Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Vundo problem - Help needed please! [RESOLVED]

Started by battison10 , Mar 22 2008 05:18 AM

  • This topic is locked This topic is locked

#1
battison10
Posted 22 March 2008 - 05:18 AM

battison10

    Member

  • Member
  • PipPip
  • 81 posts
Here goes:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/22/2008 at 10:59 AM

Application Version : 4.0.1154

Core Rules Database Version : 3422
Trace Rules Database Version: 1414

Scan type : Complete Scan
Total Scan Time : 00:34:54

Memory items scanned : 688
Memory threats detected : 1
Registry items scanned : 7772
Registry threats detected : 6
File items scanned : 29350
File threats detected : 1

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\SSQNK.DLL
C:\WINDOWS\SYSTEM32\SSQNK.DLL
HKLM\Software\Classes\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}\InprocServer32
HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E9383002-FC55-4330-B9C9-67E03BC5C840}
HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
Please note that when windows starts it comes up with an error loading the ssqnk.dll file


Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:28, on 22/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqnk.dll,#1
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Append to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com...geUploader4.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://sandwell.ectr...activex/AMC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\system32\drivers\pclepci.sys
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 14798 bytes


Have tried using the vundofix problem but it does not find anything!!

Have also tried using virtumundobegone and still nothing.

Thanks in advance.
  • 0

Advertisements

#2
andrewuk
Posted 26 March 2008 - 09:03 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi battison10

welcome to geekstogo :)

sorry to keep you waiting. lets do a deeper scan of your machine for me to analyse.

(if your problem has already been resolved, could you just let me know so that i can move onto other logs to help others, thanks)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

you may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk
  • 0

#3
battison10
Posted 27 March 2008 - 12:46 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
Ran the scan but only one notepad file open (main) so her are the results:

Deckard's System Scanner v20071014.68
Run by Scott on 2008-03-27 06:42:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Scott.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:42:32, on 27/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\Explorer.exe
C:\Users\Scott\Documents\Downloads\Programs\dss.exe
C:\Windows\system32\DllHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Scott.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqnk.dll,#1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Append to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\system32\drivers\pclepci.sys
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 14510 bytes

-- Files created between 2008-02-27 and 2008-03-27 -----------------------------

2008-03-24 10:59:20 0 d-------- C:\Users\All Users\Google Updater
2008-03-23 22:28:29 0 d-------- C:\Program Files\iPod
2008-03-23 22:28:11 0 d-------- C:\Program Files\iTunes
2008-03-23 22:14:12 0 d-------- C:\Program Files\QuickTime
2008-03-23 22:14:10 0 d-------- C:\Users\All Users\Apple Computer
2008-03-23 22:13:37 0 d-------- C:\Program Files\Apple Software Update
2008-03-23 22:08:46 0 d-------- C:\Program Files\Common Files\Apple
2008-03-23 22:08:45 0 d-------- C:\Users\All Users\Apple
2008-03-22 19:45:08 0 d-------- C:\Users\Scott\{6a9bee41-a652-41da-8090-b8c18593a4be}
2008-03-22 11:49:17 4440 --a------ C:\Windows\system32\tmp.reg
2008-03-21 09:41:58 0 d-------- C:\VundoFix Backups
2008-03-20 22:46:49 37376 --a------ C:\Windows\system32\cbxxxxw.dll
2008-03-20 22:45:20 0 d-------- C:\Program Files\Common Files\GeoVid
2008-03-20 22:45:19 60416 --a------ C:\Windows\system32\dsetup.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
2008-03-20 19:59:07 1732 --a------ C:\Windows\system32\drivers\nvphy.bin
2008-03-18 17:54:29 0 d-------- C:\Program Files\Poker Superstars II
2008-03-18 17:46:05 0 d-------- C:\Program Files\ReflexiveArcade
2008-03-18 07:10:36 0 d-------- C:\Program Files\DAP Premium
2008-03-16 09:43:23 0 d-------- C:\Windows\system32\directx
2008-03-09 10:07:09 0 d-------- C:\divx
2008-03-09 09:26:32 0 d-------- C:\Program Files\Xilisoft
2008-03-08 15:51:42 0 d-------- C:\Program Files\Internet Download Manager
2008-03-07 19:39:18 0 d-------- C:\Program Files\Xara
2008-03-07 19:39:18 0 d-------- C:\Program Files\Common Files\Xara
2008-03-07 18:41:42 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-06 19:36:27 0 d-------- C:\Windows\Noslip
2008-03-06 19:36:17 306688 --a------ C:\Windows\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-03-06 19:01:34 0 d-------- C:\Program Files\Magic Swf2Gif
2008-03-06 07:04:26 65602 --a------ C:\Windows\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-03-06 07:04:25 626688 --a------ C:\Windows\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-03-05 18:15:40 0 d-------- C:\Users\All Users\IM
2008-03-05 18:15:38 0 d-------- C:\Users\All Users\IncrediMail
2008-03-05 06:54:33 0 d-------- C:\Program Files\ESI
2008-03-04 18:04:56 2314332 --a------ C:\Windows\system32\LIBMMD.DLL <Not Verified; Intel Corporation; Intel® C Compiler, Intel® C++ Compiler, Intel® Fortran Compiler>
2008-03-03 19:21:36 0 d-------- C:\Program Files\DJ Music Mixer
2008-03-03 19:11:42 0 d-------- C:\Users\All Users\Nokia
2008-03-03 19:08:00 0 d-------- C:\Users\All Users\Installations
2008-03-03 18:49:02 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 18:48:09 0 d-------- C:\Users\All Users\WLInstaller


-- Find3M Report ---------------------------------------------------------------

2008-03-27 06:33:21 0 d-------- C:\Users\Scott\AppData\Roaming\DMCache
2008-03-24 11:01:57 0 d-------- C:\Users\Scott\AppData\Roaming\uTorrent
2008-03-24 10:59:30 0 d-------- C:\Program Files\SpywareGuard
2008-03-24 10:59:19 0 d-------- C:\Program Files\Google
2008-03-23 23:55:54 0 d-------- C:\Program Files\IncrediMail
2008-03-23 22:27:30 0 d-------- C:\Program Files\Bonjour
2008-03-23 22:08:46 0 d-------- C:\Program Files\Common Files
2008-03-23 21:43:23 255 --a------ C:\Users\Scott\AppData\Roaming\iPod Access v4 Prefs
2008-03-23 21:30:00 0 d-------- C:\Program Files\Wide Angle Software
2008-03-23 21:29:56 0 d-------- C:\Program Files\iPod Access for Windows
2008-03-22 19:45:03 0 d-------- C:\Program Files\Realtek
2008-03-22 11:48:51 0 d-------- C:\Users\Scott\AppData\Roaming\IDM
2008-03-21 22:42:40 668 --a------ C:\Users\Scott\AppData\Roaming\vso_ts_preview.xml
2008-03-21 19:27:50 0 d-------- C:\Users\Scott\AppData\Roaming\Vso
2008-03-20 19:02:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 18:57:12 0 d-------- C:\Users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2008-03-20 18:56:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 18:43:40 174 --ahs---- C:\Program Files\desktop.ini
2008-03-19 22:24:49 0 d-------- C:\Program Files\Windows Mail
2008-03-19 22:24:49 0 d-------- C:\Program Files\Windows Calendar
2008-03-19 22:24:45 0 d-------- C:\Program Files\Windows Sidebar
2008-03-19 22:24:45 0 d-------- C:\Program Files\Movie Maker
2008-03-19 22:24:39 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-19 22:24:18 0 d-------- C:\Program Files\Windows Defender
2008-03-18 18:04:53 0 d-------- C:\Users\Scott\AppData\Roaming\funkitron
2008-03-18 17:37:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-14 18:35:52 0 d-------- C:\Program Files\Ulead Systems
2008-03-14 18:26:02 0 d-------- C:\Program Files\DVDPean Pro 5.6.0
2008-03-14 18:21:51 0 d-------- C:\Program Files\MagicISO
2008-03-14 18:21:39 0 d-------- C:\Program Files\MixVibesDVS
2008-03-14 17:59:34 0 d-------- C:\Program Files\Java
2008-03-11 19:24:17 0 d-------- C:\Program Files\Windows Live
2008-03-11 06:54:19 0 d-------- C:\Program Files\Norton Internet Security
2008-03-11 06:54:18 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-09 10:02:28 0 d-------- C:\Program Files\DivX
2008-03-09 08:44:45 0 d-------- C:\Users\Scott\AppData\Roaming\Adobe
2008-03-09 07:44:24 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-03-06 07:05:46 0 d-------- C:\Program Files\vso
2008-03-06 07:05:41 55 --a------ C:\Users\Scott\AppData\Roaming\pcouffin.log
2008-03-06 07:05:40 47360 --a------ C:\Users\Scott\AppData\Roaming\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-06 07:05:40 1144 --a------ C:\Users\Scott\AppData\Roaming\pcouffin.inf
2008-03-06 07:05:40 7887 --a------ C:\Users\Scott\AppData\Roaming\pcouffin.cat
2008-03-04 17:33:33 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-04 17:33:32 0 d-------- C:\Program Files\Nokia
2008-03-03 19:19:32 666833 --a------ C:\Users\Scott\AppData\Roaming\NMM-MetaData.db
2008-03-03 19:04:53 0 d-------- C:\Users\Scott\AppData\Roaming\LimeWire
2008-03-02 10:20:45 0 d-------- C:\Program Files\SoundSpectrum
2008-03-02 10:20:14 0 d-------- C:\Users\Scott\AppData\Roaming\SoundSpectrum
2008-02-21 17:44:28 0 d-------- C:\Users\Scott\AppData\Roaming\Thinstall
2008-02-17 19:10:30 0 d-------- C:\Users\Scott\AppData\Roaming\DVDPeanSoftware
2008-02-14 18:14:02 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-14 18:13:11 0 d-------- C:\Program Files\Common Files\Control Panels
2008-02-12 18:24:11 0 --a------ C:\Windows\nsreg.dat
2008-02-12 18:24:05 0 d-------- C:\Users\Scott\AppData\Roaming\Mozilla
2008-02-12 18:11:11 0 d-------- C:\Program Files\Common Files\Java
2008-02-10 09:51:53 0 d-------- C:\Program Files\Trend Micro
2008-02-09 10:50:56 0 d-------- C:\Program Files\Common Files\Real
2008-02-09 10:50:47 0 d-------- C:\Users\Scott\AppData\Roaming\Real
2008-02-08 19:15:46 2560 --a------ C:\Windows\_MSRSTRT.EXE
2008-02-08 19:15:46 0 d-------- C:\Program Files\DAP
2008-02-07 20:58:23 0 d-------- C:\Program Files\Common Files\Nero
2008-02-07 20:55:07 0 d-------- C:\Program Files\Nero
2008-02-03 09:35:21 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-01-04 21:41:49 3532 --a------ C:\drmHeader.bin
2007-12-30 17:06:50 41 --ah----- C:\Users\Scott\AppData\Roaming\iPodAccessv4_OwnerName
2007-12-30 17:06:06 11 --ah----- C:\Users\Scott\AppData\Roaming\iPodAccess_Time


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 07:38]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [28/09/2006 13:42]
"RtHDVCpl"="RtHDVCpl.exe" [25/10/2007 05:52 C:\Windows\RtHDVCpl.exe]
"@"="" []
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [21/11/2006 16:08]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [05/02/2007 14:52]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/01/2007 07:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [28/11/2007 19:51]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [03/12/2007 14:21]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 14:57]
"Acrobat Assistant 8.0"="K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20/03/2007 16:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [11/12/2007 17:06]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [11/12/2007 17:06]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [11/12/2007 17:06]
"MSServer"="C:\Windows\system32\ssqnk.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 23:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 13:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [03/12/2005 13:52]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [22/03/2006 23:13]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [17/02/2005 01:15]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [08/03/2008 15:52]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 07:33]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [20/03/2008 19:02]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [3/24/2008 10:59:20 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Scott^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^U46DJ Control Panel.lnk]
path=C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U46DJ Control Panel.lnk
backup=C:\Windows\pss\U46DJ Control Panel.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
"C:\Program Files\HP\DVDPlay\DPService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R800]
C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE /FU "C:\Windows\TEMP\E_SFCB5.tmp" /EF "HKCU"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
C:\Program Files\Internet Download Manager\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72c82f0f-2589-11dc-9689-001a926a8d4c}]
AutoRun\command- K:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3f1cf13-84b6-11dc-876b-001a926a8d4c}]
AutoRun\command- F:\Launcher.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-03-27 06:45:04 ------------
  • 0

#4
andrewuk
Posted 27 March 2008 - 03:43 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Ran the scan but only one notepad file open (main) so her are the results:

no problem.

in this post we will start the fix though i suspect we will be running this tool again in the next post.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

andrewuk
  • 0

#5
battison10
Posted 29 March 2008 - 10:37 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
ComboFix 08-03-27.5 - Scott 2008-03-29 16:07:15.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1758 [GMT 0:00]
Running from: C:\Users\Scott\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Users\Scott\AppData\Roaming\inst.exe
C:\Windows\Downloaded Program Files\Quarantine
C:\Windows\system32\cbxxxxw.dll

----- BITS: Possible infected sites -----

hxxp://theinstalls.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-27 19:25 . 2008-03-27 19:25 <DIR> d-------- C:\Program Files\EDraw1.6.4
2008-03-27 06:38 . 2008-03-27 06:38 <DIR> d-------- C:\Deckard
2008-03-24 10:59 . 2008-03-29 15:18 <DIR> d-------- C:\Users\All Users\Google Updater
2008-03-24 10:59 . 2008-03-29 15:18 <DIR> d-------- C:\ProgramData\Google Updater
2008-03-23 22:50 . 2008-03-23 22:50 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-23 22:29 . 2008-03-29 16:03 54,156 --ah----- C:\Windows\QTFont.qfn
2008-03-23 22:29 . 2008-03-23 22:29 1,409 --a------ C:\Windows\QTFont.for
2008-03-23 22:28 . 2008-03-23 22:28 <DIR> d-------- C:\Program Files\iTunes
2008-03-23 22:28 . 2008-03-23 22:28 <DIR> d-------- C:\Program Files\iPod
2008-03-23 22:14 . 2008-03-23 22:28 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-03-23 22:14 . 2008-03-23 22:28 <DIR> d-------- C:\ProgramData\Apple Computer
2008-03-23 22:14 . 2008-03-23 22:15 <DIR> d-------- C:\Program Files\QuickTime
2008-03-23 22:13 . 2008-03-23 22:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-23 22:08 . 2008-03-23 22:08 <DIR> d-------- C:\Users\All Users\Apple
2008-03-23 22:08 . 2008-03-23 22:08 <DIR> d-------- C:\ProgramData\Apple
2008-03-23 22:08 . 2008-03-23 22:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-22 19:45 . 2008-03-23 21:30 <DIR> d-------- C:\Users\Scott\{6a9bee41-a652-41da-8090-b8c18593a4be}
2008-03-22 11:49 . 2008-03-22 11:49 4,440 --a------ C:\Windows\System32\tmp.reg
2008-03-21 09:41 . 2008-03-21 09:41 <DIR> d-------- C:\VundoFix Backups
2008-03-20 22:45 . 2008-03-20 22:45 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-03-20 22:45 . 2007-06-28 18:55 77,824 --a------ C:\Windows\System32\xvid.ax
2008-03-20 22:45 . 2005-06-07 15:11 60,416 --a------ C:\Windows\System32\dsetup.dll
2008-03-20 19:59 . 2007-01-03 19:20 1,732 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-03-20 18:57 . 2008-03-20 18:57 <DIR> d-------- C:\Users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2008-03-19 21:05 . 2008-01-19 05:46 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-19 21:04 . 2008-01-19 07:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-03-19 21:03 . 2008-01-19 07:35 3,072,000 --a------ C:\Windows\System32\networkmap.dll
2008-03-19 21:02 . 2008-01-19 07:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
2008-03-19 21:01 . 2008-01-19 06:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-03-19 21:00 . 2008-01-19 07:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-03-19 21:00 . 2008-01-19 07:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-03-19 21:00 . 2008-01-19 07:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-03-19 21:00 . 2008-01-19 07:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-03-19 21:00 . 2008-01-19 07:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-03-19 20:59 . 2008-01-19 07:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-03-19 20:59 . 2008-01-19 07:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-03-19 20:59 . 2008-01-19 07:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-03-19 20:59 . 2008-01-19 07:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-03-19 19:52 . 2006-11-08 09:48 356,352 --a------ C:\Windows\System32\nvusmb.exe
2008-03-19 19:52 . 2006-10-19 10:36 1,864 --a------ C:\Windows\System32\nvsmb.nvu
2008-03-19 19:46 . 2007-05-01 08:11 356,352 --a------ C:\Windows\System32\nvunrm.exe
2008-03-18 18:04 . 2008-03-18 18:04 <DIR> d-------- C:\Users\Scott\AppData\Roaming\funkitron
2008-03-18 17:54 . 2008-03-18 17:54 <DIR> d-------- C:\Program Files\Poker Superstars II
2008-03-18 17:46 . 2008-03-18 17:46 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-18 07:10 . 2008-03-18 07:10 <DIR> d-------- C:\Program Files\DAP Premium
2008-03-16 09:58 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2008-03-09 10:07 . 2008-03-09 10:07 <DIR> d-------- C:\divx
2008-03-09 09:26 . 2008-03-09 09:26 <DIR> d-------- C:\Program Files\Xilisoft
2008-03-09 07:43 . 2008-03-09 07:43 307,968 --a------ C:\Windows\System32\TuneUpDefragService.exe
2008-03-09 07:43 . 2008-02-27 13:15 28,416 --a------ C:\Windows\System32\uxtuneup.dll
2008-03-09 07:43 . 2008-02-27 13:15 16,640 --a------ C:\Windows\System32\authuitu.dll
2008-03-08 15:51 . 2008-03-22 11:48 <DIR> d-------- C:\Users\Scott\AppData\Roaming\IDM
2008-03-08 15:51 . 2008-03-29 16:00 <DIR> d-------- C:\Users\Scott\AppData\Roaming\DMCache
2008-03-08 15:51 . 2008-03-09 09:33 <DIR> d-------- C:\Program Files\Internet Download Manager
2008-03-07 19:39 . 2008-03-14 19:13 <DIR> d-------- C:\Program Files\Xara
2008-03-07 19:39 . 2008-03-14 19:13 <DIR> d-------- C:\Program Files\Common Files\Xara
2008-03-07 18:41 . 2008-03-07 18:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\Windows\System32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\Windows\System32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\Windows\System32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\Windows\System32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\Windows\System32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\Windows\System32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\Windows\System32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\Windows\System32\drivers\symdns.sys
2008-03-06 19:42 . 2008-03-06 19:42 10,208 --a------ C:\Windows\System32\gaeffect.sti
2008-03-06 19:42 . 2008-03-06 19:42 6,344 --a------ C:\Windows\System32\gafilter.sti
2008-03-06 19:36 . 2008-03-06 19:36 <DIR> d-------- C:\Windows\Noslip
2008-03-06 19:36 . 1998-10-29 16:45 306,688 --a------ C:\Windows\IsUninst.exe
2008-03-06 19:36 . 2008-03-06 19:36 16 --a------ C:\Windows\Wininit.ini
2008-03-06 19:01 . 2008-03-08 15:34 <DIR> d-------- C:\Program Files\Magic Swf2Gif
2008-03-06 07:04 . 2004-05-04 11:53 1,645,320 --a------ C:\Windows\gdiplus.dll
2008-03-06 07:04 . 2006-05-20 16:16 1,184,984 --a------ C:\Windows\System32\wvc1dmod.dll
2008-03-06 07:04 . 2006-05-11 19:21 626,688 --a------ C:\Windows\System32\vp7vfw.dll
2008-03-06 07:04 . 2007-03-18 20:37 65,602 --a------ C:\Windows\System32\cook3260.dll
2008-03-05 18:15 . 2008-03-05 18:15 <DIR> d-------- C:\Users\All Users\IncrediMail
2008-03-05 18:15 . 2008-03-05 18:16 <DIR> d-------- C:\Users\All Users\IM
2008-03-05 18:15 . 2008-03-05 18:15 <DIR> d-------- C:\ProgramData\IncrediMail
2008-03-05 18:15 . 2008-03-05 18:16 <DIR> d-------- C:\ProgramData\IM
2008-03-05 06:54 . 2008-03-05 06:54 <DIR> d-------- C:\Program Files\ESI
2008-03-04 19:47 . 2008-03-04 19:47 0 --ah----- C:\Windows\SwSys2.bmp
2008-03-04 19:47 . 2008-03-04 19:47 0 --ah----- C:\Windows\SwSys1.bmp
2008-03-04 18:04 . 2005-11-30 21:20 2,314,332 --a------ C:\Windows\System32\LIBMMD.DLL
2008-03-03 19:21 . 2008-03-04 07:09 <DIR> d-------- C:\Program Files\DJ Music Mixer
2008-03-03 19:11 . 2008-03-03 19:11 <DIR> d-------- C:\Users\All Users\Nokia
2008-03-03 19:11 . 2008-03-03 19:11 <DIR> d-------- C:\ProgramData\Nokia
2008-03-03 19:08 . 2008-03-03 19:08 <DIR> d-------- C:\Users\All Users\Installations
2008-03-03 19:08 . 2008-03-03 19:08 <DIR> d-------- C:\ProgramData\Installations
2008-03-03 18:49 . 2008-03-11 19:38 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 18:48 . 2008-03-11 19:25 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-03 18:48 . 2008-03-11 19:25 <DIR> d-------- C:\ProgramData\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 16:04 --------- d-----w C:\ProgramData\Symantec
2008-03-27 19:54 --------- d-----w C:\Users\Scott\AppData\Roaming\uTorrent
2008-03-24 10:59 --------- d-----w C:\Program Files\SpywareGuard
2008-03-24 10:59 --------- d-----w C:\Program Files\Google
2008-03-23 23:55 --------- d-----w C:\Program Files\IncrediMail
2008-03-23 22:27 --------- d-----w C:\Program Files\Bonjour
2008-03-23 21:30 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-03-23 21:30 --------- d-----w C:\ProgramData\FLEXnet
2008-03-23 21:30 --------- d-----w C:\Program Files\Wide Angle Software
2008-03-23 21:29 --------- d-----w C:\Program Files\iPod Access for Windows
2008-03-22 19:45 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-03-22 19:45 --------- d-----w C:\Program Files\Realtek
2008-03-21 19:27 --------- d-----w C:\Users\Scott\AppData\Roaming\Vso
2008-03-20 19:02 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-20 18:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 18:43 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 02:27 --------- d-----w C:\ProgramData\NVIDIA
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Mail
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Defender
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Calendar
2008-03-18 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 18:35 --------- d-----w C:\ProgramData\Ulead Systems
2008-03-14 18:35 --------- d-----w C:\Program Files\Ulead Systems
2008-03-14 18:26 --------- d-----w C:\Program Files\DVDPean Pro 5.6.0
2008-03-14 18:21 --------- d-----w C:\Program Files\MixVibesDVS
2008-03-14 18:21 --------- d-----w C:\Program Files\MagicISO
2008-03-14 17:59 --------- d-----w C:\Program Files\Java
2008-03-11 19:24 --------- d-----w C:\Program Files\Windows Live
2008-03-11 06:54 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-11 06:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-09 10:02 --------- d-----w C:\Program Files\DivX
2008-03-09 07:44 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-06 21:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-06 21:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-06 21:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-03-06 07:05 47,360 ----a-w C:\Users\Scott\AppData\Roaming\pcouffin.sys
2008-03-06 07:05 --------- d-----w C:\Program Files\vso
2008-03-04 17:33 --------- d-----w C:\Program Files\Nokia
2008-03-04 17:33 --------- d-----w C:\Program Files\Common Files\Nokia
2008-03-03 19:04 --------- d-----w C:\Users\Scott\AppData\Roaming\LimeWire
2008-03-03 18:33 --------- d---a-w C:\ProgramData\TEMP
2008-03-02 10:20 --------- d-----w C:\Users\Scott\AppData\Roaming\SoundSpectrum
2008-03-02 10:20 --------- d-----w C:\Program Files\SoundSpectrum
2008-02-21 17:44 --------- d-----w C:\Users\Scott\AppData\Roaming\Thinstall
2008-02-18 11:16 30,464 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-02-17 19:10 --------- d-----w C:\Users\Scott\AppData\Roaming\DVDPeanSoftware
2008-02-14 18:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 18:13 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-02-14 18:10 --------- d-----w C:\ProgramData\ALM
2008-02-12 18:11 --------- d-----w C:\Program Files\Common Files\Java
2008-02-10 20:47 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-10 10:48 --------- d-----w C:\ProgramData\Grisoft
2008-02-10 09:51 --------- d-----w C:\Program Files\Trend Micro
2008-02-09 10:50 --------- d-----w C:\Program Files\Common Files\Real
2008-02-08 19:15 --------- d-----w C:\Program Files\DAP
2008-02-07 20:58 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-07 20:55 --------- d-----w C:\ProgramData\Nero
2008-02-07 20:55 --------- d-----w C:\Program Files\Nero
2008-02-03 09:39 --------- d-----w C:\ProgramData\PC Drivers Headquarters
2008-02-03 09:35 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-01-19 07:34 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-01-19 07:33 58,880 ----a-w C:\Windows\bfsvc.exe
2008-01-19 07:33 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-19 07:33 498,176 ----a-w C:\Windows\HelpPane.exe
2008-01-19 07:33 459,264 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-19 07:33 40,960 ----a-w C:\Windows\AppPatch\apihex86.dll
2008-01-19 07:33 237,568 ----a-w C:\Windows\AppPatch\AcRedir.dll
2008-01-19 07:33 2,927,104 ----a-w C:\Windows\explorer.exe
2008-01-19 07:33 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-19 07:33 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-19 07:33 151,040 ----a-w C:\Windows\notepad.exe
2008-01-19 07:33 134,656 ----a-w C:\Windows\regedit.exe
2008-01-19 07:33 13,312 ----a-w C:\Windows\fveupdate.exe
2008-01-04 21:41 3,532 ----a-w C:\drmHeader.bin
2007-11-11 16:27 94,080 ----a-w C:\Users\Scott\AppData\Roaming\ezplay.sys
2007-11-11 16:27 81,920 ----a-w C:\Users\Scott\AppData\Roaming\ezpinst.exe
2007-09-01 11:21 22 --sha-w C:\Windows\SMINST\HPCD.sys
2007-07-15 19:23 88 --sha-r C:\Windows\System32\71CE9D815B.sys
2007-07-16 07:35 88 --sha-r C:\Windows\System32\DC2E12B9C6.sys
2007-05-17 20:03 88 --sha-r C:\Windows\System32\DEA2665800.sys
2007-07-16 07:36 3,764 --sha-w C:\Windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 13:52 1015808]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13 1591808]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 01:15 221184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33 202240]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-20 19:02 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 07:38 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 13:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 05:52 4702208 C:\Windows\RtHDVCpl.exe]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 16:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 14:52 849280]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"Acrobat Assistant 8.0"="K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"MSServer"="C:\Windows\system32\ssqnk.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [3/24/2008 10:59:20 AM 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Scott^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^U46DJ Control Panel.lnk]
path=C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U46DJ Control Panel.lnk
backup=C:\Windows\pss\U46DJ Control Panel.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
C:\Program Files\HP\DVDPlay\DPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R800]
--a------ 2007-01-16 04:00 177664 C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATI9YE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 07:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-03-08 15:52 2594224 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2008-03-11 17:30 243072 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 01:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 01:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-11-28 14:12 222720 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{38B1A04E-A897-4B53-BB14-7418D2D2AC5C}C:\\users\\scott\\program files\\utorrent\\utorrent.exe"= UDP:C:\users\scott\program files\utorrent\utorrent.exe:utorrent.exe
"UDP Query User{6BD45AE4-C9A8-4F2C-B506-1502AD5C975F}C:\\users\\scott\\program files\\utorrent\\utorrent.exe"= TCP:C:\users\scott\program files\utorrent\utorrent.exe:utorrent.exe
"{ED13F298-6B08-4201-8674-A50834ACC569}"= UDP:14444:utorrent
"{AAC41441-F976-4BAB-BB2E-982E22A5B047}"= TCP:14444:utorrent
"{21D0C3F0-7550-4BD6-BAAB-22E5E9AA55E5}"= UDP:C:\Users\Scott\Program Files\uTorrent\uTorrent.exe:µTorrent
"{C80CD74D-AB31-4F25-BD20-B1410FCDC0F3}"= TCP:C:\Users\Scott\Program Files\uTorrent\uTorrent.exe:µTorrent
"{F3863C16-564A-4F6D-A82D-546CD1382D57}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{49B292F1-C9FB-4449-B264-E503BD8D52BA}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F63335E0-9DA2-4D32-9290-0DBF7ACDD0CB}"= UDP:C:\Program Files\Orb Networks\Orb\bin\Orb.exe:Orb
"{6B30BB90-EF92-4908-B661-9E64DDC8C215}"= TCP:C:\Program Files\Orb Networks\Orb\bin\Orb.exe:Orb
"{A1932CAC-3AD3-43B0-927D-830FC9C325D7}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{0EEAA0A3-F14A-4F0E-AF23-699A568CCE36}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{6DF4984C-19D2-4E07-95AC-57D6418FAA2D}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{CCBC6E24-AD93-4197-89AC-C72DE6E552AB}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{B15F8E10-48A4-4B9B-9C3F-91206175718F}"= UDP:C:\Program Files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{F9540578-331C-4FF0-9286-16096B8E6BD1}"= TCP:C:\Program Files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{CF0F4A96-D828-4827-94CF-9A7EB1B2670C}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbChannelScan.exe:OrbChannelScan
"{497CE2CF-5499-49E0-89A7-DEB2FD6EC571}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbChannelScan.exe:OrbChannelScan
"{9B425107-8617-4C77-B6D1-BB92E8CAC247}"= C:\Program Files\Windows Live\Messenger\wlcsdk.exe:Windows Live Messenger (Phone)
"{5B5635A6-F8E8-4308-9373-180161E0EFCA}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\RM.exe:Render Manager
"{C55FF4CD-77E3-41CD-B3DF-65D271972880}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\RM.exe:Render Manager
"{6D2C8490-05C1-4CBC-B56A-CE139D2F28ED}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe:Studio
"{A96AFFBC-762B-44EC-B523-362FCB86162D}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe:Studio
"{A2017AB2-2A7C-474A-B24A-B045EC744D08}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:PMSRegisterFile
"{440943C1-4C29-4128-9699-692FF2BB8EEC}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:PMSRegisterFile
"{ED3457AA-404F-48A7-8DBD-456D28376B9B}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\umi.exe:umi
"{B6EEEC4A-D095-47E5-AD66-B0154346980E}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\umi.exe:umi
"{AC7828F7-D563-4709-9922-4BC812E691C0}"= UDP:3703:Adobe Version Cue CS3 Server
"{96CDAD8B-8E52-4C6B-8F79-36E014DF87D2}"= UDP:3704:Adobe Version Cue CS3 Server
"{5B9B8B44-2CF3-4A9A-8362-7BAAEAE07685}"= UDP:50900:Adobe Version Cue CS3 Server
"{7D64EFF9-8736-4396-9A28-CCC790186551}"= UDP:50901:Adobe Version Cue CS3 Server
"{A6AB4499-62B3-4F3E-83DC-0675C69E8FBC}"= UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{46D468CC-1552-40E3-B354-59FB53563E06}"= TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{3910CA99-20CD-49F1-95DF-31A0DFEF40E3}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{0C5B8293-F35C-453E-B98E-FE04A9BD1BC8}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{F1F1105A-7479-459C-8E1A-0A2700CB64B9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8D1C8EB0-E20A-42DC-B244-8AE5948EF888}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{FFB94416-2769-477B-B6F6-FA06D95920C8}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{BF6B9468-4CD6-4453-B0FD-B763300ED4EF}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{1CE52F1D-6813-44EA-B6C4-40F38104A02F}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{CB17BCE3-D45A-4907-9E07-19B667949671}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{88AD49B3-448D-40C0-8A40-B53AFF48D178}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{406201F1-124F-4FFB-A695-788A76AD620A}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{47DB9E4A-7887-409D-80A6-E4EB47502913}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5A61FD86-EFC7-467A-86BD-1039F58D54CD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{01BF2DF4-2CD4-4A36-BCB4-6CFB20553707}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{92E5C759-E3E5-48EC-9558-E1A6726BAD8D}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{F7761338-7B4E-4A40-BD57-14A8BC40BAC3}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{2B67B61B-BA41-4DE0-8D06-D28C58243DC5}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{6F0C9EA6-A117-48B3-80E3-0333DF5B3745}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{3817B4CD-9590-47A4-B764-121F3E58854C}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\Windows\system32\DRIVERS\AmdAcpi.sys [2006-09-05 16:04]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080325.002\IDSvix86.sys [2008-02-13 16:18]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 00:45]
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2008-01-19 07:33]
R3 AmdTools;AMD Special Tools Driver;C:\Windows\system32\DRIVERS\AmdTools.sys [2006-08-24 15:37]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 13:39]
S3 Navcar;Navman In-car Navigator USB Driver Service;C:\Windows\system32\DRIVERS\Navcar.sys [2006-09-18 12:48]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [2006-11-18 00:24]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\Windows\System32\TuneUpDefragService.exe [2008-03-09 07:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72c82f0f-2589-11dc-9689-001a926a8d4c}]
\shell\AutoRun\command - K:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3f1cf13-84b6-11dc-876b-001a926a8d4c}]
\shell\AutoRun\command - F:\Launcher.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 16:16:13 C:\Windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-03-24 20:51:38 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Scott.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 16:16:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PSIService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
.
**************************************************************************
.
Completion time: 2008-03-29 16:20:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 16:20:07
Pre-Run: 74,887,622,656 bytes free
Post-Run: 74,138,771,456 bytes free
.
2008-03-21 19:18:24 --- E O F ---



Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35:19, on 29/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqnk.dll,#1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Append to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\system32\drivers\pclepci.sys
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 13655 bytes
  • 0

#6
andrewuk
Posted 29 March 2008 - 02:13 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will remove the rest of the malware i can see in your logs, and all going well we will do some scans in the following post.

firstly, i notice that the UAC (User Account Control) is disabled on your machine. did you do this?


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqnk.dll,#1

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72c82f0f-2589-11dc-9689-001a926a8d4c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3f1cf13-84b6-11dc-876b-001a926a8d4c}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0

#7
battison10
Posted 29 March 2008 - 02:39 PM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
Hi, can't remeber if I disabled UAC - shall I turn it back on? Here are the logs you requested.

ComboFix 08-03-27.5 - Scott 2008-03-29 20:26:12.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1396 [GMT 0:00]
Running from: C:\Users\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Users\Scott\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-27 19:25 . 2008-03-27 19:25 <DIR> d-------- C:\Program Files\EDraw1.6.4
2008-03-27 06:38 . 2008-03-27 06:38 <DIR> d-------- C:\Deckard
2008-03-24 10:59 . 2008-03-29 15:18 <DIR> d-------- C:\Users\All Users\Google Updater
2008-03-24 10:59 . 2008-03-29 15:18 <DIR> d-------- C:\ProgramData\Google Updater
2008-03-23 22:50 . 2008-03-23 22:50 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-23 22:29 . 2008-03-29 17:05 54,156 --ah----- C:\Windows\QTFont.qfn
2008-03-23 22:29 . 2008-03-23 22:29 1,409 --a------ C:\Windows\QTFont.for
2008-03-23 22:28 . 2008-03-23 22:28 <DIR> d-------- C:\Program Files\iTunes
2008-03-23 22:28 . 2008-03-23 22:28 <DIR> d-------- C:\Program Files\iPod
2008-03-23 22:14 . 2008-03-23 22:28 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-03-23 22:14 . 2008-03-23 22:28 <DIR> d-------- C:\ProgramData\Apple Computer
2008-03-23 22:14 . 2008-03-23 22:15 <DIR> d-------- C:\Program Files\QuickTime
2008-03-23 22:13 . 2008-03-23 22:13 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-23 22:08 . 2008-03-23 22:08 <DIR> d-------- C:\Users\All Users\Apple
2008-03-23 22:08 . 2008-03-23 22:08 <DIR> d-------- C:\ProgramData\Apple
2008-03-23 22:08 . 2008-03-23 22:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-22 19:45 . 2008-03-23 21:30 <DIR> d-------- C:\Users\Scott\{6a9bee41-a652-41da-8090-b8c18593a4be}
2008-03-22 11:49 . 2008-03-22 11:49 4,440 --a------ C:\Windows\System32\tmp.reg
2008-03-21 09:41 . 2008-03-21 09:41 <DIR> d-------- C:\VundoFix Backups
2008-03-20 22:45 . 2008-03-20 22:45 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-03-20 22:45 . 2007-06-28 18:55 77,824 --a------ C:\Windows\System32\xvid.ax
2008-03-20 22:45 . 2005-06-07 15:11 60,416 --a------ C:\Windows\System32\dsetup.dll
2008-03-20 19:59 . 2007-01-03 19:20 1,732 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-03-20 18:57 . 2008-03-20 18:57 <DIR> d-------- C:\Users\Scott\AppData\Roaming\SUPERAntiSpyware.com
2008-03-19 21:05 . 2008-01-19 05:46 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-19 21:04 . 2008-01-19 07:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-03-19 21:03 . 2008-01-19 07:35 3,072,000 --a------ C:\Windows\System32\networkmap.dll
2008-03-19 21:02 . 2008-01-19 07:34 6,103,040 --a------ C:\Windows\System32\chtbrkr.dll
2008-03-19 21:01 . 2008-01-19 06:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-03-19 21:00 . 2008-01-19 07:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-03-19 21:00 . 2008-01-19 07:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-03-19 21:00 . 2008-01-19 07:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-03-19 21:00 . 2008-01-19 07:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-03-19 21:00 . 2008-01-19 07:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-03-19 20:59 . 2008-01-19 07:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-03-19 20:59 . 2008-01-19 07:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-03-19 20:59 . 2008-01-19 07:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-03-19 20:59 . 2008-01-19 07:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-03-19 19:52 . 2006-11-08 09:48 356,352 --a------ C:\Windows\System32\nvusmb.exe
2008-03-19 19:52 . 2006-10-19 10:36 1,864 --a------ C:\Windows\System32\nvsmb.nvu
2008-03-19 19:46 . 2007-05-01 08:11 356,352 --a------ C:\Windows\System32\nvunrm.exe
2008-03-18 18:04 . 2008-03-18 18:04 <DIR> d-------- C:\Users\Scott\AppData\Roaming\funkitron
2008-03-18 17:54 . 2008-03-18 17:54 <DIR> d-------- C:\Program Files\Poker Superstars II
2008-03-18 17:46 . 2008-03-18 17:46 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-18 07:10 . 2008-03-18 07:10 <DIR> d-------- C:\Program Files\DAP Premium
2008-03-16 09:58 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2008-03-09 10:07 . 2008-03-09 10:07 <DIR> d-------- C:\divx
2008-03-09 09:26 . 2008-03-09 09:26 <DIR> d-------- C:\Program Files\Xilisoft
2008-03-09 07:43 . 2008-03-09 07:43 307,968 --a------ C:\Windows\System32\TuneUpDefragService.exe
2008-03-09 07:43 . 2008-02-27 13:15 28,416 --a------ C:\Windows\System32\uxtuneup.dll
2008-03-09 07:43 . 2008-02-27 13:15 16,640 --a------ C:\Windows\System32\authuitu.dll
2008-03-08 15:51 . 2008-03-22 11:48 <DIR> d-------- C:\Users\Scott\AppData\Roaming\IDM
2008-03-08 15:51 . 2008-03-29 16:00 <DIR> d-------- C:\Users\Scott\AppData\Roaming\DMCache
2008-03-08 15:51 . 2008-03-09 09:33 <DIR> d-------- C:\Program Files\Internet Download Manager
2008-03-07 19:39 . 2008-03-14 19:13 <DIR> d-------- C:\Program Files\Xara
2008-03-07 19:39 . 2008-03-14 19:13 <DIR> d-------- C:\Program Files\Common Files\Xara
2008-03-07 18:41 . 2008-03-07 18:41 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\Windows\System32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\Windows\System32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\Windows\System32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\Windows\System32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\Windows\System32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\Windows\System32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\Windows\System32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\Windows\System32\drivers\symdns.sys
2008-03-06 19:42 . 2008-03-06 19:42 10,208 --a------ C:\Windows\System32\gaeffect.sti
2008-03-06 19:42 . 2008-03-06 19:42 6,344 --a------ C:\Windows\System32\gafilter.sti
2008-03-06 19:36 . 2008-03-06 19:36 <DIR> d-------- C:\Windows\Noslip
2008-03-06 19:36 . 1998-10-29 16:45 306,688 --a------ C:\Windows\IsUninst.exe
2008-03-06 19:36 . 2008-03-06 19:36 16 --a------ C:\Windows\Wininit.ini
2008-03-06 19:01 . 2008-03-08 15:34 <DIR> d-------- C:\Program Files\Magic Swf2Gif
2008-03-06 07:04 . 2004-05-04 11:53 1,645,320 --a------ C:\Windows\gdiplus.dll
2008-03-06 07:04 . 2006-05-20 16:16 1,184,984 --a------ C:\Windows\System32\wvc1dmod.dll
2008-03-06 07:04 . 2006-05-11 19:21 626,688 --a------ C:\Windows\System32\vp7vfw.dll
2008-03-06 07:04 . 2007-03-18 20:37 65,602 --a------ C:\Windows\System32\cook3260.dll
2008-03-05 18:15 . 2008-03-05 18:15 <DIR> d-------- C:\Users\All Users\IncrediMail
2008-03-05 18:15 . 2008-03-05 18:16 <DIR> d-------- C:\Users\All Users\IM
2008-03-05 18:15 . 2008-03-05 18:15 <DIR> d-------- C:\ProgramData\IncrediMail
2008-03-05 18:15 . 2008-03-05 18:16 <DIR> d-------- C:\ProgramData\IM
2008-03-05 06:54 . 2008-03-05 06:54 <DIR> d-------- C:\Program Files\ESI
2008-03-04 19:47 . 2008-03-04 19:47 0 --ah----- C:\Windows\SwSys2.bmp
2008-03-04 19:47 . 2008-03-04 19:47 0 --ah----- C:\Windows\SwSys1.bmp
2008-03-04 18:04 . 2005-11-30 21:20 2,314,332 --a------ C:\Windows\System32\LIBMMD.DLL
2008-03-03 19:21 . 2008-03-04 07:09 <DIR> d-------- C:\Program Files\DJ Music Mixer
2008-03-03 19:11 . 2008-03-03 19:11 <DIR> d-------- C:\Users\All Users\Nokia
2008-03-03 19:11 . 2008-03-03 19:11 <DIR> d-------- C:\ProgramData\Nokia
2008-03-03 19:08 . 2008-03-03 19:08 <DIR> d-------- C:\Users\All Users\Installations
2008-03-03 19:08 . 2008-03-03 19:08 <DIR> d-------- C:\ProgramData\Installations
2008-03-03 18:49 . 2008-03-11 19:38 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 18:48 . 2008-03-11 19:25 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-03-03 18:48 . 2008-03-11 19:25 <DIR> d-------- C:\ProgramData\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 20:20 --------- d-----w C:\ProgramData\Symantec
2008-03-27 19:54 --------- d-----w C:\Users\Scott\AppData\Roaming\uTorrent
2008-03-24 10:59 --------- d-----w C:\Program Files\SpywareGuard
2008-03-24 10:59 --------- d-----w C:\Program Files\Google
2008-03-23 23:55 --------- d-----w C:\Program Files\IncrediMail
2008-03-23 22:27 --------- d-----w C:\Program Files\Bonjour
2008-03-23 21:30 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-03-23 21:30 --------- d-----w C:\ProgramData\FLEXnet
2008-03-23 21:30 --------- d-----w C:\Program Files\Wide Angle Software
2008-03-23 21:29 --------- d-----w C:\Program Files\iPod Access for Windows
2008-03-22 19:45 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-03-22 19:45 --------- d-----w C:\Program Files\Realtek
2008-03-21 19:27 --------- d-----w C:\Users\Scott\AppData\Roaming\Vso
2008-03-20 19:02 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-20 18:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 18:43 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 02:27 --------- d-----w C:\ProgramData\NVIDIA
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Mail
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Defender
2008-03-19 22:24 --------- d-----w C:\Program Files\Windows Calendar
2008-03-18 17:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 18:35 --------- d-----w C:\ProgramData\Ulead Systems
2008-03-14 18:35 --------- d-----w C:\Program Files\Ulead Systems
2008-03-14 18:26 --------- d-----w C:\Program Files\DVDPean Pro 5.6.0
2008-03-14 18:21 --------- d-----w C:\Program Files\MixVibesDVS
2008-03-14 18:21 --------- d-----w C:\Program Files\MagicISO
2008-03-14 17:59 --------- d-----w C:\Program Files\Java
2008-03-11 19:24 --------- d-----w C:\Program Files\Windows Live
2008-03-11 06:54 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-11 06:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-09 10:02 --------- d-----w C:\Program Files\DivX
2008-03-09 07:44 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-06 21:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-06 21:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-06 21:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-03-06 07:05 47,360 ----a-w C:\Users\Scott\AppData\Roaming\pcouffin.sys
2008-03-06 07:05 --------- d-----w C:\Program Files\vso
2008-03-04 17:33 --------- d-----w C:\Program Files\Nokia
2008-03-04 17:33 --------- d-----w C:\Program Files\Common Files\Nokia
2008-03-03 19:04 --------- d-----w C:\Users\Scott\AppData\Roaming\LimeWire
2008-03-03 18:33 --------- d---a-w C:\ProgramData\TEMP
2008-03-02 10:20 --------- d-----w C:\Users\Scott\AppData\Roaming\SoundSpectrum
2008-03-02 10:20 --------- d-----w C:\Program Files\SoundSpectrum
2008-02-21 17:44 --------- d-----w C:\Users\Scott\AppData\Roaming\Thinstall
2008-02-18 11:16 30,464 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-02-17 19:10 --------- d-----w C:\Users\Scott\AppData\Roaming\DVDPeanSoftware
2008-02-14 18:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 18:13 --------- d-----w C:\Program Files\Common Files\Control Panels
2008-02-14 18:10 --------- d-----w C:\ProgramData\ALM
2008-02-12 18:11 --------- d-----w C:\Program Files\Common Files\Java
2008-02-10 20:47 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-10 10:48 --------- d-----w C:\ProgramData\Grisoft
2008-02-10 09:51 --------- d-----w C:\Program Files\Trend Micro
2008-02-09 10:50 --------- d-----w C:\Program Files\Common Files\Real
2008-02-08 19:15 --------- d-----w C:\Program Files\DAP
2008-02-07 20:58 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-07 20:55 --------- d-----w C:\ProgramData\Nero
2008-02-07 20:55 --------- d-----w C:\Program Files\Nero
2008-02-03 09:39 --------- d-----w C:\ProgramData\PC Drivers Headquarters
2008-02-03 09:35 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-01-19 07:34 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-01-19 07:33 58,880 ----a-w C:\Windows\bfsvc.exe
2008-01-19 07:33 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-19 07:33 498,176 ----a-w C:\Windows\HelpPane.exe
2008-01-19 07:33 459,264 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-19 07:33 40,960 ----a-w C:\Windows\AppPatch\apihex86.dll
2008-01-19 07:33 237,568 ----a-w C:\Windows\AppPatch\AcRedir.dll
2008-01-19 07:33 2,927,104 ----a-w C:\Windows\explorer.exe
2008-01-19 07:33 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-19 07:33 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-19 07:33 151,040 ----a-w C:\Windows\notepad.exe
2008-01-19 07:33 134,656 ----a-w C:\Windows\regedit.exe
2008-01-19 07:33 13,312 ----a-w C:\Windows\fveupdate.exe
2008-01-04 21:41 3,532 ----a-w C:\drmHeader.bin
2007-11-11 16:27 94,080 ----a-w C:\Users\Scott\AppData\Roaming\ezplay.sys
2007-11-11 16:27 81,920 ----a-w C:\Users\Scott\AppData\Roaming\ezpinst.exe
2007-09-01 11:21 22 --sha-w C:\Windows\SMINST\HPCD.sys
2007-07-15 19:23 88 --sha-r C:\Windows\System32\71CE9D815B.sys
2007-07-16 07:35 88 --sha-r C:\Windows\System32\DC2E12B9C6.sys
2007-05-17 20:03 88 --sha-r C:\Windows\System32\DEA2665800.sys
2007-07-16 07:36 3,764 --sha-w C:\Windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-29_16.19.40.72 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-29 16:16:02 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-29 20:31:52 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-03-29 16:16:19 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-03-29 20:32:10 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-03-29 20:32:10 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-03-29 16:16:19 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-03-29 20:32:10 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-03-29 20:32:10 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-03-29 16:07:53 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-29 20:13:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-29 16:07:53 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-29 20:13:35 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-29 16:07:53 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-29 20:13:35 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-29 16:09:24 113,442 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-03-29 17:11:34 113,442 ----a-w C:\Windows\System32\perfc009.dat
- 2008-03-29 16:09:24 612,766 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-03-29 17:11:34 612,766 ----a-w C:\Windows\System32\perfh009.dat
- 2008-03-29 16:04:33 15,324 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1466205036-3104418628-1934201306-1000_UserData.bin
+ 2008-03-29 17:07:09 15,604 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1466205036-3104418628-1934201306-1000_UserData.bin
- 2008-03-29 16:04:33 89,630 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-29 17:07:08 89,808 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-29 17:03:05 3,076 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-03-29 16:04:29 68,860 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-29 17:07:06 68,876 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 13:52 1015808]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13 1591808]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 01:15 221184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33 202240]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-20 19:02 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 07:38 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 13:42 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 05:52 4702208 C:\Windows\RtHDVCpl.exe]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 16:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 14:52 849280]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"Acrobat Assistant 8.0"="K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 17:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 17:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 17:06 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [3/24/2008 10:59:20 AM 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Scott^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^U46DJ Control Panel.lnk]
path=C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U46DJ Control Panel.lnk
backup=C:\Windows\pss\U46DJ Control Panel.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DPService]
C:\Program Files\HP\DVDPlay\DPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R800]
--a------ 2007-01-16 04:00 177664 C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATI9YE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 07:11 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2008-03-08 15:52 2594224 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2008-03-11 17:30 243072 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 01:15 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 01:15 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-11-28 14:12 222720 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{38B1A04E-A897-4B53-BB14-7418D2D2AC5C}C:\\users\\scott\\program files\\utorrent\\utorrent.exe"= UDP:C:\users\scott\program files\utorrent\utorrent.exe:utorrent.exe
"UDP Query User{6BD45AE4-C9A8-4F2C-B506-1502AD5C975F}C:\\users\\scott\\program files\\utorrent\\utorrent.exe"= TCP:C:\users\scott\program files\utorrent\utorrent.exe:utorrent.exe
"{ED13F298-6B08-4201-8674-A50834ACC569}"= UDP:14444:utorrent
"{AAC41441-F976-4BAB-BB2E-982E22A5B047}"= TCP:14444:utorrent
"{21D0C3F0-7550-4BD6-BAAB-22E5E9AA55E5}"= UDP:C:\Users\Scott\Program Files\uTorrent\uTorrent.exe:µTorrent
"{C80CD74D-AB31-4F25-BD20-B1410FCDC0F3}"= TCP:C:\Users\Scott\Program Files\uTorrent\uTorrent.exe:µTorrent
"{F3863C16-564A-4F6D-A82D-546CD1382D57}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{49B292F1-C9FB-4449-B264-E503BD8D52BA}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F63335E0-9DA2-4D32-9290-0DBF7ACDD0CB}"= UDP:C:\Program Files\Orb Networks\Orb\bin\Orb.exe:Orb
"{6B30BB90-EF92-4908-B661-9E64DDC8C215}"= TCP:C:\Program Files\Orb Networks\Orb\bin\Orb.exe:Orb
"{A1932CAC-3AD3-43B0-927D-830FC9C325D7}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{0EEAA0A3-F14A-4F0E-AF23-699A568CCE36}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{6DF4984C-19D2-4E07-95AC-57D6418FAA2D}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{CCBC6E24-AD93-4197-89AC-C72DE6E552AB}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{B15F8E10-48A4-4B9B-9C3F-91206175718F}"= UDP:C:\Program Files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{F9540578-331C-4FF0-9286-16096B8E6BD1}"= TCP:C:\Program Files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{CF0F4A96-D828-4827-94CF-9A7EB1B2670C}"= UDP:C:\Program Files\Orb Networks\Orb\bin\OrbChannelScan.exe:OrbChannelScan
"{497CE2CF-5499-49E0-89A7-DEB2FD6EC571}"= TCP:C:\Program Files\Orb Networks\Orb\bin\OrbChannelScan.exe:OrbChannelScan
"{9B425107-8617-4C77-B6D1-BB92E8CAC247}"= C:\Program Files\Windows Live\Messenger\wlcsdk.exe:Windows Live Messenger (Phone)
"{5B5635A6-F8E8-4308-9373-180161E0EFCA}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\RM.exe:Render Manager
"{C55FF4CD-77E3-41CD-B3DF-65D271972880}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\RM.exe:Render Manager
"{6D2C8490-05C1-4CBC-B56A-CE139D2F28ED}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe:Studio
"{A96AFFBC-762B-44EC-B523-362FCB86162D}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\Studio.exe:Studio
"{A2017AB2-2A7C-474A-B24A-B045EC744D08}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:PMSRegisterFile
"{440943C1-4C29-4128-9699-692FF2BB8EEC}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\PMSRegisterFile.exe:PMSRegisterFile
"{ED3457AA-404F-48A7-8DBD-456D28376B9B}"= UDP:C:\Program Files\Pinnacle\Studio 11\programs\umi.exe:umi
"{B6EEEC4A-D095-47E5-AD66-B0154346980E}"= TCP:C:\Program Files\Pinnacle\Studio 11\programs\umi.exe:umi
"{AC7828F7-D563-4709-9922-4BC812E691C0}"= UDP:3703:Adobe Version Cue CS3 Server
"{96CDAD8B-8E52-4C6B-8F79-36E014DF87D2}"= UDP:3704:Adobe Version Cue CS3 Server
"{5B9B8B44-2CF3-4A9A-8362-7BAAEAE07685}"= UDP:50900:Adobe Version Cue CS3 Server
"{7D64EFF9-8736-4396-9A28-CCC790186551}"= UDP:50901:Adobe Version Cue CS3 Server
"{A6AB4499-62B3-4F3E-83DC-0675C69E8FBC}"= UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{46D468CC-1552-40E3-B354-59FB53563E06}"= TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{3910CA99-20CD-49F1-95DF-31A0DFEF40E3}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{0C5B8293-F35C-453E-B98E-FE04A9BD1BC8}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{F1F1105A-7479-459C-8E1A-0A2700CB64B9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8D1C8EB0-E20A-42DC-B244-8AE5948EF888}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{FFB94416-2769-477B-B6F6-FA06D95920C8}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{BF6B9468-4CD6-4453-B0FD-B763300ED4EF}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{1CE52F1D-6813-44EA-B6C4-40F38104A02F}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{CB17BCE3-D45A-4907-9E07-19B667949671}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{88AD49B3-448D-40C0-8A40-B53AFF48D178}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{406201F1-124F-4FFB-A695-788A76AD620A}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{47DB9E4A-7887-409D-80A6-E4EB47502913}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5A61FD86-EFC7-467A-86BD-1039F58D54CD}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{01BF2DF4-2CD4-4A36-BCB4-6CFB20553707}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{92E5C759-E3E5-48EC-9558-E1A6726BAD8D}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{3ED4A772-AFFF-4D0F-98FA-467FB54D4521}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{DC08BD25-35EC-4FEF-B071-485A3B9332EA}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\ImApp.exe:IncrediMail
"{DA740D35-178C-417B-AD63-3177891CCD73}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{29823646-C8FC-4FCC-914E-D067493F9176}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{9BFD69B5-C6C2-4711-9865-BF08BA36A3C7}"= Disabled:UDP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail
"{13B66C1C-3640-432C-9F82-76C27901E8DF}"= Disabled:TCP:C:\Program Files\IncrediMail\bin\IncMail.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\Windows\system32\DRIVERS\AmdAcpi.sys [2006-09-05 16:04]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080325.002\IDSvix86.sys [2008-02-13 16:18]
R3 AmdTools;AMD Special Tools Driver;C:\Windows\system32\DRIVERS\AmdTools.sys [2006-08-24 15:37]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 13:39]
S3 Navcar;Navman In-car Navigator USB Driver Service;C:\Windows\system32\DRIVERS\Navcar.sys [2006-09-18 12:48]
S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010004};PCD5SRVC{8A863ACB-F5F6CC6A-05010004} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [2006-11-18 00:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 20:32:03 C:\Windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-03-24 20:51:38 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Scott.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 20:32:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PSIService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
.
**************************************************************************
.
Completion time: 2008-03-29 20:36:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-29 20:36:09
ComboFix2.txt 2008-03-29 16:20:13
Pre-Run: 73,829,945,344 bytes free
Post-Run: 73,599,942,656 bytes free
.
2008-03-21 19:18:24 --- E O F ---









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37:00, on 29/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Windows\system32\notepad.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - K:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "K:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Append to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://K:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us...an/pestscan.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us...nfo/webscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\Windows\system32\drivers\pclepci.sys
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 13389 bytes
  • 0

#8
andrewuk
Posted 29 March 2008 - 04:04 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
in this post we will do some scans to ensure we have got everything.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.

Hi, can't remeber if I disabled UAC - shall I turn it back on?

it certainly improves security if you do - your call.


====STEP 1====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


====STEP 2====
i can see you already have SUPERantispyware, so we will update it and run another scan.

Double-click the SUPERantispyware icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


In your next reply could i see:
1. the malwarebytes log
2. the SUPERantispyware log
3. the kaspersky log

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#9
battison10
Posted 30 March 2008 - 02:04 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
On it now!! Will post all the logs back asap, one thing I need to point out is when scanning with superantispyware and with only the items which you say to check, the scan takes for ever and seems to keep scanning the same files over and over again. Is this normal?
  • 0

#10
battison10
Posted 30 March 2008 - 04:17 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
1st log

Malwarebytes' Anti-Malware 1.09
Database version: 568

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 238691
Time elapsed: 1 hour(s), 37 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

Advertisements

#11
battison10
Posted 30 March 2008 - 05:08 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
Stopped the superantispyware scan as it was scanning the same files over and over again, but here is the log anyway.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/30/2008 at 12:05 PM

Application Version : 4.0.1154

Core Rules Database Version : 3427
Trace Rules Database Version: 1419

Scan type : Complete Scan
Total Scan Time : 00:47:44

Memory items scanned : 679
Memory threats detected : 0
Registry items scanned : 7796
Registry threats detected : 0
File items scanned : 75210
File threats detected : 0


now going to do the final one!!
  • 0

#12
battison10
Posted 30 March 2008 - 08:13 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
Final scan now done!!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 30, 2008 3:10:45 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/03/2008
Kaspersky Anti-Virus database records: 673066
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 234803
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:40:23

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.310.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.310.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010022.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010024.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010028.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010031.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010033.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy2066.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfBE7D.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\NtfBE7E.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
C:\ProgramData\Symantec\Common Client\settings.dat Object is locked skipped
C:\ProgramData\Symantec\LiveUpdate\2008-03-30_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\ProgramData\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtETmp\DFF29217.TMP Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtETmp\F720FC9C.TMP Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\ProgramData\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\ProgramData\Symantec\SubEng\submissions.idx Object is locked skipped
C:\ProgramData\Symantec\SymNetDrv\SNDALRT.log Object is locked skipped
C:\ProgramData\Symantec\SymNetDrv\SNDCON.log Object is locked skipped
C:\ProgramData\Symantec\SymNetDrv\SNDDBG.log Object is locked skipped
C:\ProgramData\Symantec\SymNetDrv\SNDFW.log Object is locked skipped
C:\ProgramData\Symantec\SymNetDrv\SNDIDS.log Object is locked skipped
C:\ProgramData\Symantec\SymNetDrv\SNDSYS.log Object is locked skipped
C:\QooBox\Quarantine\C\Windows\System32\cbxxxxw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Scott\AppData\Local\Google\GoogleEarth\dbCache.dat Object is locked skipped
C:\Users\Scott\AppData\Local\Google\GoogleEarth\dbCache.dat.index Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008033020080331\index.dat Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\UsrClass.dat{1f4dc336-0246-11dc-88d4-001a926a8d4c}.TM.blf Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\UsrClass.dat{1f4dc336-0246-11dc-88d4-001a926a8d4c}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Scott\AppData\Local\Microsoft\Windows\UsrClass.dat{1f4dc336-0246-11dc-88d4-001a926a8d4c}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Scott\AppData\Local\Temp\~DF1A04.tmp Object is locked skipped
C:\Users\Scott\AppData\Local\Temp\~DFAF43.tmp Object is locked skipped
C:\Users\Scott\AppData\Roaming\IDM\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Users\Scott\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Scott\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-30-2008( 9-29-15 ).LOG Object is locked skipped
C:\Users\Scott\ntuser.dat Object is locked skipped
C:\Users\Scott\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Scott\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Scott\ntuser.dat{92b2e274-f91e-11dc-92dc-001a926a8d4c}.TM.blf Object is locked skipped
C:\Users\Scott\ntuser.dat{92b2e274-f91e-11dc-92dc-001a926a8d4c}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Scott\ntuser.dat{92b2e274-f91e-11dc-92dc-001a926a8d4c}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\SC261ED4E.tmp Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{d8932e65-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat{92b2e270-f91e-11dc-92dc-001a926a8d4c}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat{92b2e270-f91e-11dc-92dc-001a926a8d4c}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat{92b2e270-f91e-11dc-92dc-001a926a8d4c}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{B08C5927-1F2D-4E16-8E83-84DCD0694CAE}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\components Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\default Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\sam Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\security Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\software Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\system Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{92b2e258-f91e-11dc-92dc-001a926a8d4c}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{92b2e258-f91e-11dc-92dc-001a926a8d4c}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{92b2e258-f91e-11dc-92dc-001a926a8d4c}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{92b2e258-f91e-11dc-92dc-001a926a8d4c}.TxR.blf Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#13
andrewuk
Posted 30 March 2008 - 10:47 AM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

one thing I need to point out is when scanning with superantispyware and with only the items which you say to check, the scan takes for ever and seems to keep scanning the same files over and over again. Is this normal?

not normal, but i have known the scan to take over 3 hours.

the malwarebytes scan cleared out remnants infections, the SUPERantispyware scan (as far as it got) was clean and the kaspersky scan only found an item safely quarantined and one of the fix tools we used.

so, looking pretty good :)

how is your machine running now?

andrewuk
  • 0

#14
battison10
Posted 30 March 2008 - 10:57 AM

battison10

    Member

  • Topic Starter
  • Member
  • PipPip
  • 81 posts
computer running fine and everything seems to be ok now, thanks very much for your help without guys like you there would be a lot of formatting drive c to get rid of these problems!! Just out of interest I am thinking of changing my antivirus/firewall software from norton internet security, is there one which you would recommend as a replacement?

Once again, thank you.

Edited by battison10, 30 March 2008 - 11:08 AM.

  • 0

#15
andrewuk
Posted 30 March 2008 - 03:55 PM

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi battison10

congratulations, your logs are clean :)

in this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
clearing the fix tools and resetting the restore points:

Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
If you have trouble with this, let me know and we will clear away the fix tools and reset your restore points another way

you can clear away the other fixt tools we used


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP