07 12:29 . 2008-06-07 12:29 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 21:30 . 2003-01-27 14:27 94,208 --a------ C:\WINDOWS\system32\wmpuice.dll
2008-06-06 18:14 . 2008-06-06 18:14 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\COWON
2008-06-06 18:12 . 2008-06-06 18:12 <DIR> d-------- C:\Program Files\JetAudio
2008-06-06 18:12 . 2008-06-06 18:12 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-06-06 15:39 . 2008-06-06 16:13 <DIR> d-------- C:\Program Files\Rainlendar2
2008-06-06 15:32 . 2008-06-06 15:31 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-06-06 15:32 . 2008-06-06 15:32 12,896 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-06-06 14:25 . 2008-06-08 18:26 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-06 13:17 . 2008-06-06 13:17 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\Games
2008-06-06 13:04 . 2008-06-06 13:04 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-06 13:04 . 2008-06-06 13:04 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-06 13:04 . 2008-06-06 13:04 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-06 13:04 . 2008-06-06 13:04 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-01 20:30 . 2008-06-01 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-06-01 20:22 . 2007-07-26 09:25 47,360 -ra------ C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 47,104 -ra------ C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 42,112 -ra------ C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 39,808 -ra------ C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 32,000 -ra------ C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-06-01 20:21 . 2008-06-01 20:21 <DIR> d-------- C:\Program Files\SRS Labs
2008-05-26 06:25 . 2008-05-26 07:51 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-26 06:25 . 2007-08-21 01:13 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-05-24 01:17 . 2008-05-26 07:50 <DIR> d-------- C:\Program Files\UltimateDefrag
2008-05-22 21:52 . 2008-05-22 21:52 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\TomTom
2008-05-19 01:00 . 2008-05-19 01:34 <DIR> d-------- C:\Program Files\Blaze Media Pro
2008-05-19 00:13 . 2008-05-19 00:13 <DIR> d-------- C:\Program Files\Common Files\Xuisoft
2008-05-19 00:11 . 2008-05-19 00:33 <DIR> d-------- C:\Program Files\Blaze Gif Creator
2008-05-17 22:33 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-17 22:33 . 2008-05-17 22:33 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-17 22:33 . 2008-05-17 22:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-16 01:24 . 2008-05-16 01:37 <DIR> d-------- C:\Program Files\Adobe Audition V3
2008-05-14 23:57 . 2008-05-14 23:57 <DIR> d-------- C:\Program Files\GetDiz
2008-05-14 23:57 . 2008-05-14 23:57 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\Outertech
2008-05-13 16:52 . 2008-05-13 16:52 <DIR> d-------- C:\Program Files\pepakuraviewer2
2008-05-13 03:33 . 2008-05-13 19:24 966 --a------ C:\WINDOWS\ARPR.INI
2008-05-13 00:48 . 2008-05-13 00:48 <DIR> d-------- C:\Program Files\LimeWire
2008-05-13 00:48 . 2008-06-08 21:39 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\LimeWire
2008-05-12 03:40 . 2008-05-12 03:40 <DIR> d-------- C:\Program Files\FileMenu Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-10 06:01 --------- d-----w C:\Program Files\WinTV
2008-06-10 03:45 --------- d-----w C:\Program Files\Avast4
2008-06-09 16:36 --------- d-----w C:\Program Files\AVG Anti-Rootkit Free
2008-06-09 05:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 07:55 --------- d-----w C:\Program Files\SamsungODD
2008-06-07 17:46 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-07 07:28 --------- d-----w C:\Program Files\CD Art Display
2008-06-06 20:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 21:36 --------- d-----w C:\Program Files\QuickTime
2008-05-26 14:51 --------- d-----w C:\Program Files\Folder Lock
2008-05-25 15:46 --------- d-----w C:\Program Files\SUPER
2008-05-19 08:48 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\AdobeUM
2008-05-19 08:15 --------- d-----w C:\Program Files\DivX
2008-05-19 07:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 07:47 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\DVD Flick
2008-05-18 05:37 --------- d-----w C:\Program Files\Zune
2008-05-16 08:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 06:20 --------- d-----w C:\Program Files\FL Studio 8
2008-05-14 02:31 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\Media Player Classic
2008-05-11 00:07 --------- d-----w C:\Program Files\Vista Drive Icon
2008-05-10 09:51 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-09 23:52 --------- d-----w C:\Program Files\KeePass Password Safe
2008-05-08 01:57 --------- d-----w C:\Documents and Settings\Isis\Application Data\Logitech
2008-05-07 10:57 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-05-06 08:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-04-30 02:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-28 04:24 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\InfraRecorder
2008-04-28 04:22 --------- d-----w C:\Program Files\InfraRecorder
2008-04-22 21:22 --------- d-----w C:\Program Files\Vstplugins
2008-04-22 21:22 --------- d-----w C:\Program Files\Image-Line
2008-04-22 21:21 --------- d-----w C:\Program Files\Outsim
2008-04-22 06:27 --------- d-----w C:\Program Files\Illustrate
2008-04-22 05:07 --------- d-----w C:\Program Files\Audacity
2008-04-18 22:00 --------- d-----w C:\Program Files\FreePOPs
2008-04-18 06:51 --------- d-----w C:\Program Files\Bonjour
2008-04-18 06:14 --------- d-----w C:\Program Files\Rar Player
2008-04-18 05:46 --------- d-----w C:\Program Files\iTunes
2008-04-18 05:46 --------- d-----w C:\Program Files\iPod
