Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Red circle with white X

Started by mully215 , Feb 20 2008 03:35 AM

Please log in to reply

#1
mully215

Posted 20 February 2008 - 03:35 AM

Member

Member
18 posts

I have been researching the problem with this malware and have tried a few different approaches. The problem I am stuck with now is that I am trying to install hijackthis and it wont let me open or execute the file. I am just guessing that is because of the malware. I am just not sure on where to go from here.

It is just the red circle with white X in my toolbar and says that my computer is infected.

I have Windows Xp sp2

I am pretty well rounded when it comes to computers but this one has just stumped me.

Thanks,
Justin M.

#2
kahdah

Posted 20 February 2008 - 08:17 AM

GeekU Teacher

Retired Staff
15,822 posts

Hello mully215

Welcome to G2Go.

================
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will receive a prompt:
- Do you want to skip supplementary searches?
  click NO
If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Edited by kahdah, 20 February 2008 - 08:18 AM.
spelling

#3
mully215

Posted 20 February 2008 - 12:02 PM

Member

Topic Starter
Member
18 posts

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Aim6" = "*i" (unwritable string) [file not found]
"Creative Detector" = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]
"LDM" = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Rainlendar2" = "C:\Program Files\Rainlendar2\Rainlendar2.exe" [null data]
"braviax" = "C:\WINDOWS\system32\braviax.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"MimBoot" = "C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" ["Musicmatch, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"McAfeeUpdaterUI" = ""C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey" ["McAfee, Inc."]
"DLCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16" [MS]
"dlccmon.exe" = ""C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"" ["Dell"]
"PWRISOVM.EXE" = "C:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"MWLExe" = "C:\Program Files\Mcafee\MWL\MWLGui.exe /Start" ["McAfee, Inc."]
"McENUI" = "C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide" ["McAfee, Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"psyspy-2.1.4 Client Server" = "C:\WINDOWS\system32\telecms.exe" [null data]
"braviax" = "braviax.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{BF05BB6E-442C-428B-8025-82280B7BC26C}" = "Zen Micro Media Explorer"
-> {HKLM...CLSID} = "Zen Micro Media Explorer"
\InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll" ["Creative Technology Ltd"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll" [null data]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{E81FFB23-40E2-431C-A041-76AEA0E4B04C}" = "Nameext"
-> {HKLM...CLSID} = "Enterprise Projects"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\NAMEEXT.DLL" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]
"{D426CFD0-87FC-4906-98D9-A23F5D515D61}" = "Windows Desktop Search Outlook Express ISearchFolder Class"
-> {HKLM...CLSID} = "Windows Desktop Search Outlook Express SearchProtocol Class"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\OEPH.dll" [MS]
"{3AFCEAFB-FFC5-403D-AD33-5914AB4B7ECC}" = "Sldworks Shell Extension"
-> {HKLM...CLSID} = "SldShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\SolidWorks Shared\sldshellutilsu.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "cru629.dat" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> Antiwpa\DLLName = "antiwpa.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Program Files\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll" [null data]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
-> {HKLM...CLSID} = "MShellExtMenu Class"
\InProcServer32\(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Desktop Background.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Desktop Background.bmp"

Startup items in "Justin" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Justin\Start Menu\Programs\Startup
"MagicDisc" -> shortcut to: "C:\Program Files\MagicDisc\MagicDisc.exe" ["MagicISO, Inc."]
"OneNote 2007 Screen Clipper and Launcher" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\KEM.exe" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Ralink Wireless Utility" -> shortcut to: "C:\Program Files\RALINK\Common\RaUI.exe" ["Ralink Technology, Corp."]
"Windows Desktop Search" -> shortcut to: "C:\Program Files\Windows Desktop Search\WindowsSearch.exe /startup" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"McDefragTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe "C:\WINDOWS\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]
"RegCure Program Check" -> launches: "C:\Program Files\RegCure\RegCure.exe ShowReminders" [null data]
"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\4144\SiteAdv.dll" ["McAfee, Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "C:\Program Files\PartyGaming\PartyPoker\RunApp.exe" [empty string]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
dlcc_device, dlcc_device, "C:\WINDOWS\system32\dlcccoms.exe -service" [empty string]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
McAfee Framework Service, McAfeeFramework, ""C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart" ["McAfee, Inc."]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SpamKiller Service, MSK80Service, ""C:\Program Files\McAfee\MSK\MskSrver.exe"" ["McAfee, Inc."]
McAfee Wireless Network Security Service, MWLSvc, "C:\Program Files\Mcafee\MWL\MwlSvc.exe" ["McAfee, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
OneStep Search Service, OneStep Search Service, ""C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service" ["OneStepSearch.net, Inc."]
SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]
SQL Server VSS Writer, SQLWriter, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Program Files\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Dell 924 Port\Driver = "dlcclmpm.DLL" [empty string]

---------- (launch time: 2008-02-20 11:54:49)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 207 seconds.
---------- (total run time: 268 seconds)

#4
kahdah

Posted 21 February 2008 - 07:05 PM

GeekU Teacher

Retired Staff
15,822 posts

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\telecms.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\cru629.dat
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================
After that Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

(Note :If this program will not run try to rename it to Kahdah.exe then run it again)

#5
mully215

Posted 23 February 2008 - 04:19 PM

Member

Topic Starter
Member
18 posts

Alright here is the OTMoveIt log

C:\WINDOWS\system32\braviax.exe moved successfully.
C:\WINDOWS\system32\telecms.exe moved successfully.
C:\WINDOWS\cru629.dat moved successfully.
C:\WINDOWS\system32\cru629.dat moved successfully.

OTMoveIt2 v1.0.20 log created on 02232008_160447

Than here is main.txt

Deckard's System Scanner v20071014.68
Run by Justin on 2008-02-23 16:10:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
35: 2008-02-23 22:10:56 UTC - RP402 - Deckard's System Scanner Restore Point
34: 2008-02-23 01:56:01 UTC - RP401 - System Checkpoint
33: 2008-02-22 01:14:19 UTC - RP400 - System Checkpoint
32: 2008-02-20 05:52:11 UTC - RP399 - System Checkpoint
31: 2008-02-19 05:38:14 UTC - RP398 - System Checkpoint

-- First Restore Point --
1: 2007-11-25 12:17:32 UTC - RP368 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-23 16:14:23
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MWL\MwlGui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\telecms.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\telecms.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\McAfee\MWL\MwlSvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Justin\Desktop\Kahad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\RunServices: [psyspy-2.1.4 Client Server] C:\WINDOWS\system32\telecms.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O4 - Global Startup: Windows Desktop Search.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O23 - Service: McAfee Application Installer Cleanup (0070921203804351) (0070921203804351mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007092~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\McAfee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11119 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S1 mferkdk (VSCore mferkdk) - c:\program files\mcafee\virusscan enterprise\mferkdk.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 OneStep Search Service - "c:\program files\onestepsearch\onestep.exe" "c:\program files\onestepsearch\onestep.dll" service <Not Verified; OneStepSearch.net, Inc.; OneStep Search>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 0070921203804351mcinstcleanup (McAfee Application Installer Cleanup (0070921203804351)) - c:\windows\temp\007092~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)
S3 SolidWorks Licensing Service - "c:\program files\common files\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-23 16:00:21 440 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-02-18 08:30:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-15 04:22:43 352 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-02-14 03:11:09 374 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-02-12 14:56:01 354 --a------ C:\WINDOWS\Tasks\McQcTask.job

-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-23 16:05:50 0 d-------- C:\WINDOWS\LastGood
2008-02-20 03:37:22 0 d-------- C:\HJT
2008-02-20 03:04:17 0 d-------- C:\Program Files\Trend Micro
2008-02-20 02:20:02 0 d-------- C:\Program Files\Enigma Software Group
2008-02-20 01:48:46 6656 --a------ C:\WINDOWS\system32\users32.dat
2008-02-20 01:48:45 729 --a------ C:\WINDOWS\system32\winistr.exe
2008-02-20 01:46:54 13312 --a------ C:\WINDOWS\braviax.exe
2008-02-20 01:45:01 3638 --a------ C:\mpibdmy.exe
2008-02-20 01:44:40 50176 --a------ C:\iggc.exe
2008-02-20 01:44:16 57344 --a------ C:\hoxpa.exe
2008-02-13 21:29:55 0 d-------- C:\Program Files\Realtek Sound Manager
2008-02-13 21:29:54 0 d-------- C:\Program Files\AvRack
2008-02-13 21:29:49 40960 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-02-13 21:29:41 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-02-13 21:29:41 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-02-12 15:08:47 277616 --a------ C:\WINDOWS\system32\mcgdmgr.dll <Not Verified; McAfee, Inc; McAfee Security Download Control>
2008-02-12 14:50:35 0 d-------- C:\Program Files\SiteAdvisor
2008-02-12 14:50:35 0 d-------- C:\Documents and Settings\Justin\Application Data\SiteAdvisor
2008-02-12 14:50:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-12 14:48:52 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-02-12 14:47:43 0 d-------- C:\Program Files\McAfee.com
2008-02-06 19:08:00 0 d-------- C:\WINDOWS\RegCure
2008-02-06 19:08:00 0 d-------- C:\Program Files\RegCure

-- Find3M Report ---------------------------------------------------------------

2008-02-23 16:05:50 0 d-------- C:\Program Files\McAfee
2008-02-22 10:34:04 0 d-------- C:\Program Files\Dl_cats
2008-02-21 18:52:09 0 d-------- C:\Program Files\OneStepSearch
2008-02-20 02:03:14 0 d-------- C:\Documents and Settings\Justin\Application Data\uTorrent
2008-02-14 14:02:45 0 d-------- C:\Program Files\Common Files\McAfee
2008-02-14 13:58:13 0 d-------- C:\Program Files\BOINC
2008-02-13 21:29:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 15:26:49 0 d-------- C:\Program Files\iTunes
2008-01-21 15:26:42 0 d-------- C:\Program Files\iPod
2008-01-21 15:25:32 0 d-------- C:\Program Files\QuickTime
2008-01-12 11:55:40 0 d-------- C:\Documents and Settings\Justin\Application Data\QQ Games Plugin
2008-01-12 11:55:27 0 d-------- C:\Program Files\AIM6
2008-01-12 11:55:10 0 d-------- C:\Program Files\Tencent
2007-12-16 01:57:29 5694393 --a------ C:\WINDOWS\SGC.SCR

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/16/2006 03:17 PM]
"nwiz"="nwiz.exe" [10/16/2006 03:17 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/16/2006 03:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [11/07/2006 03:41 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [06/07/2005 02:38 PM]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [07/22/2005 03:03 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [01/20/2007 01:09 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [07/28/2007 09:32 AM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [07/22/2007 08:29 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"SoundMan"="SOUNDMAN.EXE" [01/21/2005 05:04 AM C:\WINDOWS\SOUNDMAN.EXE]
"psyspy-2.1.4 Client Server"="C:\WINDOWS\system32\telecms.exe" []
"braviax"="braviax.exe" [02/23/2008 04:00 PM C:\WINDOWS\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [10/05/2004 11:52 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [08/18/2007 01:14 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [07/24/2007 01:12 AM]
"braviax"="C:\WINDOWS\system32\braviax.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"psyspy-2.1.4 Client Server"=C:\WINDOWS\system32\telecms.exe

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [8/31/2007 1:49:46 AM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 7:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [8/18/2007 1:14:03 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [8/18/2007 1:09:56 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 3:01:04 AM]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [8/9/2007 1:52:53 AM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 9:44:08 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [03/13/2006 12:11 PM 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 07/23/2006 01:49 AM 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd5a4fe-5795-11dc-a9be-000461a8ff63}]
AutoRun\command- I:\setup.exe

-- End of Deckard's System Scanner: finished at 2008-02-23 16:15:18 ------------

Than Here's extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 1023.47 MiB / 495.93 MiB
Pagefile Memory (total/avail): 2461.69 MiB / 1927.57 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.12 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 85.99 GiB free.
D: is CDROM (Unformatted)
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 111.79 GiB total, 51.71 GiB free.
H: is CDROM (No Media)
I: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD2500KS-00MJB0 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD12 00JB-00REA0 USB Device - 111.79 GiB - 1 partition
\PARTITION0 - Installable File System - 111.79 GiB - G:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\SD EnterNET\\NavyFIELD\\NavyFIELD.exe"="C:\\Program Files\\SD EnterNET\\NavyFIELD\\NavyFIELD.exe:*:Disabled:NavyFIELD"
"C:\\Program Files\\SD EnterNET\\NavyFIELD\\NavyFIELD Launcher.exe"="C:\\Program Files\\SD EnterNET\\NavyFIELD\\NavyFIELD Launcher.exe:*:Disabled:NavyFIELD Launcher"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Ground Control II\\gcii.exe"="C:\\Program Files\\Ground Control II\\gcii.exe:*:Enabled:Ground Control II"
"C:\\Program Files\\BOINC\\boincmgr.exe"="C:\\Program Files\\BOINC\\boincmgr.exe:*:Enabled:BOINC Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\Justin\\Local Settings\\Temp\\~os9.tmp\\ossproxy.exe"="C:\\Documents and Settings\\Justin\\Local Settings\\Temp\\~os9.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"="C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe:*:Enabled:McAfee Wireless Network Security"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\WINDOWS\\system32\\telecms.exe"="C:\\WINDOWS\\system32\\telecms.exe:*:Enabled:psyspy-2.1.4 Client Server"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Justin\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MULLY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Justin
LOGONSERVER=\\MULLY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Justin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Justin\LOCALS~1\Temp
USERDOMAIN=MULLY
USERNAME=Justin
USERPROFILE=C:\Documents and Settings\Justin
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

-- User Profiles ---------------------------------------------------------------

Justin (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AC-3 ACM Codec --> C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AC3ACM.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Aim Plugin for QQ Games --> C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares 1.9.6 --> "C:\Program Files\Ares\uninstall.exe"
Combined Community Codec Pack 2006-12-15 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\setup.exe" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Micro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D944236D-7992-41D6-8257-930B5832F1CC}\SETUP.EXE" -l0x9 /remove
Dell Photo AIO Printer 924 --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dlccUNST.EXE -NOLICENSE
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Ground Control II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21C41BAF-6F62-469D-A43B-DDF01628346E}\setup.exe" -l0x9
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\SETUP.EXE" -l0x9 UNINSTALL
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9
Magic ISO Maker v5.4 (build 0247) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
MagicDisc 2.5.77 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
MediaLife --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{362BFFCD-8274-11D8-97C8-000129760CBE}\setup.exe" -uninstall
Medieval II Total War --> C:\Program Files\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\Setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft MSDN 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft MSDN 2005 Express Edition - ENU\install.exe
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Project MUI (English) 2007 --> MsiExec.exe /X{90120000-00B4-0409-0000-0000000FF1CE}
Microsoft Office Project Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PRJPRO /dll OSETUP.DLL
Microsoft Office Project Professional 2007 --> MsiExec.exe /X{90120000-003B-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio MUI (English) 2007 --> MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL
Microsoft Office Visio Professional 2007 --> MsiExec.exe /X{90120000-0051-0000-0000-0000000FF1CE}
Microsoft Office Visual Web Developer 2007 --> MsiExec.exe /X{90120000-0021-0000-0000-0000000FF1CE}
Microsoft Office Visual Web Developer MUI (English) 2007 --> MsiExec.exe /X{90120000-0021-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Database Publishing Wizard 1.2 --> MsiExec.exe /X{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual Basic 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Basic 2005 Express Edition - ENU\setup.exe
Microsoft Visual Basic 2005 Express Edition - ENU --> MsiExec.exe /X{577AD794-8B34-40B4-9E7A-BE4CFFE396E6}
Microsoft Visual Studio Web Authoring Component --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISUALWEBDEVELOPER /dll OSETUP.DLL
Microsoft Visual Web Developer 2008 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual Web Developer 2008 Express Edition - ENU\setup.exe
Microsoft Visual Web Developer 2008 Express Edition - ENU --> MsiExec.exe /X{19700927-105D-3812-8548-53EDA3F5A22D}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Web --> MsiExec.exe /X{3C7EEEC3-464F-3FE9-8795-3CC8B4EAD82A}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDN Library for Microsoft Visual Studio 2008 Express Editions --> C:\Program Files\Microsoft Visual Studio 9.0\MSDN Library for Microsoft Visual Studio 2008 Express Editions\install.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
MySQL Connector/ODBC 3.51 --> MsiExec.exe /I{0CB3C535-1171-4A20-B549-E2CB5DEB9723}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OneStep Search 1.0 build 164 --> C:\Program Files\OneStepSearch\uninstall.exe
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
Peer Points Manager --> "C:\Program Files\Altnet\Download Manager\AltnetUninstall.exe" -m
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QQ Games --> C:\Program Files\Tencent\QQ Games\Uninstall.EXE
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Rainlendar2 (remove only) --> "C:\Program Files\Rainlendar2\uninst.exe"
Ralink Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe" -l0x9 -removeonly
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RegCure --> "C:\WINDOWS\RegCure\uninstall.exe" "/U:C:\Program Files\RegCure\Uninstall\uninstall.xml"
SolidWorks 2007 SP0 --> MsiExec.exe /I{95FCA50A-CF7D-457E-AF69-F058F8BC2844}
Themexp.org File --> C:\PROGRA~1\themexp\THEMEX~1.ORG\UNWISE.EXE C:\PROGRA~1\themexp\THEMEX~1.ORG\INSTALL.LOG
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Desktop Search --> "C:\WINDOWS\$NtUninstallKB911993-V2$\spuninst\spuninst.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->

-- Application Event Log -------------------------------------------------------

Event Record #/Type238 / Warning
Event Submitted/Written: 02/20/2008 04:06:36 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type13912 / Warning
Event Submitted/Written: 02/23/2008 04:00:20 PM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10004.

Event Record #/Type13911 / Error
Event Submitted/Written: 02/23/2008 04:00:20 PM
Event ID/Source: 1001 / Dhcp
Event Description:
Your computer was not assigned an address from the network (by the DHCP
Server) for the Network Card with network address 000E2ED803F1. The following error
occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type13907 / Error
Event Submitted/Written: 02/22/2008 07:53:53 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer SARAHANN-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D0C1B0D8-BA44-4E.
The master browser is stopping or an election is being forced.

Event Record #/Type13906 / Error
Event Submitted/Written: 02/22/2008 06:52:28 PM
Event ID/Source: 8003 / MRxSmb
Event Description:
The master browser has received a server announcement from the computer JODIE-LYNN
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D0C1B0D8-BA44-4E5.
The master browser is stopping or an election is being forced.

Event Record #/Type13905 / Error
Event Submitted/Written: 02/22/2008 06:50:23 PM
Event ID/Source: 32003 / ipnathlp
Event Description:
The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

-- End of Deckard's System Scanner: finished at 2008-02-23 16:15:18 ------------

THANKS AGAIN FOR ALL YOUR HELP!!!

#6
kahdah

Posted 23 February 2008 - 06:53 PM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome

==============
It is important that you paste the filepaths below under the Yellow bar or it will not work correctly

Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winistr.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\cru629.dat
C:\mpibdmy.exe
C:\iggc.exe
C:\hoxpa.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\psyspy-2.1.4 Client Server
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax
HKLM\software\microsoft\windows\currentversion\runservices\\psyspy-2.1.4 Client Server
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\\WINDOWS\\system32\\telecms.exe

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a dss log or aka (Kahdah.exe log) log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#7
mully215

Posted 23 February 2008 - 08:46 PM

Member

Topic Starter
Member
18 posts

Alright, this is the new OTMoveIt2 log

[Custom Input]
< C:\WINDOWS\system32\users32.dat >
C:\WINDOWS\system32\users32.dat moved successfully.
< C:\WINDOWS\system32\winistr.exe >
C:\WINDOWS\system32\winistr.exe moved successfully.
< C:\WINDOWS\braviax.exe >
C:\WINDOWS\braviax.exe moved successfully.
< C:\WINDOWS\system32\braviax.exe >
C:\WINDOWS\system32\braviax.exe moved successfully.
< C:\WINDOWS\cru629.dat >
C:\WINDOWS\cru629.dat moved successfully.
< C:\WINDOWS\system32\cru629.dat >
C:\WINDOWS\system32\cru629.dat moved successfully.
< C:\mpibdmy.exe >
C:\mpibdmy.exe moved successfully.
< C:\iggc.exe >
C:\iggc.exe moved successfully.
< C:\hoxpa.exe >
C:\hoxpa.exe moved successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\psyspy-2.1.4 Client Server >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\psyspy-2.1.4 Client Server deleted successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\braviax deleted successfully.
< HKLM\software\microsoft\windows\currentversion\runservices\\psyspy-2.1.4 Client Server >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\\psyspy-2.1.4 Client Server deleted successfully.
< HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\\WINDOWS\\system32\\telecms.exe >
Registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\\WINDOWS\\system32\\telecms.exe not found.

OTMoveIt2 v1.0.20 log created on 02232008_202725

Than when I downloaded combofix.exe the computer wouldnt let me run the program, I am guessing I would need to rename it but I will wait for the ok from you.

But this is what i got from dss.exe aka kahdah.exe.......I had also only gotten a main.txt.

Deckard's System Scanner v20071014.68
Run by Justin on 2008-02-23 20:36:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-23 20:37:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MWL\MwlGui.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\McAfee\MWL\MwlSvc.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Justin\Desktop\OTMoveIt2.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Justin\Desktop\Kahdah.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O4 - Global Startup: SRVSPOOL.exe
O4 - Global Startup: Windows Desktop Search.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O23 - Service: McAfee Application Installer Cleanup (0070921203804351) (0070921203804351mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007092~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\McAfee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10959 bytes

-- Files created between 2008-01-23 and 2008-02-23 -----------------------------

2008-02-23 20:32:12 3503 --a------ C:\Start_.cmd
2008-02-23 20:32:11 0 d-------- C:\327882R2FWJFW
2008-02-23 17:30:28 0 d-------- C:\Program Files\SpywareBlaster
2008-02-20 03:37:22 0 d-------- C:\HJT
2008-02-20 03:04:17 0 d-------- C:\Program Files\Trend Micro
2008-02-20 02:20:02 0 d-------- C:\Program Files\Enigma Software Group
2008-02-13 21:29:55 0 d-------- C:\Program Files\Realtek Sound Manager
2008-02-13 21:29:54 0 d-------- C:\Program Files\AvRack
2008-02-13 21:29:49 40960 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-02-13 21:29:41 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-02-13 21:29:41 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-02-12 15:08:47 277616 --a------ C:\WINDOWS\system32\mcgdmgr.dll <Not Verified; McAfee, Inc; McAfee Security Download Control>
2008-02-12 14:50:35 0 d-------- C:\Program Files\SiteAdvisor
2008-02-12 14:50:35 0 d-------- C:\Documents and Settings\Justin\Application Data\SiteAdvisor
2008-02-12 14:50:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-12 14:48:52 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-02-12 14:47:43 0 d-------- C:\Program Files\McAfee.com
2008-02-06 19:08:00 0 d-------- C:\WINDOWS\RegCure
2008-02-06 19:08:00 0 d-------- C:\Program Files\RegCure

-- Find3M Report ---------------------------------------------------------------

2008-02-23 20:17:16 0 d-------- C:\Documents and Settings\Justin\Application Data\uTorrent
2008-02-23 16:40:12 0 d-------- C:\Program Files\Microsoft Silverlight
2008-02-23 16:05:50 0 d-------- C:\Program Files\McAfee
2008-02-22 10:34:04 0 d-------- C:\Program Files\Dl_cats
2008-02-21 18:52:09 0 d-------- C:\Program Files\OneStepSearch
2008-02-14 14:02:45 0 d-------- C:\Program Files\Common Files\McAfee
2008-02-14 13:58:13 0 d-------- C:\Program Files\BOINC
2008-02-13 21:29:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 15:26:49 0 d-------- C:\Program Files\iTunes
2008-01-21 15:26:42 0 d-------- C:\Program Files\iPod
2008-01-21 15:25:32 0 d-------- C:\Program Files\QuickTime
2008-01-12 11:55:40 0 d-------- C:\Documents and Settings\Justin\Application Data\QQ Games Plugin
2008-01-12 11:55:27 0 d-------- C:\Program Files\AIM6
2008-01-12 11:55:10 0 d-------- C:\Program Files\Tencent
2007-12-16 01:57:29 5694393 --a------ C:\WINDOWS\SGC.SCR

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/16/2006 03:17 PM]
"nwiz"="nwiz.exe" [10/16/2006 03:17 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/16/2006 03:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [11/07/2006 03:41 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [06/07/2005 02:38 PM]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [07/22/2005 03:03 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [01/20/2007 01:09 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [07/28/2007 09:32 AM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [07/22/2007 08:29 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"SoundMan"="SOUNDMAN.EXE" [01/21/2005 05:04 AM C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [10/05/2004 11:52 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [08/18/2007 01:14 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [07/24/2007 01:12 AM]
"RegistryCleanFixMFC"="C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe" []

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [8/31/2007 1:49:46 AM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 7:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [8/18/2007 1:14:03 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [8/18/2007 1:09:56 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 3:01:04 AM]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [8/9/2007 1:52:53 AM]
SRVSPOOL.exe [2/23/2008 1:44:28 AM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 9:44:08 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [03/13/2006 12:11 PM 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 07/23/2006 01:49 AM 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bd5a4fe-5795-11dc-a9be-000461a8ff63}]
AutoRun\command- I:\setup.exe

*Newly Created Service* - 0070921203804351MCINSTCLEANUP

-- End of Deckard's System Scanner: finished at 2008-02-23 20:37:38 ------------

#8
kahdah

Posted 23 February 2008 - 08:53 PM

GeekU Teacher

Retired Staff
15,822 posts

For now do the following.

After this scanner completes try to run Combofix again.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

#9
mully215

Posted 23 February 2008 - 11:03 PM

Member

Topic Starter
Member
18 posts

Alright, everything has worked so far to the letter.

mbam seemed to take away the red circle with white x and here is the report.

Malwarebytes' Anti-Malware 1.05
Database version: 400

Scan type: Full Scan (A:\|C:\|G:\|)
Objects scanned: 144645
Time elapsed: 1 hour(s), 11 minute(s), 22 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 60

Memory Processes Infected:
C:\Program Files\OneStepSearch\onestep.exe (Adware.OneStepSearch) -> Unloaded process successfully.
C:\Program Files\OneStepSearch\onestep.exe (Adware.OneStepSearch) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\OneStepSearch\onestep.dll (Adware.OneStepSearch) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a879ba0e-6caa-f5e9-1361-c5211361c521} (Worm.IRCBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\onestepsearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneStep Search Service (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\OneStepSearch (Adware.OneStepSearch) -> Delete on reboot.

Files Infected:
C:\Deckard\System Scanner\20080223203646\backup\DOCUME~1\Justin\LOCALS~1\Temp\GLK93.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONEB7.tmp\upgrade.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\PT0I3VTD\vsskkopgtx[1].htm (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\ZUFHPXRV\vsskkopgtx[1].htm (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Ares\tcpip_patcher.sys (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057531.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057547.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057548.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057549.dll (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057550.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057565.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057592.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058666.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058667.exe (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0063374.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0063375.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064374.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064375.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064387.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064388.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064389.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064392.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064393.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064394.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064413.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0064414.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065413.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065414.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065460.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065461.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065476.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065477.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065481.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065482.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065528.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065529.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065547.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065548.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP401\A0065589.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP401\A0065590.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP402\A0065623.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_160447\WINDOWS\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_160447\WINDOWS\system32\braviax.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_160447\WINDOWS\system32\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_202725\iggc.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_202725\WINDOWS\braviax.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_202725\WINDOWS\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_202725\WINDOWS\system32\braviax.exe (Rogue.Installer) -> Delete on reboot.
C:\_OTMoveIt\MovedFiles\02232008_202725\WINDOWS\system32\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\02232008_202725\WINDOWS\system32\users32.dat (Adware.Agent) -> Delete on reboot.
C:\Program Files\OneStepSearch\home.js (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\onestep.dll (Adware.OneStepSearch) -> Delete on reboot.
C:\Program Files\OneStepSearch\onestep.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\osopt.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\readme.html (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\Program Files\OneStepSearch\uninstall.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

The only problem i had after this was that it said that it had deleted some things crucial to xp and that i would need to insert the cd to repair those lose ends im guessing but i dont have the cd I just have the cd key so i opted to restart and i hoping that doesnt come back and bite me.

I was also able to run combofix and here is the log on that.

ComboFix 08-02-24.2 - Justin 2008-02-23 22:42:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.493 [GMT -6:00]
Running from: C:\Documents and Settings\Justin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 21:17 . 2008-02-23 21:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-23 21:17 . 2008-02-23 21:17 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-02-23 21:17 . 2008-02-23 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-23 17:30 . 2008-02-23 17:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-23 16:10 . 2008-02-23 16:10 <DIR> d-------- C:\Deckard
2008-02-23 16:04 . 2008-02-23 16:04 <DIR> d-------- C:\_OTMoveIt
2008-02-20 03:37 . 2008-02-20 03:37 <DIR> d-------- C:\HJT
2008-02-20 03:04 . 2008-02-20 03:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 02:20 . 2008-02-20 03:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-13 21:29 . 2008-02-13 21:29 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-02-13 21:29 . 2008-02-13 21:29 <DIR> d-------- C:\Program Files\AvRack
2008-02-13 21:29 . 2005-01-25 05:32 17,592,320 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
2008-02-13 21:29 . 2005-01-25 05:22 9,294,336 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2008-02-13 21:29 . 2005-01-29 02:48 2,310,272 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-02-13 21:29 . 2004-11-06 01:29 208,896 --------- C:\WINDOWS\alcupd.exe
2008-02-13 21:29 . 2004-09-07 23:23 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2008-02-13 21:29 . 2002-02-05 22:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
2008-02-13 21:29 . 2004-09-02 05:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-02-13 21:29 . 2005-01-21 05:04 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
2008-02-13 21:29 . 2004-10-28 00:47 40,960 --------- C:\WINDOWS\system32\ChCfg.exe
2008-02-13 21:29 . 2001-07-06 09:19 164 --------- C:\WINDOWS\avrack.ini
2008-02-12 15:08 . 2005-03-07 16:05 341,568 --a------ C:\WINDOWS\system32\mcinsctl.dll
2008-02-12 15:08 . 2005-02-15 12:34 277,616 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2008-02-12 14:56 . 2008-02-23 22:49 8,316 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-12 14:50 . 2008-02-12 14:50 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-12 14:50 . 2008-02-12 14:50 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\SiteAdvisor
2008-02-12 14:50 . 2008-02-12 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-12 14:49 . 2005-04-20 19:22 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-02-12 14:49 . 2006-05-15 16:24 86,880 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2008-02-12 14:48 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-02-12 14:48 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-12 14:47 . 2008-02-12 14:47 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-06 22:09 . 2008-02-06 22:09 <DIR> d-------- C:\Temp\EN Win_XP_Pro_w_SP2
2008-02-06 19:08 . 2008-02-06 19:08 <DIR> d-------- C:\WINDOWS\RegCure
2008-02-06 19:08 . 2008-02-06 19:15 <DIR> d-------- C:\Program Files\RegCure
2008-01-30 07:07 . 2008-01-30 07:07 <DIR> d-------- C:\Temp\(English) Windows Vista (x86) - DVD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 04:32 --------- d-----w C:\Documents and Settings\Justin\Application Data\uTorrent
2008-02-23 22:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 22:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-23 22:05 --------- d-----w C:\Program Files\McAfee
2008-02-22 16:34 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 20:02 --------- d-----w C:\Program Files\Common Files\McAfee
2008-02-14 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 19:58 --------- d-----w C:\Program Files\BOINC
2008-02-14 03:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 21:26 --------- d-----w C:\Program Files\iTunes
2008-01-21 21:26 --------- d-----w C:\Program Files\iPod
2008-01-21 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-21 21:25 --------- d-----w C:\Program Files\QuickTime
2008-01-12 17:55 --------- d-----w C:\Program Files\Tencent
2008-01-12 17:55 --------- d-----w C:\Program Files\AIM6
2008-01-12 17:55 --------- d-----w C:\Documents and Settings\Justin\Application Data\QQ Games Plugin
2008-01-12 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-12 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-16 07:57 5,694,393 ----a-w C:\WINDOWS\SGC.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 11:52 98304]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-08-18 13:14 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 01:12 1298432]
"RegistryCleanFixMFC"="C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe" [ ]
"Windows"="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe" [2008-02-23 01:44 2166784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-16 15:17 7770112]
"nwiz"="nwiz.exe" [2006-10-16 15:17 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-16 15:17 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 15:41 8192]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 14:38 69632]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 15:03 425984]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 01:09 200704]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [2007-07-28 09:32 1279336]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SoundMan"="SOUNDMAN.EXE" [2005-01-21 05:04 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-08-31 01:49:46 557568]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 19:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-18 13:14:03 450560]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-08-18 13:09:56 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2007-08-09 01:52:53 614400]
SRVSPOOL.exe [2008-02-23 01:44:28 2166784]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 21:44:08 257752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2006-07-23 01:49 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Ground Control II\\gcii.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S2 0070921203804351mcinstcleanup;McAfee Application Installer Cleanup (0070921203804351);C:\WINDOWS\TEMP\007092~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 14:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-15 10:22:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-12 20:56:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-24 04:48:04 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-14 09:11:09 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 22:49:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-23 22:56:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-24 04:56:10
.
2008-02-14 09:05:58 --- E O F ---

#10
kahdah

Posted 23 February 2008 - 11:28 PM

GeekU Teacher

Retired Staff
15,822 posts

The files that were removed were these two:
C:\WINDOWS\system32\dllcache\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (BackDoor.Ntrootkit) -> Quarantined and deleted successfully.
(Beep.sys is used only to make simple "beep" sounds even if no sound card is installed.
Windows works absolutely correct without beep.sys driver.)
Nothing to worry about.
=======================================
1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
Folder::
C:\Program Files\Viewpoint
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
Driver::
Viewpoint Manager Service

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new dss log.

#11
mully215

Posted 24 February 2008 - 12:25 AM

Member

Topic Starter
Member
18 posts

Alright here is the combofix log.

ComboFix 08-02-24.2 - Justin 2008-02-24 0:09:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.355 [GMT -6:00]
Running from: C:\Documents and Settings\Justin\Desktop\Mal-Ware\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Manager\CPtask.xml
C:\Program Files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VIEWPOINT_MANAGER_SERVICE
-------\Viewpoint Manager Service

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 21:17 . 2008-02-23 21:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-23 21:17 . 2008-02-23 21:17 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-02-23 21:17 . 2008-02-23 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-23 17:30 . 2008-02-23 17:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-23 16:10 . 2008-02-23 16:10 <DIR> d-------- C:\Deckard
2008-02-23 16:04 . 2008-02-23 16:04 <DIR> d-------- C:\_OTMoveIt
2008-02-20 03:37 . 2008-02-20 03:37 <DIR> d-------- C:\HJT
2008-02-20 03:04 . 2008-02-20 03:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-20 02:20 . 2008-02-20 03:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-13 21:29 . 2008-02-13 21:29 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-02-13 21:29 . 2008-02-13 21:29 <DIR> d-------- C:\Program Files\AvRack
2008-02-13 21:29 . 2005-01-25 05:32 17,592,320 --a------ C:\WINDOWS\system32\ALSNDMGR.CPL
2008-02-13 21:29 . 2005-01-25 05:22 9,294,336 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2008-02-13 21:29 . 2005-01-29 02:48 2,310,272 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-02-13 21:29 . 2004-11-06 01:29 208,896 --------- C:\WINDOWS\alcupd.exe
2008-02-13 21:29 . 2004-09-07 23:23 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2008-02-13 21:29 . 2002-02-05 22:54 141,016 --a------ C:\WINDOWS\system32\ALSNDMGR.WAV
2008-02-13 21:29 . 2004-09-02 05:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-02-13 21:29 . 2005-01-21 05:04 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
2008-02-13 21:29 . 2004-10-28 00:47 40,960 --------- C:\WINDOWS\system32\ChCfg.exe
2008-02-13 21:29 . 2001-07-06 09:19 164 --------- C:\WINDOWS\avrack.ini
2008-02-12 15:08 . 2005-03-07 16:05 341,568 --a------ C:\WINDOWS\system32\mcinsctl.dll
2008-02-12 15:08 . 2005-02-15 12:34 277,616 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2008-02-12 14:56 . 2008-02-24 00:14 8,316 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-12 14:50 . 2008-02-12 14:50 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-02-12 14:50 . 2008-02-12 14:50 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\SiteAdvisor
2008-02-12 14:50 . 2008-02-12 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-12 14:49 . 2005-04-20 19:22 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-02-12 14:49 . 2006-05-15 16:24 86,880 --a------ C:\WINDOWS\system32\drivers\WscNetDr.sys
2008-02-12 14:48 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-02-12 14:48 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-12 14:47 . 2008-02-12 14:47 <DIR> d-------- C:\Program Files\McAfee.com
2008-02-06 22:09 . 2008-02-06 22:09 <DIR> d-------- C:\Temp\EN Win_XP_Pro_w_SP2
2008-02-06 19:08 . 2008-02-06 19:08 <DIR> d-------- C:\WINDOWS\RegCure
2008-02-06 19:08 . 2008-02-06 19:15 <DIR> d-------- C:\Program Files\RegCure
2008-01-30 07:07 . 2008-01-30 07:07 <DIR> d-------- C:\Temp\(English) Windows Vista (x86) - DVD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 06:11 --------- d-----w C:\Documents and Settings\Justin\Application Data\uTorrent
2008-02-23 22:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 22:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-02-23 22:05 --------- d-----w C:\Program Files\McAfee
2008-02-22 16:34 --------- d-----w C:\Program Files\Dl_cats
2008-02-14 20:02 --------- d-----w C:\Program Files\Common Files\McAfee
2008-02-14 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-14 19:58 --------- d-----w C:\Program Files\BOINC
2008-02-14 03:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-21 21:26 --------- d-----w C:\Program Files\iTunes
2008-01-21 21:26 --------- d-----w C:\Program Files\iPod
2008-01-21 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-21 21:25 --------- d-----w C:\Program Files\QuickTime
2008-01-12 17:55 --------- d-----w C:\Program Files\Tencent
2008-01-12 17:55 --------- d-----w C:\Program Files\AIM6
2008-01-12 17:55 --------- d-----w C:\Documents and Settings\Justin\Application Data\QQ Games Plugin
2008-01-12 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-12 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-16 07:57 5,694,393 ----a-w C:\WINDOWS\SGC.SCR
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 11:52 98304]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2007-08-18 13:14 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 01:12 1298432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-16 15:17 7770112]
"nwiz"="nwiz.exe" [2006-10-16 15:17 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-16 15:17 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 15:41 8192]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 14:38 69632]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 15:03 425984]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-01-20 01:09 200704]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [2007-07-28 09:32 1279336]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-07-22 20:29 1160480]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SoundMan"="SOUNDMAN.EXE" [2005-01-21 05:04 77824 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-08-31 01:49:46 557568]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 19:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-18 13:14:03 450560]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2007-08-18 13:09:56 581632]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2007-08-09 01:52:53 614400]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 21:44:08 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 2006-07-23 01:49 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Ground Control II\\gcii.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\McAfee\\MWL\\MwlSvc.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
S2 0070921203804351mcinstcleanup;McAfee Application Installer Cleanup (0070921203804351);C:\WINDOWS\TEMP\007092~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 14:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-15 10:22:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-12 20:56:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-24 06:13:00 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-02-14 09:11:09 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 00:13:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
.
**************************************************************************
.
Completion time: 2008-02-24 0:19:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-24 06:19:23
ComboFix2.txt 2008-02-24 04:56:14
.
2008-02-14 09:05:58 --- E O F ---

Than heres the dss log

Deckard's System Scanner v20071014.68
Run by Justin on 2008-02-24 00:21:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-24 00:21:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MWL\MwlGui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\McAfee\MWL\MwlSvc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Justin\Desktop\Mal-Ware\Kahdah.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O4 - Global Startup: Windows Desktop Search.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\system32\antiwpa.dll
O23 - Service: McAfee Application Installer Cleanup (0070921203804351) (0070921203804351mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007092~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\McAfee\MWL\MwlSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 9911 bytes

-- Files created between 2008-01-24 and 2008-02-24 -----------------------------

2008-02-23 22:42:05 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-23 22:42:05 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-23 22:42:05 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-23 22:42:05 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-23 21:17:47 0 d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-02-23 21:17:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-23 21:17:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-23 17:30:28 0 d-------- C:\Program Files\SpywareBlaster
2008-02-20 03:37:22 0 d-------- C:\HJT
2008-02-20 03:04:17 0 d-------- C:\Program Files\Trend Micro
2008-02-20 02:20:02 0 d-------- C:\Program Files\Enigma Software Group
2008-02-13 21:29:55 0 d-------- C:\Program Files\Realtek Sound Manager
2008-02-13 21:29:54 0 d-------- C:\Program Files\AvRack
2008-02-13 21:29:49 40960 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-02-13 21:29:41 208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2008-02-13 21:29:41 139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2008-02-12 15:08:47 277616 --a------ C:\WINDOWS\system32\mcgdmgr.dll <Not Verified; McAfee, Inc; McAfee Security Download Control>
2008-02-12 14:50:35 0 d-------- C:\Program Files\SiteAdvisor
2008-02-12 14:50:35 0 d-------- C:\Documents and Settings\Justin\Application Data\SiteAdvisor
2008-02-12 14:50:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-12 14:48:52 143360 --a------ C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-02-12 14:47:43 0 d-------- C:\Program Files\McAfee.com
2008-02-06 19:08:00 0 d-------- C:\WINDOWS\RegCure
2008-02-06 19:08:00 0 d-------- C:\Program Files\RegCure

-- Find3M Report ---------------------------------------------------------------

2008-02-24 00:11:32 0 d-------- C:\Documents and Settings\Justin\Application Data\uTorrent
2008-02-23 22:31:26 0 d-------- C:\Program Files\Common Files
2008-02-23 16:40:12 0 d-------- C:\Program Files\Microsoft Silverlight
2008-02-23 16:05:50 0 d-------- C:\Program Files\McAfee
2008-02-22 10:34:04 0 d-------- C:\Program Files\Dl_cats
2008-02-14 14:02:45 0 d-------- C:\Program Files\Common Files\McAfee
2008-02-14 13:58:13 0 d-------- C:\Program Files\BOINC
2008-02-13 21:29:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-21 15:26:49 0 d-------- C:\Program Files\iTunes
2008-01-21 15:26:42 0 d-------- C:\Program Files\iPod
2008-01-21 15:25:32 0 d-------- C:\Program Files\QuickTime
2008-01-12 11:55:40 0 d-------- C:\Documents and Settings\Justin\Application Data\QQ Games Plugin
2008-01-12 11:55:27 0 d-------- C:\Program Files\AIM6
2008-01-12 11:55:10 0 d-------- C:\Program Files\Tencent
2007-12-16 01:57:29 5694393 --a------ C:\WINDOWS\SGC.SCR

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/16/2006 03:17 PM]
"nwiz"="nwiz.exe" [10/16/2006 03:17 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/16/2006 03:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [11/07/2006 03:41 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [06/07/2005 02:38 PM]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [07/22/2005 03:03 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [01/20/2007 01:09 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/26/2006 11:47 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [07/28/2007 09:32 AM]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [07/22/2007 08:29 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"SoundMan"="SOUNDMAN.EXE" [01/21/2005 05:04 AM C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [10/05/2004 11:52 AM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [08/18/2007 01:14 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [07/24/2007 01:12 AM]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [8/31/2007 1:49:46 AM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 7:24:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [8/18/2007 1:14:03 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [8/18/2007 1:09:56 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 3:01:04 AM]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [8/9/2007 1:52:53 AM]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 9:44:08 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [03/13/2006 12:11 PM 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 07/23/2006 01:49 AM 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

-- End of Deckard's System Scanner: finished at 2008-02-24 00:22:02 ------------

#12
kahdah

Posted 24 February 2008 - 08:58 AM

GeekU Teacher

Retired Staff
15,822 posts

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#13
mully215

Posted 24 February 2008 - 04:23 PM

Member

Topic Starter
Member
18 posts

Total number of scanned objects 106581
Number of viruses found 18
Number of infected objects 66
Number of suspicious objects 0
Duration of the scan process 02:36:14

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\20080223203646\backup\DOCUME~1\Justin\LOCALS~1\Temp\asmfiles.cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Deckard\System Scanner\20080223203646\backup\DOCUME~1\Justin\LOCALS~1\Temp\asmfiles.cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Deckard\System Scanner\20080223203646\backup\DOCUME~1\Justin\LOCALS~1\Temp\asmfiles.cab CAB: infected - 2 skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE169.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE169.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE169.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE169.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE169.tmp\upgrade.exe NSIS: infected - 4 skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE1A.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE1A.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE1A.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE1A.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE1A.tmp\upgrade.exe NSIS: infected - 4 skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE25.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE25.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE25.tmp\upgrade.exe NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE3E.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.f skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE3E.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE3E.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE3E.tmp\upgrade.exe NSIS: infected - 3 skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE8.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE8.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE8.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080223203646\backup\WINDOWS\temp\ONE8.tmp\upgrade.exe NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_MULLY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_MULLY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{B970E396-863C-4A1E-8661-AF3047F608FC}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\Justin-PrestoGui_2008-02-24.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\SYSTEM-apconfig_2008-02-24.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\SYSTEM-netlib_2008-02-24.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MWL\SYSTEM-PrestoSvc_2008-02-24.log Object is locked skipped
C:\Documents and Settings\Justin\.rainlendar2\rainlendar2.log Object is locked skipped
C:\Documents and Settings\Justin\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Justin\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Justin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mully215\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Temp\JET4200.tmp Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Temp\NAILogs\UpdaterUI_MULLY.log Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Temp\~ROMFN_00000D70 Object is locked skipped
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Justin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_538.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-02-24.00-13-03.log Object is locked skipped
C:\Program Files\Altnet\Download Manager\adm25.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\adm4.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\adm4005.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\admdloader.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\Program Files\Altnet\Download Manager\admfdi.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\Program Files\Altnet\Download Manager\admprog.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\Program Files\Altnet\Download Manager\altnetuninstall.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\Program Files\Altnet\Download Manager\asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Program Files\Altnet\Download Manager\asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Program Files\INSTAFINK\instafink.dll Infected: not-a-virus:AdWare.Win32.404Search.l skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\L0000004.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Justin\Data\storydb.idx Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_67.trc Object is locked skipped
C:\Program Files\themexp\oswdvaz118.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Program Files\themexp\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\QooBox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057538.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057538.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057538.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057538.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0057538.exe WiseSFXDropper: infected - 3 skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058734.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058734.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058734.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058734.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058734.exe WiseSFXDropper: infected - 3 skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058741.dll Infected: not-a-virus:AdWare.Win32.RK.r skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP375\A0058742.exe Infected: not-a-virus:AdWare.Win32.RK.q skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP376\A0058879.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP376\A0058897.dll Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP376\A0058898.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP388\A0061038.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP388\A0061051.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP388\A0061064.dll Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP388\A0061065.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP390\A0061409.dll Infected: not-a-virus:AdWare.Win32.OneStep.f skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP390\A0061410.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0063392.exe Infected: Backdoor.Win32.SdBot.cxd skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0063393.exe Infected: Backdoor.Win32.SdBot.cxa skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065538.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065549.dll Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP399\A0065550.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP403\A0065728.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP404\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BEEFA699-F1C9-4EDF-9F51-59F8958956F5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_727PcTAjmoYvcl3 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_h3JepkO6EC8Xbo7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_uSNUB3CfPIlRTHz Object is locked skipped
C:\WINDOWS\Temp\sqlite_EO1EINwtUC3msqn Object is locked skipped
C:\WINDOWS\Temp\sqlite_U2PjS8UGt1UuJl5 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\02232008_160447\WINDOWS\system32\telecms.exe Infected: Backdoor.Win32.SdBot.cxd skipped
C:\_OTMoveIt\MovedFiles\02232008_202725\mpibdmy.exe Infected: Trojan-Downloader.Win32.Tiny.ads skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{F52A93F6-5748-46F7-B4AB-6ED9F74C72BD}\RP404\change.log Object is locked skipped
Scan process completed.

#14
kahdah

Posted 24 February 2008 - 05:50 PM

GeekU Teacher

Retired Staff
15,822 posts

Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\Program Files\Altnet
C:\Program Files\INSTAFINK
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================
AFter that post a new Hijackthis log and the otmoveit2 log and let me know if everything is running?

#15
mully215

Posted 24 February 2008 - 06:29 PM

Member

Topic Starter
Member
18 posts

Ok here is the Move it file

C:\Program Files\Altnet\My Altnet Shares moved successfully.
C:\Program Files\Altnet\Download Manager moved successfully.
C:\Program Files\Altnet\DBBackup moved successfully.
C:\Program Files\Altnet moved successfully.
C:\Program Files\INSTAFINK moved successfully.

OTMoveIt2 v1.0.20 log created on 02242008_182621