2008-04-18 05:41 --------- d-----w C:\Program Files\Apple Software Update
2008-04-18 05:40 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-18 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 03:20 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\dBpoweramp
2008-04-14 02:58 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\AccurateRip
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2006-02-23 15:16 34,048 ----a-w C:\Program Files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 45,056 ----a-w C:\Program Files\mozilla firefox\plugins\upd62int.dll
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2007-01-07 09:29 8 --sh--r C:\WINDOWS\system32\4095B84B92.sys
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CF9BAB30-8E3C-4D10-B8C1-428B16A38D69}"= "C:\WINDOWS\nmwegbsf.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{cf9bab30-8e3c-4d10-b8c1-428b16a38d69}]
[HKEY_CLASSES_ROOT\nmwegbsf.1]
[HKEY_CLASSES_ROOT\TypeLib\{C5DA9CE1-22DB-4F02-B4CD-C476A454847E}]
[HKEY_CLASSES_ROOT\nmwegbsf]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-05-15 21:25 98304]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2008-04-29 16:32 3215360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lweu"="C:\PROGRA~1\DOBE~1\wucrtupd.exe" [ ]
"Mekznx"="C:\Program Files\Common Files\s?mbols\w?nword.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2008-01-05 22:27:47 106551]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-26 06:12:54 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-24 16:09 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"vidc.dvsd"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=C:\WINDOWS\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^f4ucorsair^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\f4ucorsair\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\f4ucorsair\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
C:\temp\CXTPLS~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-05-15 16:19 79224 C:\PROGRA~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
--a------ 2004-04-26 16:21 270336 C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
--a------ 2005-01-19 17:44 140288 C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2006-06-13 05:20 127036 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDXGhost]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 17:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 12:01 1037736 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
-r------- 2005-06-09 19:44 81920 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
--a------ 2002-09-03 18:38 987187 C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lweu]
C:\Documents and Settings\f4ucorsair\Application Data\rlal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MISAggregator]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFTray]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhiBtn]
C:\WINDOWS\System32\drivers\PhiBtn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerMate]
--a------ 2004-03-22 23:17 73728 C:\Program Files\Griffin Technology\PowerMate\\PowerMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-06-13 22:58 167936 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 13:52 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\W600i\Application Launcher\Application Launcher /Minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-18 14:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIWatcher]
C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--a------ 2006-07-20 03:04 118784 C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"InCDsrv"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ZESOFT"=2 (0x2)
"RoxLiveShare"=2 (0x2)
"gearsec"=2 (0x2)
"iPod Service"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"avast! Mail Scanner"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"SageTV"=3 (0x3)
"LightScribeService"=2 (0x2)
"CTDevice_Srv"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"ose"=3 (0x3)
"comHost"=3 (0x3)
"WmcCdsLs"=3 (0x3)
"WmcCds"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"LBTServ"=3 (0x3)
"IDriverT"=3 (0x3)
"HauppaugeTVServer"=3 (0x3)
"Diskeeper"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"AvgCoreSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Symantec Core LC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=
"C:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\TSReaderLite\\TSReaderLite.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 18:28]
S0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-08-27 17:18]
S3 SPC610NC;SPC 610NC Laptop Camera;C:\WINDOWS\system32\DRIVERS\SPC610NC.SYS [2007-01-19 18:14]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 16:04]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 16:04]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 16:04]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 16:04]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 16:04]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 05:47]
S4 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2005-11-30 11:43]
S4 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 16:11]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 04:40]
S4 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{331CD936-E57F-CA33-0800-030208070802}]
C:\WINDOWS\system32\shelldir.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FEBA229B-E85A-D529-2F6E-88E0B0D2681C}]
C:\WINDOWS\system32:shelldir.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 12:29:47 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 17:00:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-06-10 17:05:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 00:05:18

Pre-Run: 4,340,486,144 bytes free
Post-Run: 4,237,721,600 bytes free

482 --- E O F --- 2008-05-17 22:55:41

-------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57, on 6/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Avast4\ashDisp.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: nmwegbsf - {CF9BAB30-8E3C-4D10-B8C1-428B16A38D69} - C:\WINDOWS\nmwegbsf.dll (file missing)
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-18\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Mekznx] "C:\Program Files\Common Files\s?mbols\w?nword.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://downloadcente...trolLite_EN.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162651316640
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...24/QDow_AS2.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D662A14E-6017-11D5-B92C-0080AD7A7022} (Open3DPlayer Class) - http://www.kaiyodo.c...pen3DPlayer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7579 bytes

#6 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 June 2008 - 06:01 AM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\483240137
C:\WINDOWS\system\Wowpost.exe
C:\WINDOWS\nmwegbsf.dll
C:\Program Files\Common Files\s?mbols\w?nword.exe
C:\PROGRA~1\DOBE~1\wucrtupd.exe
C:\temp\CXTPLS~1.exe
C:\Documents and Settings\f4ucorsair\cftmon.exe
C:\Documents and Settings\f4ucorsair\Application Data\rlal.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\shelldir.exe
C:\WINDOWS\system32:shelldir.exe

Folder::
C:\Program Files\Common Files\s?mbols
C:\PROGRA~1\DOBE~1
C:\Documents and Settings\f4ucorsai
C:\PROGRA~1\COMMON~1\WinTools
C:\Program Files\Bonjour

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CF9BAB30-8E3C-4D10-B8C1-428B16A38D69}"=-
[-HKEY_CLASSES_ROOT\clsid\{cf9bab30-8e3c-4d10-b8c1-428b16a38d69}]
[-HKEY_CLASSES_ROOT\nmwegbsf.1]
[-HKEY_CLASSES_ROOT\TypeLib\{C5DA9CE1-22DB-4F02-B4CD-C476A454847E}]
[-HKEY_CLASSES_ROOT\nmwegbsf]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lweu"="-
"Mekznx"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{331CD936-E57F-CA33-0800-030208070802}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FEBA229B-E85A-D529-2F6E-88E0B0D2681C}]

Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#7 Mig

New Member

Authentic Member
18 posts

Posted 11 June 2008 - 02:05 PM

LDTate :notworthy:

Everything seems to be back to normal except for a desktop setting I need to ask you about next time. Thank you for all your time and help so far!
Thank you for doing what you do!

Here are my new HJT log and CF report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24, on 6/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-18\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://downloadcente...trolLite_EN.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162651316640
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...24/QDow_AS2.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D662A14E-6017-11D5-B92C-0080AD7A7022} (Open3DPlayer Class) - http://www.kaiyodo.c...pen3DPlayer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7182 bytes

*******************************************************************

ComboFix 08-06-10.1 - f4ucorsair 2008-06-11 12:08:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512 [GMT -7:00]
Running from: C:\Documents and Settings\f4ucorsair\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\f4ucorsair\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\483240137
C:\Documents and Settings\f4ucorsair\Application Data\rlal.exe
C:\Documents and Settings\f4ucorsair\cftmon.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\DOBE~1\wucrtupd.exe
C:\temp\CXTPLS~1.exe
C:\WINDOWS\nmwegbsf.dll
C:\WINDOWS\system\Wowpost.exe
C:\WINDOWS\system32:shelldir.exe
C:\WINDOWS\system32\shelldir.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\483240137
C:\PROGRA~1\COMMON~1\WinTools
C:\PROGRA~1\COMMON~1\WinTools\WToolsC.cfg
C:\PROGRA~1\COMMON~1\WinTools\WToolsD.cfg
C:\PROGRA~1\COMMON~1\WinTools\WToolsP.cfg
C:\Program Files\Bonjour
C:\Program Files\Bonjour\About Bonjour.rtf
C:\Program Files\Bonjour\mdnsNSP.dll
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system\Wowpost.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-09 16:05 . 2008-06-11 11:59 <DIR> d-------- C:\HijackThis
2008-06-09 15:36 . 2008-06-09 15:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 08:43 . 2008-06-09 08:43 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-09 08:32 . 2003-03-31 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-08 10:12 . 2008-02-22 04:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-06-08 10:10 . 2008-06-08 10:10 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-06-08 02:52 . 2008-06-08 02:52 <DIR> d-------- C:\Program Files\SlySoft
2008-06-08 01:56 . 2008-06-09 01:02 201 --a------ C:\WINDOWS\ClonyDrives.ini
2008-06-08 01:28 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
2008-06-08 01:28 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
2008-06-08 01:28 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
2008-06-07 19:46 . 2008-06-08 00:47 <DIR> d-------- C:\Program Files\SAMSUNG
2008-06-07 13:00 . 2008-06-09 03:12 481 --a------ C:\WINDOWS\Clony2.ini
2008-06-07 12:39 . 2008-06-08 09:12 <DIR> d-------- C:\Program Files\A-Ray Scanner
2008-06-07 12:29 . 2008-06-07 12:29 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 21:30 . 2003-01-27 14:27 94,208 --a------ C:\WINDOWS\system32\wmpuice.dll
2008-06-06 18:14 . 2008-06-06 18:14 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\COWON
2008-06-06 18:12 . 2008-06-06 18:12 <DIR> d-------- C:\Program Files\JetAudio
2008-06-06 18:12 . 2008-06-06 18:12 <DIR> d-------- C:\Program Files\Common Files\COWON
2008-06-06 15:39 . 2008-06-06 16:13 <DIR> d-------- C:\Program Files\Rainlendar2
2008-06-06 15:32 . 2008-06-06 15:31 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-06-06 15:32 . 2008-06-06 15:32 12,896 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-06-06 14:25 . 2008-06-08 18:26 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-06 13:17 . 2008-06-06 13:17 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\Games
2008-06-06 13:04 . 2008-06-06 13:04 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-06 13:04 . 2008-06-06 13:04 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-06-06 13:04 . 2008-06-06 13:04 278,984 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-06-06 13:04 . 2008-06-06 13:04 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-01 20:30 . 2008-06-01 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-06-01 20:22 . 2007-07-26 09:25 47,360 -ra------ C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 47,104 -ra------ C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 42,112 -ra------ C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 39,808 -ra------ C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2008-06-01 20:22 . 2007-07-26 09:25 32,000 -ra------ C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2008-06-01 20:21 . 2008-06-01 20:21 <DIR> d-------- C:\Program Files\SRS Labs
2008-05-26 06:25 . 2008-06-11 04:41 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-05-26 06:25 . 2007-08-21 01:13 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-05-24 01:17 . 2008-05-26 07:50 <DIR> d-------- C:\Program Files\UltimateDefrag
2008-05-22 21:52 . 2008-05-22 21:52 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\TomTom
2008-05-19 01:00 . 2008-05-19 01:34 <DIR> d-------- C:\Program Files\Blaze Media Pro
2008-05-19 00:13 . 2008-05-19 00:13 <DIR> d-------- C:\Program Files\Common Files\Xuisoft
2008-05-19 00:11 . 2008-05-19 00:33 <DIR> d-------- C:\Program Files\Blaze Gif Creator
2008-05-17 22:33 . 2008-03-21 13:57 14,640 --------- C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-17 22:33 . 2008-05-17 22:33 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-17 22:33 . 2008-05-17 22:33 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-16 01:24 . 2008-05-16 01:37 <DIR> d-------- C:\Program Files\Adobe Audition V3
2008-05-14 23:57 . 2008-05-14 23:57 <DIR> d-------- C:\Program Files\GetDiz
2008-05-14 23:57 . 2008-05-14 23:57 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\Outertech
2008-05-13 16:52 . 2008-05-13 16:52 <DIR> d-------- C:\Program Files\pepakuraviewer2
2008-05-13 03:33 . 2008-05-13 19:24 966 --a------ C:\WINDOWS\ARPR.INI
2008-05-13 00:48 . 2008-05-13 00:48 <DIR> d-------- C:\Program Files\LimeWire
2008-05-13 00:48 . 2008-06-08 21:39 <DIR> d-------- C:\Documents and Settings\f4ucorsair\Application Data\LimeWire
2008-05-12 03:40 . 2008-05-12 03:40 <DIR> d-------- C:\Program Files\FileMenu Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 12:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-10 06:01 --------- d-----w C:\Program Files\WinTV
2008-06-10 03:45 --------- d-----w C:\Program Files\Avast4
2008-06-09 16:36 --------- d-----w C:\Program Files\AVG Anti-Rootkit Free
2008-06-09 05:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 07:55 --------- d-----w C:\Program Files\SamsungODD
2008-06-07 07:28 --------- d-----w C:\Program Files\CD Art Display
2008-06-06 20:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 21:36 --------- d-----w C:\Program Files\QuickTime
2008-05-26 14:51 --------- d-----w C:\Program Files\Folder Lock
2008-05-25 15:46 --------- d-----w C:\Program Files\SUPER
2008-05-19 08:48 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\AdobeUM
2008-05-19 08:15 --------- d-----w C:\Program Files\DivX
2008-05-19 07:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-19 07:47 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\DVD Flick
2008-05-18 05:37 --------- d-----w C:\Program Files\Zune
2008-05-16 08:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-16 06:20 --------- d-----w C:\Program Files\FL Studio 8
2008-05-14 02:31 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\Media Player Classic
2008-05-11 00:07 --------- d-----w C:\Program Files\Vista Drive Icon
2008-05-10 09:51 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-09 23:52 --------- d-----w C:\Program Files\KeePass Password Safe
2008-05-08 01:57 --------- d-----w C:\Documents and Settings\Isis\Application Data\Logitech
2008-05-07 10:57 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-05-06 08:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-04-30 02:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-28 04:24 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\InfraRecorder
2008-04-28 04:22 --------- d-----w C:\Program Files\InfraRecorder
2008-04-22 21:22 --------- d-----w C:\Program Files\Vstplugins
2008-04-22 21:22 --------- d-----w C:\Program Files\Image-Line
2008-04-22 21:21 --------- d-----w C:\Program Files\Outsim
2008-04-22 06:27 --------- d-----w C:\Program Files\Illustrate
2008-04-22 05:07 --------- d-----w C:\Program Files\Audacity
2008-04-18 22:00 --------- d-----w C:\Program Files\FreePOPs
2008-04-18 06:14 --------- d-----w C:\Program Files\Rar Player
2008-04-18 05:46 --------- d-----w C:\Program Files\iTunes
2008-04-18 05:46 --------- d-----w C:\Program Files\iPod
2008-04-18 05:41 --------- d-----w C:\Program Files\Apple Software Update
2008-04-18 05:40 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-18 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 03:20 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\dBpoweramp
2008-04-14 02:58 --------- d-----w C:\Documents and Settings\f4ucorsair\Application Data\AccurateRip
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2006-02-23 15:16 34,048 ----a-w C:\Program Files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 45,056 ----a-w C:\Program Files\mozilla firefox\plugins\upd62int.dll
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2007-01-07 09:29 8 --sh--r C:\WINDOWS\system32\4095B84B92.sys
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
.

((((((((((((((((((((((((((((( snapshot@2008-06-10_17.04.53.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 23:59:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 19:13:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 19:14:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTZDetec.exe"="C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe" [2007-05-15 21:25 98304]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2008-04-29 16:32 3215360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lweu"="C:\PROGRA~1\DOBE~1\wucrtupd.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2008-01-05 22:27:47 106551]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-26 06:12:54 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 2008-05-02 02:42 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-24 16:09 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"vidc.dvsd"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=C:\WINDOWS\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^f4ucorsair^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\f4ucorsair\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\f4ucorsair\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
C:\temp\CXTPLS~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-05-15 16:19 79224 C:\PROGRA~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootSkin Startup Jobs]
--a------ 2004-04-26 16:21 270336 C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
--a------ 2005-01-19 17:44 140288 C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2006-06-13 05:20 127036 C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDXGhost]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 17:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-08-31 12:01 1037736 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-08-09 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
-r------- 2005-06-09 19:44 81920 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
--a------ 2002-09-03 18:38 987187 C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lweu]
C:\Documents and Settings\f4ucorsair\Application Data\rlal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MISAggregator]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFTray]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhiBtn]
C:\WINDOWS\System32\drivers\PhiBtn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerMate]
--a------ 2004-03-22 23:17 73728 C:\Program Files\Griffin Technology\PowerMate\\PowerMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-06-13 22:58 167936 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-10-22 13:52 75584 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\W600i\Application Launcher\Application Launcher /Minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-18 14:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIWatcher]
C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
--a------ 2006-07-20 03:04 118784 C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-04-29 19:56 158624 C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UStorage Server Service"=2 (0x2)
"RoxWatch"=2 (0x2)
"RoxUpnpServer"=2 (0x2)
"RoxUPnPRenderer"=3 (0x3)
"RoxMediaDB"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"InCDsrv"=2 (0x2)
"AdobeActiveFileMonitor"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ZESOFT"=2 (0x2)
"RoxLiveShare"=2 (0x2)
"gearsec"=2 (0x2)
"iPod Service"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"avast! Mail Scanner"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"aswUpdSv"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"SageTV"=3 (0x3)
"LightScribeService"=2 (0x2)
"CTDevice_Srv"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"ose"=3 (0x3)
"comHost"=3 (0x3)
"WmcCdsLs"=3 (0x3)
"WmcCds"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"LBTServ"=3 (0x3)
"IDriverT"=3 (0x3)
"HauppaugeTVServer"=3 (0x3)
"Diskeeper"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"ATI Smart"=2 (0x2)
"AvgCoreSvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Symantec Core LC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=
"C:\\Program Files\\Roxio\\Digital Home 8\\RoxUpnpServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\TSReaderLite\\TSReaderLite.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 16:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 16:16]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 18:28]
S0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-08-27 17:18]
S3 SPC610NC;SPC 610NC Laptop Camera;C:\WINDOWS\system32\DRIVERS\SPC610NC.SYS [2007-01-19 18:14]
S3 w600bus;Sony Ericsson W600 driver (WDM);C:\WINDOWS\system32\DRIVERS\w600bus.sys [2005-08-15 16:04]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys [2005-08-15 16:04]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\w600mdm.sys [2005-08-15 16:04]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys [2005-08-15 16:04]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\w600obex.sys [2005-08-15 16:04]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 05:47]
S4 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2005-11-30 11:43]
S4 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 16:11]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 04:40]
S4 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
S4 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-29 12:29:47 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job"
- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 12:14:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\F4UCOR~1\LOCALS~1\Temp\catchme.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-06-11 12:19:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-11 19:19:21
ComboFix2.txt 2008-06-11 00:05:26

Pre-Run: 4,355,338,240 bytes free
Post-Run: 4,338,204,672 bytes free

462 --- E O F --- 2008-05-17 22:55:41

#8 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 June 2008 - 03:39 PM

Are you using a Proxy Server?

Please do not delete anything unless instructed to.

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Lweu] "C:\PROGRA~1\DOBE~1\wucrtupd.exe" -vt ygw (User 'Default user')
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - http://downloadcente...trolLite_EN.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.1...m::/on-line.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...24/QDow_AS2.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

Close ALL windows and browsers except HijackThis and click "Fix checked"

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#9 Mig

New Member

Authentic Member
18 posts

Posted 11 June 2008 - 04:34 PM

I don't think I'm using a proxy server - how do I check? My PC acts normal now - thanks to you! :woot:

About that desktop setting: I used to able to hide the desktop icons (I lkie my desktop clutter free and use docks instead) and still have the desktop background image still showing. Now when I hide the icons the desktop background turns into a blank blue screen. How do I fix this?
Please see before hiding icons and after hiding icons attachment.
Here is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09, on 6/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162651316640
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D662A14E-6017-11D5-B92C-0080AD7A7022} (Open3DPlayer Class) - http://www.kaiyodo.c...pen3DPlayer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5995 bytes

Attached Thumbnails

#10 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 June 2008 - 04:37 PM

Try these. 1. Click Start, and then click Control Panel. 2. Double-click Display, click the Desktop tab, and then click Customize Desktop. 3. Select Restore Defaults 1. Click Start, and then click Control Panel. 2. Double-click Display, click the Desktop tab, and then click Customize Desktop. then click the web tab, then under the web pages to display on your desktop if it has "security" you uncheck this and delete

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Advertisements

Register to Remove

#11 Mig

New Member

Authentic Member
18 posts

Posted 11 June 2008 - 04:53 PM

Tried those and rebooted to see if anything took - it didn't. I'm thinking the registry entry for this setting was re-written by the virus because that was one of the symptoms I noticed. That it had change my desktop to show a waring: infected sign\screen. Otherwise everything else is back to normal - again, thank you very much!

#12 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 June 2008 - 05:10 PM

We're not finished yet

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#13 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 June 2008 - 05:14 PM

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

[list]

Next:
Post a new HijackThis log

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#14 Mig

New Member

Authentic Member
18 posts

Posted 11 June 2008 - 05:18 PM

Uninstallation done and here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:21, on 6/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\FL Studio 8\FL.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec....ta/nprdtinf.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122fd.bay12...es/MsnPUpld.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162651316640
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D662A14E-6017-11D5-B92C-0080AD7A7022} (Open3DPlayer Class) - http://www.kaiyodo.c...pen3DPlayer.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6000 bytes

#15 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 11 June 2008 - 05:27 PM

Log looks great. So right now your desktop is a blank blue? That screenshot you posted shows something in the very top left corner. What is that?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme