
Malware Problem [RESOLVED]

#1 greenshorts (Member, 33 posts)

Hi Guys,

My g/f recently downloaded some dodgy programs and now my computer keeps getting pop ups, has slowed right down and even opens up random programs every now and again.
I've used Ad-Aware, AVG and Spybot to try and get rid of this problem, but to no avail!
I'd be grateful for any help!

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:40:28, on 27/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\adwtkvwd\ctwjcxwr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
C:\Windows\PixArt\Pac7311\Monitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\hdmictpz\fmtqtchc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jason\Downloads\VundoFix.exe
C:\Users\Jason\Downloads\HiJackThis.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4591 bytes


Uninstall List

4oD
ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AVG 7.5
BT Broadband Desktop Help Upgrade Advisor
BT Broadband Talk Softphone 3.1
BT Yahoo! Applications
Conexant HD Audio
Digital Effects for MSN Messenger
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Firebird SQL Server - MAGIX Edition
Flickr Uploadr 3.0.5
FlightGear v1.0.0
Hauppauge WinTV2000
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
iLike Sidebar
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 3
Keyboard Manager Utility
Lexmark 3500-4500 Series
Lexmark Fax Solutions
Map Button (Windows Live Toolbar)
Microsoft Office Excel Viewer 2003
Microsoft Office Word Viewer 2003
Microsoft Picture It! Photo Standard 9
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.13)
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 Parser and SDK
neroxml
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.5
Nokia Map Loader
Nokia Multimedia Factory
Nokia Multimedia Factory
Nokia PC Suite
Nokia PC Suite
Nokia Software Updater
OpenOffice.org 2.0
PC Connectivity Solution
PC VGA Camera
Power2Go 5.0
QuickTime
Ralink Wireless LAN Card
Safari
SecondLife (remove only)
Smart Menus (Windows Live Toolbar)
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Text Messenger Gadget
VCRedistSetup
Windows Driver Package - Nokia Modem (08/03/2007 3.2)
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Player Firefox Plugin
WinRAR archiver

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello greenshorts

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


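What a helper actually looks for once the DSS main.txt comes back is a short list of patterns in the "Running processes" and O4 (Run-key) lines: anything launched out of a Temp directory, rundll32 loading a DLL that lives outside the Windows or Program Files trees, any value under HKLM\..\Policies\Explorer\Run, a per-user (HKCU) Run value pointing straight into system32, and binaries sitting in a random-looking directory directly under ProgramData. The script below is an added example that applies those rules to a handful of lines copied from the logs posted in this thread; it is not code from the thread, from HijackThis, or from DSS. The randomness test and the "trusted directory" list are my own simple heuristics, and the two legitimate entries kept as controls (IgfxTray under HKLM, WindowsWelcomeCenter under the LOCAL SERVICE hive) are there to show what must not be flagged.

```python
"""Triage of HijackThis-style autostart entries (added example, not from the thread)."""
import re

# Subset of lines copied from the logs in this thread, plus two legitimate entries
# (IgfxTray, WindowsWelcomeCenter) kept as controls that the rules must not flag.
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\taskeng.exe
C:\ProgramData\adwtkvwd\ctwjcxwr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\ProgramData\hdmictpz\fmtqtchc.exe
C:\Users\Jason\Downloads\HiJackThis.exe

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jason\AppData\Local\Temp\pmkjg.dll,#1
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [hdmictpz] C:\ProgramData\hdmictpz\fmtqtchc.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jason\AppData\Local\Temp\xxwxx.dll,c
O4 - HKCU\..\Run: [BMa9fbb516] Rundll32.exe "C:\Users\Jason\AppData\Local\Temp\bdjnhkow.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [Cg2GRfoAYn] C:\ProgramData\adwtkvwd\ctwjcxwr.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# First absolute path (drive letter or %VAR%) ending in an executable extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z]+%)\\[^",]*?\.(?:exe|dll|com|bat|scr|cmd|pif)\b', re.I)
# Command that starts with rundll32 (bare or with a full path); group 1 is the rest.
RUNDLL_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROGRAMDATA_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\([^\\]+)\\", re.I)
HKCU_SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\system32\\[^\\]+$", re.I)
# Heuristic (assumption): DLLs under these roots are not flagged for the rundll32 rule.
TRUSTED_DLL_DIR_RE = re.compile(r"^(?:[A-Za-z]:\\Windows\\|[A-Za-z]:\\Program Files|[A-Za-z]:\\PROGRA~|%)", re.I)


def looks_random(name):
    """Heuristic: lowercase letters only, 6+ long, and either no vowels or a 4-consonant run."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    return not re.search(r"[aeiou]", name) or bool(re.search(r"[b-df-hj-np-tv-z]{4}", name))


def split_command(cmd):
    """Return (launcher, target_path); launcher is 'rundll32' when the value uses it."""
    m = RUNDLL_RE.match(cmd)
    text = m.group(1) if m else cmd
    p = PATH_RE.search(text)
    return ("rundll32" if m else None), (p.group(0) if p else None)


def flag_path(path, hive=None, via_rundll32=False):
    """Return the reasons a launched path looks suspicious (empty list means clean)."""
    reasons = []
    if re.search(r"\\Temp\\", path, re.I) or path.upper().startswith("%TEMP%"):
        reasons.append("runs from a Temp directory")
    if via_rundll32 and not TRUSTED_DLL_DIR_RE.match(path):
        reasons.append("rundll32 loading a DLL outside the Windows/Program Files trees")
    m = PROGRAMDATA_RE.match(path)
    if m and looks_random(m.group(1)):
        reasons.append(f"random-looking ProgramData directory '{m.group(1)}'")
    if hive and hive.upper().startswith("HKCU") and HKCU_SYSTEM32_RE.match(path):
        reasons.append("per-user Run value launching directly from system32")
    return reasons


def triage_entry(hive, cmd):
    """Apply the O4 rules to one Run value; the Policies key is suspicious on its own."""
    launcher, target = split_command(cmd)
    reasons = []
    if "policies\\explorer\\run" in hive.lower():
        reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")
    if target:  # a bare DLL name (e.g. oobefldr.dll) resolves via the system search path
        reasons.extend(flag_path(target, hive=hive, via_rundll32=(launcher == "rundll32")))
    return reasons


def triage_log(text):
    """Walk a HijackThis log; return [(label, command, reasons)] for flagged lines only."""
    findings, in_processes = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
                continue
            if reasons := flag_path(line):
                findings.append(("process", line, reasons))
            continue
        if (m := O4_RE.match(line)) and (reasons := triage_entry(m["hive"], m["cmd"])):
            findings.append((f"O4 {m['hive']} [{m['name']}]", m["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for label, cmd, reasons in triage_log(SAMPLE_LOG):
        print(f"{label}\n    {cmd}\n    -> " + "; ".join(reasons))
```

Run against the sample it flags the two ProgramData processes and seven of the eleven O4 values (the three Temp DLLs loaded through rundll32, the two HKCU values pointing into system32, the ProgramData entry and the Policies\Explorer\Run entry) and leaves the AVG, Spybot, Defender, Intel and Welcome Center entries alone. The name heuristic is deliberately conservative (only all-lowercase, vowel-poor names), so it is a starting point for a human reader rather than a verdict; the DSS "Files created" section, with its creation timestamps, is what confirms which of the flagged files appeared together.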
#3 greenshorts (Topic Starter, Member, 33 posts)

Thanks for the fast reply.

Main:

Deckard's System Scanner v20071014.68
Run by Jason on 2008-03-27 17:18:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 1 Restore Point(s) --
1: 2008-03-27 16:03:10 UTC - RP175 - malware


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jason.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:38, on 27/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\adwtkvwd\ctwjcxwr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
C:\Windows\PixArt\Pac7311\Monitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\hdmictpz\fmtqtchc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\rundll32.exe
C:\Users\Jason\Desktop\dss.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\ProgramData\hdmictpz\fmtqtchc.exe
C:\Users\Jason\DOWNLO~1\Jason.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.thetechguys.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BTHelena_McciTrayApp] C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC7311\Monitor.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jason\AppData\Local\Temp\pmkjg.dll,#1
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [hdmictpz] C:\ProgramData\hdmictpz\fmtqtchc.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jason\AppData\Local\Temp\xxwxx.dll,c
O4 - HKCU\..\Run: [BMa9fbb516] Rundll32.exe "C:\Users\Jason\AppData\Local\Temp\bdjnhkow.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [Cg2GRfoAYn] C:\ProgramData\adwtkvwd\ctwjcxwr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10216 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 BDA_Capture_220A (Digital-TV receiver Driver 3.0.1.18) - c:\windows\system32\drivers\bda_capture_220a.sys <Not Verified; WideViewer Electronics CO., LTD; BDA Driver For Digital TV>
S3 BDA_Loader_220A (Digital-TV Receiver Firmware Loader 6.7.10.0) - c:\windows\system32\drivers\bda_loader_220a.sys <Not Verified; WideView Technology Inc.; Digital TV Receiver>
S3 NuVision (Hauppauge WinTV USB Pro (PAL I,D/K)) - c:\windows\system32\drivers\nuvision.sys <Not Verified; Hauppauge Computer Works; WinTV USB>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S3 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S3 UPnPService - c:\program files\common files\magix shared\upnpservice\upnpservice.exe <Not Verified; Magix AG; UPnPService Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia Windows Portable Device Driver
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia 6270
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0002
Manufacturer: Nokia
Name: Nokia 6280
PNP Device ID: ROOT\WPD\0002
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia N73
Device ID: ROOT\WPD\0003
Manufacturer: Nokia
Name: Nokia N73
PNP Device ID: ROOT\WPD\0003
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-03-26 23:29:10 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{0D9D18D2-1289-4143-BC59-7FDC01795ADB}.job


-- Files created between 2008-02-27 and 2008-03-27 -----------------------------

2008-03-27 16:16:24 0 d-------- C:\VundoFix Backups
2008-03-27 14:24:29 318 --a------ C:\delete.bat
2008-03-27 11:09:41 110592 --a------ C:\Windows\system32\butcbovu.exe
2008-03-27 11:02:53 0 d-------- C:\Program Files\Lavasoft
2008-03-27 11:00:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 00:09:56 4096 --a------ C:\Windows\userconfig9x.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32winlogonpc.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32temp#01.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32taack.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32taack.dat
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32ssvchost.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32ssvchost.com
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32ssurf022.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32sncntr.exe
2008-03-27 00:09:56 0 d-------- C:\Windows\system32smp
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32regm64.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32regc64.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32psoft1.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32psof1.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32ps1.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32netode.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32mwin32.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32mtr2.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32msvchost.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32msnbho.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32msgp.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32medup020.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32medup012.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32hxiwlgpm.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32hxiwlgpm.dat
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32hoproxy.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32h@tkeysh@@k.dll
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32dpcproxy.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\system32bsva-egihsg52.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\iTunesMusic.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\FVProtect.exe
2008-03-27 00:09:56 4096 --a------ C:\Windows\a.bat
2008-03-27 00:09:55 4096 --a------ C:\Windows\winsystem.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32WINWGPX.EXE
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32winsystem.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32vcatchpi.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32vbsys2.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32thun32.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32thun.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32sysreq.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32Rundl1.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32newsd32.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32mssecu.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32emesx.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32bdn.com
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32awtoolb.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32anticipator.dll
2008-03-27 00:09:55 4096 --a------ C:\Windows\system32akttzn.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\mssecu.exe
2008-03-27 00:09:55 4096 --a------ C:\Windows\bdn.com
2008-03-27 00:09:46 94208 --a------ C:\Windows\system32\wbepirif.exe
2008-03-27 00:09:15 323584 --a------ C:\Windows\dwnrpofk.dll
2008-03-26 22:29:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-26 17:51:16 0 d-------- C:\Program Files\OpenOffice.org 2.0
2008-03-26 12:45:13 0 d-------- C:\Program Files\Common Files\BTHelena
2008-03-26 12:45:09 0 d-------- C:\Program Files\BBDesktopHelpUpgradeAdvisor
2008-03-26 12:42:51 0 d-------- C:\Program Files\BT Broadband Talk Softphone
2008-03-26 01:58:17 0 d-------- C:\Program Files\Safari
2008-03-26 01:56:53 0 d-------- C:\Program Files\iPod
2008-03-26 01:55:04 0 d-------- C:\Program Files\QuickTime
2008-03-26 01:28:05 0 d-------- C:\PerfLogs
2008-03-26 01:10:48 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-26 00:49:55 0 d-------- C:\96c96424a564ed5d90617475d7f4b5
2008-03-25 11:18:58 0 d-------- C:\Program Files\SecondLife
2008-03-20 18:50:59 0 d-------- C:\Program Files\Windows Live Toolbar
2008-03-20 18:50:52 0 d-------- C:\Program Files\Windows Live Favorites
2008-03-20 18:50:03 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-18 21:31:16 0 d-------- C:\Program Files\FlightGear
2008-03-18 20:22:11 0 d--h----- C:\Windows\msdownld.tmp
2008-03-18 20:22:00 0 d-------- C:\Windows\system32\directx
2008-03-18 19:27:50 0 d-------- C:\Program Files\uTorrent
2008-03-03 23:54:01 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-03 19:15:40 921 --a------ C:\Windows\QSFVExit.bat
2008-02-28 21:55:34 0 d-------- C:\Program Files\Flickr Uploadr


-- Find3M Report ---------------------------------------------------------------

2008-03-27 16:01:27 0 d-------- C:\Users\Jason\AppData\Roaming\OpenOffice.org2
2008-03-27 15:53:16 0 d-------- C:\Users\Jason\AppData\Roaming\uTorrent
2008-03-27 15:53:15 0 d-------- C:\Users\Jason\AppData\Roaming\AVG7
2008-03-27 11:00:32 0 d-------- C:\Program Files\Common Files
2008-03-27 00:46:57 0 d-------- C:\Users\Jason\AppData\Roaming\Skinux
2008-03-26 17:57:29 0 d-------- C:\Users\Jason\AppData\Roaming\PeerNetworking
2008-03-26 17:56:46 598829 --a------ C:\Users\Jason\AppData\Roaming\UserTile.png
2008-03-26 17:38:11 0 d-------- C:\Program Files\Microsoft Works
2008-03-26 13:04:26 0 d-------- C:\Users\Jason\AppData\Roaming\Apple Computer
2008-03-26 12:43:00 0 d-------- C:\Users\Jason\AppData\Roaming\BT
2008-03-26 12:35:37 0 d-------- C:\Program Files\Yahoo!
2008-03-26 01:57:01 0 d-------- C:\Program Files\iTunes
2008-03-26 01:40:17 174 --ahs---- C:\Program Files\desktop.ini
2008-03-26 01:32:12 0 d-------- C:\Program Files\Windows Sidebar
2008-03-26 01:32:12 0 d-------- C:\Program Files\Windows Calendar
2008-03-26 01:32:11 0 d-------- C:\Program Files\Movie Maker
2008-03-26 01:32:09 0 d-------- C:\Program Files\Windows Mail
2008-03-26 01:32:07 0 d-------- C:\Program Files\Windows Collaboration
2008-03-26 01:32:06 0 d-------- C:\Program Files\Windows Journal
2008-03-26 01:32:05 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-26 01:31:54 0 d-------- C:\Program Files\Windows Defender
2008-03-25 11:21:15 0 d-------- C:\Users\Jason\AppData\Roaming\SecondLife
2008-03-25 11:21:04 0 d-------- C:\Users\Jason\AppData\Roaming\Mozilla
2008-03-25 11:09:39 0 d-------- C:\Users\Jason\AppData\Roaming\Nokia Multimedia Player
2008-03-19 19:01:56 0 d-------- C:\Users\Jason\AppData\Roaming\flightgear.org
2008-03-05 18:36:39 0 d-------- C:\Program Files\BT Auto Backup
2008-03-04 21:08:30 3008 --a------ C:\Users\Jason\AppData\Roaming\wklnhst.dat
2008-03-04 13:34:17 5152 --a------ C:\Windows\ouwininit.exe
2008-03-03 19:46:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-03 19:39:38 0 d-------- C:\Program Files\Microsoft Games
2008-03-03 19:21:49 0 d-------- C:\Program Files\Common Files\Nero
2008-03-03 19:17:03 32 --a------ C:\Windows\0
2008-02-28 21:58:58 0 d-------- C:\Users\Jason\AppData\Roaming\Flickr
2008-02-26 00:31:23 0 d-------- C:\Program Files\Nokia
2008-02-06 17:27:20 0 d-------- C:\Users\Jason\AppData\Roaming\Atari
2008-02-03 11:02:28 0 d-------- C:\Program Files\iLike
2008-02-03 11:00:19 0 d-------- C:\Users\Jason\AppData\Roaming\WinRAR
2008-02-03 10:54:59 0 d-------- C:\Program Files\QuickSFV
2008-01-29 14:59:10 0 d-------- C:\Program Files\WinTV
2008-01-27 11:59:50 0 d-------- C:\Program Files\DivX
2008-01-15 18:55:45 230432 --a------ C:\PA7311.DAT
2008-01-08 17:50:42 0 --a------ C:\Windows\system32\0
2008-01-04 21:58:50 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-01-04 21:57:22 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 21:57:22 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 21:57:12 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 21:57:10 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 21:57:10 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 21:57:10 682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 21:56:24 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [18/01/2008 23:38]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [27/10/2006 12:50]
"Keyboard Manager Utility"="C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [11/01/2007 18:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [21/12/2007 10:45]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [07/05/2007 18:07]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [05/03/2007 12:40]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [07/05/2007 18:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"BTHelena_McciTrayApp"="C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe" [17/07/2007 10:26]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"Monitor"="C:\Windows\PixArt\PAC7311\Monitor.exe" [03/11/2006 11:01]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 17:07]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/01/2008 17:06]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/01/2008 17:07]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 23:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 13:10]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [18/01/2008 23:33]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [18/01/2008 23:33]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [13/09/2007 11:34]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [18/06/2007 09:39]
"MSServer"="C:\Users\Jason\AppData\Local\Temp\pmkjg.dll,#1" []
"ualyrvci"="C:\Windows\system32\wbepirif.exe" [27/03/2008 00:09]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]
"xciczcbw"="C:\Windows\system32\butcbovu.exe" [27/03/2008 11:09]
"hdmictpz"="C:\ProgramData\hdmictpz\fmtqtchc.exe" [27/03/2008 14:48]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [10/12/2007 10:12]
"cmds"="C:\Users\Jason\AppData\Local\Temp\xxwxx.dll,c" []
"BMa9fbb516"="C:\Users\Jason\AppData\Local\Temp\bdjnhkow.dll,s" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2/26/2006 5:19:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Cg2GRfoAYn"=C:\ProgramData\adwtkvwd\ctwjcxwr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 13/11/2007 16:54 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597b7401-e5f0-11dc-813a-101111111111}]
AutoRun\command- copetttt.com
explore\Command- copetttt.com
open\Command- copetttt.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e316af-da6b-11dc-9a6b-101111111111}]
AutoRun\command- copetttt.com
explore\Command- copetttt.com
open\Command- copetttt.com


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8073 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-27 17:24:43 ------------



Extra:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5300 @ 1.73GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 2037.45 MiB / 1092.18 MiB
Pagefile Memory (total/avail): 4314.18 MiB / 3070.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1849.62 MiB

C: is Fixed (NTFS) - 104.95 GiB total, 64.65 GiB free.
E: is CDROM (No Media)
S: is Fixed (NTFS) - 1.46 GiB total, 1.42 GiB free.

\\.\PHYSICALDRIVE0 - Hitachi HTS541612J9SA00 ATA Device - 111.79 GiB - 3 partitions
\PARTITION0 - Unknown - 5.37 GiB
\PARTITION1 (bootable) - Installable File System - 1500 MiB - S:
\PARTITION2 - Installable File System - 104.95 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: AVG 7.5.519 v7.5.519 (Grisoft)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Jason\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JASON-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Jason
LOCALAPPDATA=C:\Users\Jason\AppData\Local
LOGONSERVER=\\JASON-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Jason\AppData\Local\Temp
TMP=C:\Users\Jason\AppData\Local\Temp
USERDOMAIN=Jason-PC
USERNAME=Jason
USERPROFILE=C:\Users\Jason
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Jason


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BT Broadband Desktop Help Upgrade Advisor --> "C:\Program Files\Common Files\BTHelena\uninstall.exe"
BT Broadband Talk Softphone 3.1 --> "C:\Program Files\BT Broadband Talk Softphone\unins000.exe"
BT Yahoo! Applications --> C:\Program Files\Yahoo!\Common\uninstall.exe
Conexant HD Audio --> C:\Program Files\CONEXANT\CNXT_HDAUDIO\HXFSETUP.EXE -U -ITW3Venza.inf
Digital Effects for MSN Messenger --> MsiExec.exe /I{F6466F13-8705-4408-A9B3-D915DF21FDD8}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Firebird SQL Server - MAGIX Edition --> C:\Program Files\MAGIX\Common\Database\instslct.exe /p
Flickr Uploadr 3.0.5 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
FlightGear v1.0.0 --> "C:\Program Files\FlightGear\unins000.exe"
Hauppauge WinTV2000 --> C:\PROGRA~1\WinTV\UNTV32.EXE C:\PROGRA~1\WinTV\WINTV2K.LOG
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_5045\HUFSetup.EXE -U -IDWSWTWz.inf
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2 --> "C:\Users\Jason\Downloads\HijackThis.exe" /uninstall
iLike Sidebar --> MsiExec.exe /X{72D037A4-D311-4250-B987-7D854760452C}
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Keyboard Manager Utility --> C:\Program Files\InstallShield Installation Information\{C99EF05C-A49C-4C8C-902B-BD4B96A6F3A8}\setup.exe -runfromtemp -l0x0409
Lexmark 3500-4500 Series --> C:\Program Files\Lexmark 3500-4500 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Microsoft Office Excel Viewer 2003 --> MsiExec.exe /I{90840409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Picture It! Photo Standard 9 --> C:\Windows\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0903}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.13) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia Lifeblog 2.5 --> MsiExec.exe /I{E94603CA-2996-4154-8EE2-A5FCD4BFB500}
Nokia Map Loader --> MsiExec.exe /I{03528A01-7E5E-4C5F-94DF-1D8012E969EF}
Nokia Multimedia Factory --> "C:\ProgramData\Installations\{4CFB3821-1582-4f3b-BF8D-30986923B36B}\Nokia_Multimedia_Factory_2_0.exe" /MAINTENANCE /SILENT="SWLPCER" /LANG="2057" /MSI_COMMON_OPTIONS="PCSLANG= MMFLANG=eng"
Nokia Multimedia Factory --> MsiExec.exe /I{4CFB3821-1582-4F3B-BF8D-30986923B36B}
Nokia PC Suite --> C:\ProgramData\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng.exe
Nokia PC Suite --> MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
Nokia Software Updater --> MsiExec.exe /X{FE5D756F-71E1-47C4-972A-D6775344B40B}
OpenOffice.org 2.0 --> MsiExec.exe /I{BF4C2438-CAFF-4DB0-BB77-48BB1781F313}
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PC VGA Camera --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{9F6C477B-12D6-43DB-BAD3-098E1D039FC1} /l1033
Power2Go 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Ralink Wireless LAN Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe" -l0x9 -removeonly
Safari --> MsiExec.exe /I{0AFC9710-5DD6-4C6A-BA52-91AE992B2C9D}
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}\setup.exe -runfromtemp -l0x0409
Text Messenger Gadget --> MsiExec.exe /I{DB6B4E03-63D2-41B7-9774-B87B923030A6}
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Driver Package - Nokia Modem (08/03/2007 3.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\pccs_bluetooth.inf_5f8b7288\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_7837a5db\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokia_bluetooth.inf_ee12375f\nokia_bluetooth.inf
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6034 / Success
Event Submitted/Written: 03/27/2008 03:57:39 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type6032 / Success
Event Submitted/Written: 03/27/2008 03:57:34 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type6030 / Success
Event Submitted/Written: 03/27/2008 03:57:18 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type6021 / Warning
Event Submitted/Written: 03/27/2008 03:50:50 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3206065437-719097110-3608468286-1000_Classes:
Process 920 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3206065437-719097110-3608468286-1000_CLASSES

Event Record #/Type6020 / Warning
Event Submitted/Written: 03/27/2008 03:50:48 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3206065437-719097110-3608468286-1000:
Process 920 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3206065437-719097110-3608468286-1000



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28398 / Warning
Event Submitted/Written: 03/27/2008 05:20:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Jason-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Jason-PC27 can't undo changes that you allow.

For more information please see the following:
%Jason-PC275

Scan ID: {E301C752-5492-4347-8D2A-6147F148A64B}

User: Jason-PC\Jason

Name: %Jason-PC271

ID: %Jason-PC272

Severity ID: %Jason-PC273

Category ID: %Jason-PC274

Path Found: %Jason-PC276

Alert Type: %Jason-PC278

Detection Type: 1.1.1600.02

Event Record #/Type28397 / Warning
Event Submitted/Written: 03/27/2008 05:20:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Jason-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Jason-PC27 can't undo changes that you allow.

For more information please see the following:
%Jason-PC275

Scan ID: {19EA04DE-5695-497C-BEA3-391C1566E1A4}

User: Jason-PC\Jason

Name: %Jason-PC271

ID: %Jason-PC272

Severity ID: %Jason-PC273

Category ID: %Jason-PC274

Path Found: %Jason-PC276

Alert Type: %Jason-PC278

Detection Type: 1.1.1600.02

Event Record #/Type28396 / Warning
Event Submitted/Written: 03/27/2008 05:20:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Jason-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Jason-PC27 can't undo changes that you allow.

For more information please see the following:
%Jason-PC275

Scan ID: {396B03F8-2FEE-4B0E-88B3-D17327377A83}

User: Jason-PC\Jason

Name: %Jason-PC271

ID: %Jason-PC272

Severity ID: %Jason-PC273

Category ID: %Jason-PC274

Path Found: %Jason-PC276

Alert Type: %Jason-PC278

Detection Type: 1.1.1600.02

Event Record #/Type28395 / Warning
Event Submitted/Written: 03/27/2008 05:20:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Jason-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Jason-PC27 can't undo changes that you allow.

For more information please see the following:
%Jason-PC275

Scan ID: {E91FA142-3830-49D5-9739-4A85AB85C245}

User: Jason-PC\Jason

Name: %Jason-PC271

ID: %Jason-PC272

Severity ID: %Jason-PC273

Category ID: %Jason-PC274

Path Found: %Jason-PC276

Alert Type: %Jason-PC278

Detection Type: 1.1.1600.02

Event Record #/Type28394 / Warning
Event Submitted/Written: 03/27/2008 05:20:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Jason-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Jason-PC27 can't undo changes that you allow.

For more information please see the following:
%Jason-PC275

Scan ID: {D07A9F31-611C-454B-AF24-EF07CED9C5AB}

User: Jason-PC\Jason

Name: %Jason-PC271

ID: %Jason-PC272

Severity ID: %Jason-PC273

Category ID: %Jason-PC274

Path Found: %Jason-PC276

Alert Type: %Jason-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-03-27 17:24:43 ------------
  • 0
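Several entries in the registry dump above stand apart from the rest of the Run keys: executables with random eight-letter names under ProgramData and system32 dated the day of the scan, DLLs in the user's Temp directory loaded by export or ordinal (pmkjg.dll,#1 and xxwxx.dll,c), an entry under the Explorer policy Run key, and two MountPoints2 keys whose cached autorun.inf handlers point at copetttt.com. The Python below is an added example, not code from the original post or from Deckard's System Scanner: it runs those triage heuristics over a constructed excerpt copied from the dump. The scan date, the eight-lowercase-letter pattern and the strong/weak scoring are assumptions of the example, not a signature for any malware family; the output is a list of entries worth examining, not a verdict.

```python
"""Triage heuristics for Run-key and MountPoints2 lines in a DSS-style registry dump.

Added example; the heuristics (random-name pattern, same-day timestamps,
strong/weak scoring) are assumptions of this example, not part of the scanner.
"""
import re
from datetime import datetime

# Date the posted scan was taken (from the log header); an assumption of the example.
SCAN_DATE = datetime(2008, 3, 27).date()

# Constructed excerpt copied from the registry dump posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [18/01/2008 23:38]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [05/03/2007 12:40]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/01/2008 17:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"="C:\Users\Jason\AppData\Local\Temp\pmkjg.dll,#1" []
"ualyrvci"="C:\Windows\system32\wbepirif.exe" [27/03/2008 00:09]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]
"hdmictpz"="C:\ProgramData\hdmictpz\fmtqtchc.exe" [27/03/2008 14:48]
"cmds"="C:\Users\Jason\AppData\Local\Temp\xxwxx.dll,c" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Cg2GRfoAYn"=C:\ProgramData\adwtkvwd\ctwjcxwr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597b7401-e5f0-11dc-813a-101111111111}]
AutoRun\command- copetttt.com
open\Command- copetttt.com
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.*?)\s*(?:\[(?P<stamp>[^\]]*)\])?$')
PATH_RE = re.compile(r'^"?(?P<p>[^"]*?\.(?:exe|dll|com|scr|bat)(?:,[^" ]*)?)', re.I)
MOUNT_RE = re.compile(r"^(?P<verb>\w+)\\[Cc]ommand-\s*(?P<cmd>\S+)$")
# Heuristic: exactly eight lowercase letters, the shape of the odd names in this thread.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def first_path(cmd: str) -> str:
    """Pull the launched file out of a value, dropping quotes and trailing arguments."""
    m = PATH_RE.match(cmd.strip())
    return m["p"] if m else cmd.strip().strip('"')


def assess(key: str, name: str, path: str, stamp):
    """Return (strong, weak) reason lists for one Run-key value."""
    strong, weak = [], []
    low = path.lower()
    parts = path.split("\\")
    stem = parts[-1].split(".")[0]
    parent = parts[-2] if len(parts) > 1 else ""
    if "\\temp\\" in low:
        strong.append("runs from a Temp directory")
    if ".dll" in low:
        strong.append("DLL invoked by export/ordinal (rundll32-style) rather than a program")
    if "policies\\explorer\\run" in key.lower():
        strong.append("autostart through the Explorer policy Run key")
    if RANDOM_NAME_RE.match(stem):
        weak.append("eight-letter random-looking filename")
    if RANDOM_NAME_RE.match(parent):
        weak.append("eight-letter random-looking parent directory")
    if RANDOM_NAME_RE.match(name) and name != stem:
        # Legitimate software usually names the value after the file; malware here did not.
        weak.append("eight-letter random-looking value name unrelated to the file")
    if stamp == "":
        weak.append("no file timestamp recorded")
    elif stamp:
        age = (SCAN_DATE - datetime.strptime(stamp, "%d/%m/%Y %H:%M").date()).days
        if 0 <= age <= 1:
            weak.append("file dated within a day of the scan")
    return strong, weak


def triage(dump: str) -> list:
    """Walk the dump and return the entries that merit a closer look."""
    findings, key, mount_hits = [], "", {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        if "mountpoints2" in key.lower():
            m = MOUNT_RE.match(line)
            if not m:
                continue
            hit = mount_hits.get((key, m["cmd"]))
            if hit is None:
                hit = {"key": key, "name": m["verb"], "path": m["cmd"],
                       "reasons": ["cached autorun.inf handler for a removable volume"]}
                mount_hits[(key, m["cmd"])] = hit
                findings.append(hit)
            else:
                hit["name"] += "/" + m["verb"]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        path = first_path(m["cmd"])
        strong, weak = assess(key, m["name"], path, m["stamp"])
        # One strong signal, or two independent weak ones, is enough to list the entry.
        if strong or len(weak) >= 2:
            findings.append({"key": key, "name": m["name"], "path": path,
                             "reasons": strong + weak})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f['name']:<16} {f['path']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Run as-is, the script lists MSServer, ualyrvci, hdmictpz, cmds, Cg2GRfoAYn and the MountPoints2 handler, and leaves Windows Defender, lxdiamon, NBKeyScan, IgfxTray and TeaTimer alone. The value-name check deliberately ignores names that match the file name, because vendor entries such as lxdiamon would otherwise score twice on one trait; igfxtray and igfxpers show why the eight-letter pattern alone is too weak to act on.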

#4
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
You are welcome :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#5
greenshorts
    Member
  • Topic Starter
  • Member
  • 33 posts
...

Edited by greenshorts, 27 March 2008 - 12:32 PM.

  • 0

#6
greenshorts
    Member
  • Topic Starter
  • Member
  • 33 posts
Reboot helped!

ComboFix 08-03-26.1 - Jason 2008-03-27 18:22:15.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1140 [GMT 0:00]
Running from: C:\Users\Jason\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 17:18 . 2008-03-27 17:18 <DIR> d-------- C:\Deckard
2008-03-27 16:16 . 2008-03-27 16:16 <DIR> d-------- C:\VundoFix Backups
2008-03-27 14:48 . 2008-03-27 15:53 <DIR> d-------- C:\ProgramData\hdmictpz
2008-03-27 14:24 . 2008-03-27 14:27 318 --a------ C:\delete.bat
2008-03-27 14:23 . 2008-03-27 14:23 1,066,176 --a------ C:\Windows\System32\mscomctl.ocx
2008-03-27 11:09 . 2008-03-27 11:09 110,592 --a------ C:\Windows\System32\butcbovu.exe
2008-03-27 11:02 . 2008-03-27 11:04 <DIR> d-------- C:\ProgramData\Lavasoft
2008-03-27 11:02 . 2008-03-27 11:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-27 11:00 . 2008-03-27 11:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 01:06 . 2008-03-27 15:53 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-27 01:06 . 2008-03-27 01:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 00:30 . 2008-03-27 00:30 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-03-27 00:09 . 2008-03-27 00:09 <DIR> d-------- C:\ProgramData\adwtkvwd
2008-03-26 22:29 . 2008-03-26 22:30 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-26 17:58 . 2008-03-27 17:53 <DIR> d-------- C:\Users\Jason\AppData\Roaming\OpenOffice.org2
2008-03-26 17:56 . 2008-03-26 17:57 <DIR> d-------- C:\Users\Jason\AppData\Roaming\PeerNetworking
2008-03-26 17:51 . 2008-03-26 17:51 <DIR> d-------- C:\Program Files\OpenOffice.org 2.0
2008-03-26 12:45 . 2008-03-26 12:45 <DIR> d-------- C:\Program Files\Common Files\BTHelena
2008-03-26 12:45 . 2008-03-26 12:45 <DIR> d-------- C:\Program Files\BBDesktopHelpUpgradeAdvisor
2008-03-26 12:43 . 2008-03-27 00:46 <DIR> d-------- C:\Users\Jason\AppData\Roaming\Skinux
2008-03-26 12:43 . 2008-03-26 12:43 <DIR> d-------- C:\Users\Jason\AppData\Roaming\BT
2008-03-26 12:42 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\BT Broadband Talk Softphone
2008-03-26 01:58 . 2008-03-26 01:58 <DIR> d-------- C:\Program Files\Safari
2008-03-26 01:57 . 2008-03-26 01:57 54,156 --ah----- C:\Windows\QTFont.qfn
2008-03-26 01:57 . 2008-03-26 01:57 1,409 --a------ C:\Windows\QTFont.for
2008-03-26 01:56 . 2008-03-26 01:56 <DIR> d-------- C:\Program Files\iPod
2008-03-26 01:55 . 2008-03-26 01:55 <DIR> d-------- C:\Program Files\QuickTime
2008-03-26 01:28 . 2008-03-26 01:28 <DIR> d-------- C:\PerfLogs
2008-03-26 01:10 . 2008-03-26 00:49 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-03-26 01:10 . 2008-03-26 00:49 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-03-26 00:56 . 2008-01-18 23:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
2008-03-26 00:56 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
2008-03-26 00:56 . 2008-01-18 23:36 142,336 --a------ C:\Windows\System32\spp.dll
2008-03-26 00:56 . 2008-01-18 23:36 28,160 --a------ C:\Windows\System32\sxproxy.dll
2008-03-26 00:56 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
2008-03-26 00:53 . 2008-01-18 23:36 2,588,160 --a------ C:\Windows\System32\UIHub.dll
2008-03-26 00:51 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-03-26 00:50 . 2008-03-26 01:12 196,608 --a------ C:\Windows\SPInstall.etl
2008-03-26 00:49 . 2008-03-26 00:49 <DIR> d-------- C:\96c96424a564ed5d90617475d7f4b5
2008-03-25 11:19 . 2008-03-25 11:21 <DIR> d-------- C:\Users\Jason\AppData\Roaming\SecondLife
2008-03-25 11:18 . 2008-03-25 11:22 <DIR> d-------- C:\Program Files\SecondLife
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-18 21:33 . 2008-03-19 19:01 <DIR> d-------- C:\Users\Jason\AppData\Roaming\flightgear.org
2008-03-18 21:31 . 2008-03-18 21:33 <DIR> d-------- C:\Program Files\FlightGear
2008-03-18 20:23 . 2007-07-19 18:14 3,727,720 --a------ C:\Windows\System32\d3dx9_35.dll
2008-03-18 20:22 . 2008-03-18 20:23 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-03-18 19:27 . 2008-03-27 15:53 <DIR> d-------- C:\Users\Jason\AppData\Roaming\uTorrent
2008-03-18 19:27 . 2008-03-18 19:27 <DIR> d-------- C:\Program Files\uTorrent
2008-03-04 18:55 . 2008-03-04 18:55 <DIR> d-------- C:\ProgramData\SSScanAppDataDir
2008-03-04 18:53 . 2006-10-26 19:58 30,512 --a------ C:\Windows\System32\mdimon.dll
2008-03-04 18:51 . 2008-03-04 18:51 <DIR> d-------- C:\ProgramData\MSScanAppDataDir
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-03 19:19 . 2008-03-03 19:19 0 --a------ C:\Windows\Irremote.ini
2008-03-03 19:15 . 2008-03-03 19:15 921 --a------ C:\Windows\QSFVExit.bat
2008-02-28 21:58 . 2008-02-28 21:58 <DIR> d-------- C:\Users\Jason\AppData\Roaming\Flickr
2008-02-28 21:55 . 2008-02-28 21:55 <DIR> d-------- C:\Program Files\Flickr Uploadr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 18:25 --------- d-----w C:\ProgramData\Kontiki
2008-03-27 15:53 --------- d-----w C:\Users\Jason\AppData\Roaming\AVG7
2008-03-26 17:38 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-26 17:38 --------- d-----w C:\Program Files\Microsoft Works
2008-03-26 13:04 --------- d-----w C:\Users\Jason\AppData\Roaming\Apple Computer
2008-03-26 12:35 --------- d-----w C:\Program Files\Yahoo!
2008-03-26 01:57 --------- d-----w C:\Program Files\iTunes
2008-03-26 01:40 174 --sha-w C:\Program Files\desktop.ini
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Mail
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Journal
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Calendar
2008-03-26 01:31 --------- d-----w C:\Program Files\Windows Defender
2008-03-26 01:17 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-26 01:17 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-25 11:09 --------- d-----w C:\Users\Jason\AppData\Roaming\Nokia Multimedia Player
2008-03-18 18:02 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-05 18:36 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-05 16:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 16:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 16:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 15:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 15:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-04 21:08 3,008 ----a-w C:\Users\Jason\AppData\Roaming\wklnhst.dat
2008-03-04 19:10 --------- d-----w C:\ProgramData\Lx_cats
2008-03-04 13:34 5,152 ----a-w C:\Windows\ouwininit.exe
2008-03-03 19:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 19:39 --------- d-----w C:\Program Files\Microsoft Games
2008-03-03 19:21 --------- d-----w C:\ProgramData\Nero
2008-03-03 19:21 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-26 00:31 --------- d-----w C:\Program Files\Nokia
2008-02-23 01:29 --------- d-----w C:\ProgramData\Installations
2008-02-19 09:51 --------- d-----w C:\ProgramData\App4rTemp
2008-02-13 11:31 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-06 17:27 --------- d-----w C:\Users\Jason\AppData\Roaming\Atari
2008-02-05 23:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-02-03 11:02 --------- d-----w C:\Program Files\iLike
2008-02-03 10:54 --------- d-----w C:\Program Files\QuickSFV
2008-01-29 14:59 --------- d-----w C:\Program Files\WinTV
2008-01-27 11:59 --------- d-----w C:\Program Files\DivX
2008-01-18 23:44 986,680 ----a-w C:\Windows\System32\winload.exe
2008-01-18 23:44 926,776 ----a-w C:\Windows\System32\winresume.exe
2008-01-18 23:43 614,968 ----a-w C:\Windows\System32\ci.dll
2008-01-18 23:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-01-18 23:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-01-18 23:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-01-18 23:43 247,352 ----a-w C:\Windows\System32\clfs.sys
2008-01-18 23:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2008-01-18 23:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2008-01-18 23:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2008-01-18 23:42 141,880 ----a-w C:\Windows\System32\halacpi.dll
2008-01-18 23:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2008-01-18 23:41 21,560 ----a-w C:\Windows\System32\kdusb.dll
2008-01-18 23:41 19,512 ----a-w C:\Windows\System32\kdcom.dll
2008-01-18 23:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL
2008-01-18 23:38 4,595,712 ----a-w C:\Windows\System32\AuthFWSnapin.dll
2008-01-18 23:38 242,744 ----a-w C:\Windows\System32\rsaenh.dll
2008-01-18 23:38 155,704 ----a-w C:\Windows\System32\dssenh.dll
2008-01-18 23:38 131,640 ----a-w C:\Windows\System32\basecsp.dll
2008-01-18 23:38 103,936 ----a-w C:\Windows\System32\NAPHLPR.DLL
2008-01-18 23:38 1,203,792 ----a-w C:\Windows\System32\ntdll.dll
2008-01-18 23:36 99,840 ----a-w C:\Windows\System32\ulib.dll
2008-01-18 23:35 98,304 ----a-w C:\Windows\System32\mssitlb.dll
2008-01-18 23:34 98,816 ----a-w C:\Windows\System32\mfps.dll
2008-01-18 23:33 98,304 ----a-w C:\Windows\System32\makecab.exe
2008-01-18 23:32 258,048 ----a-w C:\Windows\System32\winspool.drv
2008-01-18 23:32 21,504 ----a-w C:\Windows\System32\msacm32.drv
2008-01-18 23:32 166,912 ----a-w C:\Windows\System32\wdmaud.drv
2008-01-18 23:32 1,370,624 ----a-w C:\Windows\System32\Aurora.scr
2008-01-18 23:31 7,680 ----a-w C:\Windows\System32\spwizres.dll
2008-01-18 23:31 57,856 ----a-w C:\Windows\System32\nlsbres.dll
2008-01-18 23:31 118,272 ----a-w C:\Windows\System32\RDPENCDD.dll
2008-01-18 23:30 17,920 ----a-w C:\Windows\System32\netevent.dll
2008-01-18 23:29 705,536 ----a-w C:\Windows\System32\imagesp1.dll
2008-01-18 23:29 58,880 ----a-w C:\Windows\System32\msobjs.dll
2008-01-18 23:28 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-01-18 23:26 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-01-18 22:06 8,147,456 ----a-w C:\Windows\System32\wmploc.DLL
2008-01-18 22:01 14,336 ----a-w C:\Windows\System32\tsddd.dll
2008-01-18 22:01 134,656 ----a-w C:\Windows\System32\rdpdd.dll
2008-01-18 21:52 56,320 ----a-w C:\Windows\System32\vga256.dll
2008-01-18 21:52 21,504 ----a-w C:\Windows\System32\vga64k.dll
2008-01-18 21:52 11,776 ----a-w C:\Windows\System32\framebuf.dll
2008-01-18 21:52 10,752 ----a-w C:\Windows\System32\vga.dll
2008-01-18 21:50 14,848 ----a-w C:\Windows\System32\iscsilog.dll
2008-01-18 21:48 20,992 ----a-w C:\Windows\System32\msdtcVSp1res.dll
2008-01-18 21:48 1,291,264 ----a-w C:\Windows\System32\comres.dll
2008-01-18 21:46 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-18 21:39 13,312 ----a-w C:\Windows\System32\WsmRes.dll
2008-01-18 21:37 2,031,616 ----a-w C:\Windows\System32\win32k.sys
2008-01-18 21:36 289,792 ----a-w C:\Windows\System32\atmfd.dll
2008-01-18 21:33 56,320 ----a-w C:\Windows\System32\graftabl.com
2008-01-18 21:31 8,322,048 ----a-w C:\Windows\System32\spwizimg.dll
2008-01-18 21:27 8,704 ----a-w C:\Windows\System32\kd1394.dll
2008-01-18 21:26 605,696 ----a-w C:\Windows\System32\adtschema.dll
2008-01-18 19:17 100,043 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-01-15 18:55 230,432 ----a-w C:\PA7311.DAT
2008-01-05 03:36 195,122 ----a-w C:\Windows\System32\winrm.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 11:34 63024]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"ualyrvci"="C:\Windows\system32\wbepirif.exe" [2008-03-27 00:09 94208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"xciczcbw"="C:\Windows\system32\butcbovu.exe" [2008-03-27 11:09 110592]
"hdmictpz"="C:\ProgramData\hdmictpz\fmtqtchc.exe" [2008-03-27 14:48 98304]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]
"cmds"="C:\Users\Jason\AppData\Local\Temp\xxwxx.dll" [2008-03-27 11:39 273920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 12:50 815104]
"Keyboard Manager Utility"="C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-01-11 18:54 1359872]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:45 579072]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 18:07 435120]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 12:40 20480]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 18:10 312240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"BTHelena_McciTrayApp"="C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe" [2007-07-17 10:26 1001472]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Monitor"="C:\Windows\PixArt\PAC7311\Monitor.exe" [2006-11-03 11:01 319488]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 17:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 17:06 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 17:07 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-13 16:54 219136]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2/26/2006 5:19:16 AM 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Cg2GRfoAYn"= C:\ProgramData\adwtkvwd\ctwjcxwr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-13 16:54 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{05A0E0ED-FD28-4BFC-B0C1-DA7149AB8FB4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D49D037D-8D68-4C23-8843-3652F8E98F9E}"= UDP:C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:Lexmark Device Monitor
"{1ABE9E9D-2759-40CF-BD8C-BCD9DD5DA4C7}"= TCP:C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:Lexmark Device Monitor
"{BB8FA5EA-D7E9-4F4C-92BF-8CD7746E4796}"= UDP:C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:Lexmark Imaging Studio
"{52F21DF1-7418-4BF6-AB66-C6631C096F8F}"= TCP:C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:Lexmark Imaging Studio
"{5E16C515-537B-4E54-A54C-AD494F0E28CB}"= UDP:C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{777C98E9-F051-49CD-9C0A-8C4582D94DD7}"= TCP:C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{BC229516-9740-407C-A451-42DFAAC89E4C}"= UDP:C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe:Fax software
"{BA44E744-0C89-4348-ADEE-0F19C2DD779F}"= TCP:C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe:Fax software
"{B0C87F4C-E2FF-4463-926F-D6D9F388EE1F}"= UDP:C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:Device Monitor
"{7746E622-3FA0-4D4A-B3F9-AE02AF29E72C}"= TCP:C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:Device Monitor
"{E44E4477-93C5-4D2A-AF9B-5633715291FD}"= UDP:C:\Windows\System32\lxdicfg.exe:Printer Communication System
"{896A09CB-4FD0-4C13-9F14-63F37384DA4B}"= TCP:C:\Windows\System32\lxdicfg.exe:Printer Communication System
"{D1DF1426-64CF-47CA-A5E3-FF4F3EFD2672}"= UDP:C:\Windows\System32\lxdicoms.exe:Lexmark Communications System
"{A391D89F-47DF-4D71-AEB7-04CAC9D9BC1C}"= TCP:C:\Windows\System32\lxdicoms.exe:Lexmark Communications System
"{0A599942-3263-4A75-B345-4752237F4055}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"{3926CF55-18B4-4752-835A-F772B23E4F33}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"{772A7866-F7AB-4DC5-B7F3-F46C93E04A1C}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxditime.exe:Lexmark Connect Time Executable
"{983E1067-1172-43F5-9F78-35F06BBF3D86}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxditime.exe:Lexmark Connect Time Executable
"TCP Query User{C1B8B744-AB82-4234-9B01-BDF92E3300FC}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{3BDAABE5-85BF-4BC8-B6FF-D2CA8FCAABA4}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{A524D459-9088-4EF2-96B8-F1841618034C}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{002B2B1C-B6FE-4AD2-8016-E08A2E82459A}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{E68E7F6E-D15B-4385-882C-342125667501}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{A28BABCF-79BB-4535-9E1E-EAFEF4A49BBC}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{1FFB750F-5A65-4454-B75A-4A6B7C30601A}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{E2D71DF1-EE64-48C0-A0B8-FADAF1C028F6}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{395FEFD8-077C-45A1-A998-3B864F376B68}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{C2E21251-CD53-4E29-B829-616FDAE5D0CD}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{57E558AE-95D3-4B05-BD14-BF56CE148281}C:\\program files\\lexmark 3500-4500 series\\lxdiamon.exe"= UDP:C:\program files\lexmark 3500-4500 series\lxdiamon.exe:Device Monitor Application
"UDP Query User{650E470E-A125-4547-9C53-843F16D8D05F}C:\\program files\\lexmark 3500-4500 series\\lxdiamon.exe"= TCP:C:\program files\lexmark 3500-4500 series\lxdiamon.exe:Device Monitor Application
"TCP Query User{24FB43A7-E59C-4EB4-B20E-08A844F28933}C:\\program files\\lexmark 3500-4500 series\\lxdimon.exe"= UDP:C:\program files\lexmark 3500-4500 series\lxdimon.exe:Device Monitor
"UDP Query User{3F872F66-E031-49A8-9C49-77BADE92A71D}C:\\program files\\lexmark 3500-4500 series\\lxdimon.exe"= TCP:C:\program files\lexmark 3500-4500 series\lxdimon.exe:Device Monitor
"{04B06B3C-DF7D-415F-9DD1-68162BE59E54}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{7697714E-A05A-4380-89BA-D94118B1E3CD}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"TCP Query User{19EB2676-AF5B-4A93-AFB8-4374FB535195}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{EEA643EA-806D-47DE-BFB1-DAF45F94FF22}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{18CFAD02-CE40-4BB5-A624-1170CD5560D8}C:\\program files\\kontiki\\khost.exe"= UDP:C:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{B6B413E0-1FD1-4B18-BBFA-13E54ACA484F}C:\\program files\\kontiki\\khost.exe"= TCP:C:\program files\kontiki\khost.exe:Delivery Manager
"TCP Query User{0B573D77-0A99-4AA2-916D-B5CFD6838AA9}C:\\program files\\kontiki\\khost.exe"= UDP:C:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{D703A1D3-6767-4B0E-A07B-14BF257D6648}C:\\program files\\kontiki\\khost.exe"= TCP:C:\program files\kontiki\khost.exe:Delivery Manager
"{82E28686-C0FD-48FE-A7DF-415BFD5394F6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7C4C44F-289A-4630-8F35-E61B17C0CD4E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5D9F19C3-6163-4C6B-8609-AF7625C1A634}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6C68485F-743C-4331-8E9A-805ABAB7EA5A}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{1EDDA2C7-F801-44DA-BE9A-C31A34E2FC9E}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7D1793FE-7A6F-4214-8E46-A787785AF0B6}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E6E4A50B-471D-4141-8EE0-1F2A4775D365}C:\\program files\\lexmark 3500-4500 series\\app4r.exe"= UDP:C:\program files\lexmark 3500-4500 series\app4r.exe:Printing Application
"UDP Query User{5B03DBF0-CB17-4EF0-AA97-42B353F9D7D6}C:\\program files\\lexmark 3500-4500 series\\app4r.exe"= TCP:C:\program files\lexmark 3500-4500 series\app4r.exe:Printing Application
"TCP Query User{C45D540F-2CE5-4300-BE48-98C538FBD964}C:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"= UDP:C:\windows\system32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"UDP Query User{B1365460-3748-440C-8B45-2581F1E3FC36}C:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"= TCP:C:\windows\system32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"TCP Query User{CB22F152-80E2-48D0-9BD3-3A46F86BEA1E}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{653E62E3-86D7-46A2-8CE1-74E6272ADFE2}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{E6E47FEF-6B61-4A35-B0E7-C7B64F7851BD}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{D407D40E-A43B-4B87-B962-83C2DCAB6418}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{616F69C9-467B-4427-B023-536871E37878}C:\\program files\\flightgear\\bin\\win32\\fgfs.exe"= UDP:C:\program files\flightgear\bin\win32\fgfs.exe:fgfs
"UDP Query User{FD57DBE2-AE65-4236-8C8A-E45F4DF042C9}C:\\program files\\flightgear\\bin\\win32\\fgfs.exe"= TCP:C:\program files\flightgear\bin\win32\fgfs.exe:fgfs
"TCP Query User{E0F75B71-535F-4EF2-984F-1BC7A5C0057B}C:\\program files\\secondlife\\slvoice.exe"= UDP:C:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{2FBFE82B-35A9-423E-B13A-E28CEA867E84}C:\\program files\\secondlife\\slvoice.exe"= TCP:C:\program files\secondlife\slvoice.exe:SLVoice
"{182E8EED-1BC0-4E31-9F01-84E3044D03C9}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{BABC1342-E570-4F45-B007-C796FA5DE66E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

R2 lxdi_device;lxdi_device;C:\Windows\system32\lxdicoms.exe [2007-04-26 15:38]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 15:38]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 15:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-18 18:02]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 16:48]
R3 qkbfiltr;Quanta Keyboard Filter Driver;C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-08-17 14:32]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S3 BDA_Capture_220A;Digital-TV receiver Driver 3.0.1.18;C:\Windows\system32\Drivers\BDA_Capture_220A.sys [2007-02-27 10:19]
S3 BDA_Loader_220A;Digital-TV Receiver Firmware Loader 6.7.10.0;C:\Windows\system32\Drivers\BDA_Loader_220A.sys [2006-07-10 16:17]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 NuVision;Hauppauge WinTV USB Pro (PAL I,D/K);C:\Windows\system32\DRIVERS\NUVision.sys [2005-07-08 16:40]
S3 PAC7311;VGA SoC PC-Camera;C:\Windows\system32\DRIVERS\PA707UCM.SYS [2006-11-08 09:59]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597b7401-e5f0-11dc-813a-101111111111}]
\shell\AutoRun\command - copetttt.com
\shell\explore\Command - copetttt.com
\shell\open\Command - copetttt.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e316af-da6b-11dc-9a6b-101111111111}]
\shell\AutoRun\command - copetttt.com
\shell\explore\Command - copetttt.com
\shell\open\Command - copetttt.com

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 23:29:10 C:\Windows\Tasks\User_Feed_Synchronization-{0D9D18D2-1289-4143-BC59-7FDC01795ADB}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 18:25:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Jason\AppData\Local\Temp\xxwxx.dll
.
Completion time: 2008-03-27 18:26:39
ComboFix-quarantined-files.txt 2008-03-27 18:26:36
Pre-Run: 69,354,803,200 bytes free
Post-Run: 69,333,635,072 bytes free
.
2008-03-25 22:47:57 --- E O F ---



Now Hijack


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:29:45, on 27/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\ProgramData\adwtkvwd\ctwjcxwr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\PixArt\Pac7311\Monitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Windows\System32\butcbovu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Windows\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Jason\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.thetechguys.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BTHelena_McciTrayApp] C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC7311\Monitor.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [hdmictpz] C:\ProgramData\hdmictpz\fmtqtchc.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jason\AppData\Local\Temp\xxwxx.dll,c
O4 - HKLM\..\Policies\Explorer\Run: [Cg2GRfoAYn] C:\ProgramData\adwtkvwd\ctwjcxwr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9569 bytes
  • 0

#7
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo.com/forum/Malware-Problem-t192666.html

Collect::
C:\ProgramData\adwtkvwd\ctwjcxwr.exe
C:\Windows\System32\butcbovu.exe
C:\Windows\ouwininit.exe
C:\Windows\system32\wbepirif.exe
Folder::
C:\ProgramData\adwtkvwd
File::
C:\delete.bat
C:\copetttt.com
D:\copetttt.com
E:\copetttt.com
F:\copetttt.com
G:\copetttt.com
C:\Users\Jason\AppData\Local\Temp\xxwxx.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ualyrvci"=-
"xciczcbw"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Cg2GRfoAYn"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{597b7401-e5f0-11dc-813a-101111111111}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2e316af-da6b-11dc-9a6b-101111111111}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additionally, ComboFix will generate the following files on your desktop:
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

  • 0
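Added example, not part of this thread and not code from HijackThis or ComboFix: a small Python checker that applies the same reasoning the helper used to pick the rogue O4 entries out of the log above (random eight-letter value/file name pairs such as ualyrvci/wbepirif.exe, a DLL loaded from the user's Temp folder via rundll32, random ProgramData folders, and the Policies\Explorer\Run key) to a constructed excerpt of that HijackThis log. The function names, regexes and thresholds are my own assumptions, tuned to this log's pattern rather than a general-purpose rule set.

```python
"""Flag suspicious HijackThis O4 (autostart) entries.

Added example; not part of the thread, HijackThis or ComboFix. The
heuristics are my own and mirror what the helper pulled out of the log:
random eight-letter value/file name pairs, payloads loaded from a user's
Temp folder (including DLLs started via rundll32), random ProgramData
folders and entries under the Policies\\Explorer\\Run key.
"""
import ntpath
import re
from dataclasses import dataclass

# O4 - HKCU\..\Run: [name] command   (hive may carry a SID, e.g. HKUS\S-1-5-19)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# first drive- or %VAR%-rooted path ending in an executable extension
PATH_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:|%[^%]+%)\\.*?\.(?:exe|dll|com|scr|bat))", re.IGNORECASE
)
RANDOM8_RE = re.compile(r"^[a-z]{8}$")                 # e.g. ualyrvci, wbepirif
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RANDOM_PROGDATA_RE = re.compile(r"\\ProgramData\\[a-z]{8}\\[a-z]{8}\.exe$")


@dataclass
class Finding:
    name: str      # registry value name, e.g. "ualyrvci"
    target: str    # file the entry really executes
    reasons: list  # heuristic labels that fired


def target_of(cmd: str) -> str:
    """Return the file an O4 command line actually runs."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        # rundll32.exe <dll>,<export>: the DLL is the payload, not rundll32
        return cmd[len("rundll32.exe "):].split(",", 1)[0].strip().strip('"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = PATH_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def check_entry(key: str, name: str, cmd: str):
    """Apply the heuristics to one entry; return a Finding or None."""
    target = target_of(cmd)
    stem = ntpath.splitext(ntpath.basename(target))[0]
    reasons = []
    if key.lower().endswith(r"policies\explorer\run"):
        reasons.append("policies-explorer-run")  # rarely used by legitimate software
    if TEMP_RE.search(target):
        reasons.append("runs-from-temp")
    if RANDOM8_RE.match(name) and RANDOM8_RE.match(stem):
        # igfxpers.exe and oobefldr.dll are eight lowercase letters on their own;
        # requiring the value name to look random too keeps them from being flagged
        reasons.append("random-name-pair")
    if RANDOM_PROGDATA_RE.search(target):
        reasons.append("random-programdata-path")
    return Finding(name, target, reasons) if reasons else None


def analyze_o4(lines):
    """Parse HijackThis O4 lines and return the entries that look rogue."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:  # "O4 - Startup:" lines and non-O4 lines are skipped
            continue
        finding = check_entry(m["key"], m["name"], m["cmd"])
        if finding:
            findings.append(finding)
    return findings


# Constructed excerpt of the HijackThis log posted above; legitimate entries
# are included so the false-positive behaviour is visible.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [hdmictpz] C:\ProgramData\hdmictpz\fmtqtchc.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jason\AppData\Local\Temp\xxwxx.dll,c
O4 - HKLM\..\Policies\Explorer\Run: [Cg2GRfoAYn] C:\ProgramData\adwtkvwd\ctwjcxwr.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
""".splitlines()


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_O4):
        print(f"[{f.name}] {f.target}  <- {', '.join(f.reasons)}")
```

Run as-is it lists exactly the five entries the CFScript above removes, and nothing else from the excerpt.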

#8
greenshorts
    Member
  • Topic Starter
  • Member
  • 33 posts
ComboFix 08-03-26.1 - Jason 2008-03-28 17:28:24.2 - NTFSx86
Running from: C:\Users\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Users\Jason\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\copetttt.com
C:\delete.bat
C:\Users\Jason\AppData\Local\Temp\xxwxx.dll
D:\copetttt.com
E:\copetttt.com
F:\copetttt.com
G:\copetttt.com
.
TimedOut: Windir.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\delete.bat
C:\ProgramData\adwtkvwd
C:\ProgramData\adwtkvwd\ctwjcxwr.exe
C:\Users\Jason\AppData\Local\Temp\xxwxx.dll
C:\Windows\ouwininit.exe
C:\Windows\System32\butcbovu.exe
C:\Windows\system32\wbepirif.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 21:30 . 2008-03-27 21:34 <DIR> d-------- C:\Users\Jason\AppData\Roaming\Motive
2008-03-27 21:15 . 2008-03-27 21:30 <DIR> d-------- C:\Program Files\BT Broadband Desktop Help
2008-03-27 18:51 . 2008-03-27 18:51 <DIR> d-------- C:\ProgramData\jpaktkqq
2008-03-27 17:18 . 2008-03-27 17:18 <DIR> d-------- C:\Deckard
2008-03-27 16:16 . 2008-03-27 16:16 <DIR> d-------- C:\VundoFix Backups
2008-03-27 14:48 . 2008-03-27 15:53 <DIR> d-------- C:\ProgramData\hdmictpz
2008-03-27 14:23 . 2008-03-27 14:23 1,066,176 --a------ C:\Windows\System32\mscomctl.ocx
2008-03-27 11:02 . 2008-03-27 11:04 <DIR> d-------- C:\ProgramData\Lavasoft
2008-03-27 11:02 . 2008-03-27 11:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-27 11:00 . 2008-03-27 11:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 01:06 . 2008-03-27 15:53 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-03-27 01:06 . 2008-03-27 01:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-27 00:30 . 2008-03-27 00:30 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-03-26 22:29 . 2008-03-26 22:30 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-26 17:58 . 2008-03-28 16:56 <DIR> d-------- C:\Users\Jason\AppData\Roaming\OpenOffice.org2
2008-03-26 17:56 . 2008-03-26 17:57 <DIR> d-------- C:\Users\Jason\AppData\Roaming\PeerNetworking
2008-03-26 17:51 . 2008-03-26 17:51 <DIR> d-------- C:\Program Files\OpenOffice.org 2.0
2008-03-26 12:43 . 2008-03-27 00:46 <DIR> d-------- C:\Users\Jason\AppData\Roaming\Skinux
2008-03-26 12:43 . 2008-03-26 12:43 <DIR> d-------- C:\Users\Jason\AppData\Roaming\BT
2008-03-26 12:42 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\BT Broadband Talk Softphone
2008-03-26 01:58 . 2008-03-26 01:58 <DIR> d-------- C:\Program Files\Safari
2008-03-26 01:57 . 2008-03-26 01:57 54,156 --ah----- C:\Windows\QTFont.qfn
2008-03-26 01:57 . 2008-03-26 01:57 1,409 --a------ C:\Windows\QTFont.for
2008-03-26 01:56 . 2008-03-26 01:56 <DIR> d-------- C:\Program Files\iPod
2008-03-26 01:55 . 2008-03-26 01:55 <DIR> d-------- C:\Program Files\QuickTime
2008-03-26 01:28 . 2008-03-26 01:28 <DIR> d-------- C:\PerfLogs
2008-03-26 01:10 . 2008-03-26 00:49 152,576 --a------ C:\Windows\System32\SPWizUI.dll
2008-03-26 01:10 . 2008-03-26 00:49 47,560 --a------ C:\Windows\System32\SPReview.exe
2008-03-26 00:56 . 2008-01-18 23:33 599,552 --a------ C:\Windows\System32\vsp1cln.exe
2008-03-26 00:56 . 2008-01-18 23:33 193,024 --a------ C:\Windows\System32\recdisc.exe
2008-03-26 00:56 . 2008-01-18 23:36 142,336 --a------ C:\Windows\System32\spp.dll
2008-03-26 00:56 . 2008-01-18 23:36 28,160 --a------ C:\Windows\System32\sxproxy.dll
2008-03-26 00:56 . 2008-01-18 23:36 6,656 --a------ C:\Windows\System32\sdspres.dll
2008-03-26 00:53 . 2008-01-18 23:36 2,588,160 --a------ C:\Windows\System32\UIHub.dll
2008-03-26 00:51 . 2008-01-18 23:33 44,032 --a------ C:\Windows\System32\cbsra.exe
2008-03-26 00:50 . 2008-03-26 01:12 196,608 --a------ C:\Windows\SPInstall.etl
2008-03-26 00:49 . 2008-03-26 00:49 <DIR> d-------- C:\96c96424a564ed5d90617475d7f4b5
2008-03-25 11:19 . 2008-03-25 11:21 <DIR> d-------- C:\Users\Jason\AppData\Roaming\SecondLife
2008-03-25 11:18 . 2008-03-25 11:22 <DIR> d-------- C:\Program Files\SecondLife
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-03-20 18:50 . 2008-03-20 18:50 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-18 21:33 . 2008-03-19 19:01 <DIR> d-------- C:\Users\Jason\AppData\Roaming\flightgear.org
2008-03-18 21:31 . 2008-03-18 21:33 <DIR> d-------- C:\Program Files\FlightGear
2008-03-18 20:23 . 2007-07-19 18:14 3,727,720 --a------ C:\Windows\System32\d3dx9_35.dll
2008-03-18 20:22 . 2008-03-18 20:23 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-03-18 19:27 . 2008-03-27 15:53 <DIR> d-------- C:\Users\Jason\AppData\Roaming\uTorrent
2008-03-18 19:27 . 2008-03-18 19:27 <DIR> d-------- C:\Program Files\uTorrent
2008-03-04 18:55 . 2008-03-04 18:55 <DIR> d-------- C:\ProgramData\SSScanAppDataDir
2008-03-04 18:53 . 2006-10-26 19:58 30,512 --a------ C:\Windows\System32\mdimon.dll
2008-03-04 18:51 . 2008-03-04 18:51 <DIR> d-------- C:\ProgramData\MSScanAppDataDir
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-03 19:19 . 2008-03-03 19:19 0 --a------ C:\Windows\Irremote.ini
2008-03-03 19:15 . 2008-03-03 19:15 921 --a------ C:\Windows\QSFVExit.bat
2008-02-28 21:58 . 2008-02-28 21:58 <DIR> d-------- C:\Users\Jason\AppData\Roaming\Flickr
2008-02-28 21:55 . 2008-02-28 21:55 <DIR> d-------- C:\Program Files\Flickr Uploadr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 18:43 --------- d-----w C:\ProgramData\Kontiki
2008-03-27 21:36 --------- d-----w C:\ProgramData\Motive
2008-03-27 21:29 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-27 15:53 --------- d-----w C:\Users\Jason\AppData\Roaming\AVG7
2008-03-26 17:38 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-26 17:38 --------- d-----w C:\Program Files\Microsoft Works
2008-03-26 13:04 --------- d-----w C:\Users\Jason\AppData\Roaming\Apple Computer
2008-03-26 12:35 --------- d-----w C:\Program Files\Yahoo!
2008-03-26 01:57 --------- d-----w C:\Program Files\iTunes
2008-03-26 01:40 174 --sha-w C:\Program Files\desktop.ini
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Mail
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Journal
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-26 01:32 --------- d-----w C:\Program Files\Windows Calendar
2008-03-26 01:31 --------- d-----w C:\Program Files\Windows Defender
2008-03-26 01:17 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-26 01:17 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-25 11:09 --------- d-----w C:\Users\Jason\AppData\Roaming\Nokia Multimedia Player
2008-03-18 18:02 53,768 ----a-w C:\Windows\system32\drivers\avgwfp.sys
2008-03-05 18:36 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-05 16:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 16:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 16:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 15:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 15:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-04 21:08 3,008 ----a-w C:\Users\Jason\AppData\Roaming\wklnhst.dat
2008-03-04 19:10 --------- d-----w C:\ProgramData\Lx_cats
2008-03-03 19:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 19:39 --------- d-----w C:\Program Files\Microsoft Games
2008-03-03 19:21 --------- d-----w C:\ProgramData\Nero
2008-03-03 19:21 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-26 00:31 --------- d-----w C:\Program Files\Nokia
2008-02-23 01:29 --------- d-----w C:\ProgramData\Installations
2008-02-19 09:51 --------- d-----w C:\ProgramData\App4rTemp
2008-02-13 11:31 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-06 17:27 --------- d-----w C:\Users\Jason\AppData\Roaming\Atari
2008-02-05 23:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-02-03 11:02 --------- d-----w C:\Program Files\iLike
2008-02-03 10:54 --------- d-----w C:\Program Files\QuickSFV
2008-01-29 14:59 --------- d-----w C:\Program Files\WinTV
2008-01-18 23:44 986,680 ----a-w C:\Windows\System32\winload.exe
2008-01-18 23:44 926,776 ----a-w C:\Windows\System32\winresume.exe
2008-01-18 23:43 614,968 ----a-w C:\Windows\System32\ci.dll
2008-01-18 23:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-01-18 23:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-01-18 23:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-01-18 23:43 247,352 ----a-w C:\Windows\System32\clfs.sys
2008-01-18 23:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2008-01-18 23:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2008-01-18 23:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2008-01-18 23:42 141,880 ----a-w C:\Windows\System32\halacpi.dll
2008-01-18 23:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2008-01-18 23:41 21,560 ----a-w C:\Windows\System32\kdusb.dll
2008-01-18 23:41 19,512 ----a-w C:\Windows\System32\kdcom.dll
2008-01-18 23:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL
2008-01-18 23:38 4,595,712 ----a-w C:\Windows\System32\AuthFWSnapin.dll
2008-01-18 23:38 242,744 ----a-w C:\Windows\System32\rsaenh.dll
2008-01-18 23:38 155,704 ----a-w C:\Windows\System32\dssenh.dll
2008-01-18 23:38 131,640 ----a-w C:\Windows\System32\basecsp.dll
2008-01-18 23:38 103,936 ----a-w C:\Windows\System32\NAPHLPR.DLL
2008-01-18 23:38 1,203,792 ----a-w C:\Windows\System32\ntdll.dll
2008-01-18 23:36 99,840 ----a-w C:\Windows\System32\ulib.dll
2008-01-18 23:35 98,304 ----a-w C:\Windows\System32\mssitlb.dll
2008-01-18 23:34 98,816 ----a-w C:\Windows\System32\mfps.dll
2008-01-18 23:33 98,304 ----a-w C:\Windows\System32\makecab.exe
2008-01-18 23:32 258,048 ----a-w C:\Windows\System32\winspool.drv
2008-01-18 23:32 21,504 ----a-w C:\Windows\System32\msacm32.drv
2008-01-18 23:32 166,912 ----a-w C:\Windows\System32\wdmaud.drv
2008-01-18 23:32 1,370,624 ----a-w C:\Windows\System32\Aurora.scr
2008-01-18 23:31 7,680 ----a-w C:\Windows\System32\spwizres.dll
2008-01-18 23:31 57,856 ----a-w C:\Windows\System32\nlsbres.dll
2008-01-18 23:31 118,272 ----a-w C:\Windows\System32\RDPENCDD.dll
2008-01-18 23:30 17,920 ----a-w C:\Windows\System32\netevent.dll
2008-01-18 23:29 705,536 ----a-w C:\Windows\System32\imagesp1.dll
2008-01-18 23:29 58,880 ----a-w C:\Windows\System32\msobjs.dll
2008-01-18 23:28 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-01-18 23:26 36,864 ----a-w C:\Windows\System32\cdd.dll
2008-01-18 22:06 8,147,456 ----a-w C:\Windows\System32\wmploc.DLL
2008-01-18 22:01 14,336 ----a-w C:\Windows\System32\tsddd.dll
2008-01-18 22:01 134,656 ----a-w C:\Windows\System32\rdpdd.dll
2008-01-18 21:52 56,320 ----a-w C:\Windows\System32\vga256.dll
2008-01-18 21:52 21,504 ----a-w C:\Windows\System32\vga64k.dll
2008-01-18 21:52 11,776 ----a-w C:\Windows\System32\framebuf.dll
2008-01-18 21:52 10,752 ----a-w C:\Windows\System32\vga.dll
2008-01-18 21:50 14,848 ----a-w C:\Windows\System32\iscsilog.dll
2008-01-18 21:48 20,992 ----a-w C:\Windows\System32\msdtcVSp1res.dll
2008-01-18 21:48 1,291,264 ----a-w C:\Windows\System32\comres.dll
2008-01-18 21:46 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-18 21:39 13,312 ----a-w C:\Windows\System32\WsmRes.dll
2008-01-18 21:37 2,031,616 ----a-w C:\Windows\System32\win32k.sys
2008-01-18 21:36 289,792 ----a-w C:\Windows\System32\atmfd.dll
2008-01-18 21:33 56,320 ----a-w C:\Windows\System32\graftabl.com
2008-01-18 21:31 8,322,048 ----a-w C:\Windows\System32\spwizimg.dll
2008-01-18 21:27 8,704 ----a-w C:\Windows\System32\kd1394.dll
2008-01-18 21:26 605,696 ----a-w C:\Windows\System32\adtschema.dll
2008-01-18 19:17 100,043 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-01-15 18:55 230,432 ----a-w C:\PA7311.DAT
2008-01-05 03:36 195,122 ----a-w C:\Windows\System32\winrm.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-03-27_18.26.21.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-27 17:50:32 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-03-28 17:33:20 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-03-27 18:00:17 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-03-28 17:48:31 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-03-27 17:52:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-28 17:44:05 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-28 17:44:05 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-03-27 18:20:48 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-03-28 17:36:57 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-03-27 17:52:55 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-28 17:44:00 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-03-27 17:50:54 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-03-28 17:33:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-27 17:50:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-28 17:33:41 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-27 17:50:54 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-03-28 17:33:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-27 17:58:49 105,852 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-03-28 17:40:08 105,852 ----a-w C:\Windows\System32\perfc009.dat
- 2008-03-27 17:58:49 600,378 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-03-28 17:40:08 600,378 ----a-w C:\Windows\System32\perfh009.dat
- 2008-03-27 17:52:35 5,846 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3206065437-719097110-3608468286-1000_UserData.bin
+ 2008-03-27 20:25:08 5,854 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3206065437-719097110-3608468286-1000_UserData.bin
- 2008-03-27 17:52:35 63,408 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-28 16:54:45 63,566 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-03-26 01:12:12 3,382 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-03-28 04:21:55 6,332 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-03-27 14:48:45 43,056 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-28 16:54:39 45,056 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-01-14 16:16:14 160,600 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-03-28 04:21:07 182,748 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"iLike"="C:\Program Files\iLike\1.1.27\ilikesidebar.exe" [2007-09-13 11:34 63024]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"hdmictpz"="C:\ProgramData\hdmictpz\fmtqtchc.exe" [2008-03-27 14:48 98304]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-18 23:38 1008184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 12:50 815104]
"Keyboard Manager Utility"="C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-01-11 18:54 1359872]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 10:45 579072]
"lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 18:07 435120]
"lxdiamon"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 12:40 20480]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 18:10 312240]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Monitor"="C:\Windows\PixArt\PAC7311\Monitor.exe" [2006-11-03 11:01 319488]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 17:07 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 17:06 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 17:07 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2007-11-01 03:39 1475072]
"btbb_wcm_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2007-11-29 12:30 1474048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-13 16:54 219136]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2/26/2006 5:19:16 AM 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-11-13 16:54 9216 C:\Windows\System32\avgwlntf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{05A0E0ED-FD28-4BFC-B0C1-DA7149AB8FB4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D49D037D-8D68-4C23-8843-3652F8E98F9E}"= UDP:C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:Lexmark Device Monitor
"{1ABE9E9D-2759-40CF-BD8C-BCD9DD5DA4C7}"= TCP:C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:Lexmark Device Monitor
"{BB8FA5EA-D7E9-4F4C-92BF-8CD7746E4796}"= UDP:C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:Lexmark Imaging Studio
"{52F21DF1-7418-4BF6-AB66-C6631C096F8F}"= TCP:C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:Lexmark Imaging Studio
"{5E16C515-537B-4E54-A54C-AD494F0E28CB}"= UDP:C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{777C98E9-F051-49CD-9C0A-8C4582D94DD7}"= TCP:C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{BC229516-9740-407C-A451-42DFAAC89E4C}"= UDP:C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe:Fax software
"{BA44E744-0C89-4348-ADEE-0F19C2DD779F}"= TCP:C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe:Fax software
"{B0C87F4C-E2FF-4463-926F-D6D9F388EE1F}"= UDP:C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:Device Monitor
"{7746E622-3FA0-4D4A-B3F9-AE02AF29E72C}"= TCP:C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:Device Monitor
"{E44E4477-93C5-4D2A-AF9B-5633715291FD}"= UDP:C:\Windows\System32\lxdicfg.exe:Printer Communication System
"{896A09CB-4FD0-4C13-9F14-63F37384DA4B}"= TCP:C:\Windows\System32\lxdicfg.exe:Printer Communication System
"{D1DF1426-64CF-47CA-A5E3-FF4F3EFD2672}"= UDP:C:\Windows\System32\lxdicoms.exe:Lexmark Communications System
"{A391D89F-47DF-4D71-AEB7-04CAC9D9BC1C}"= TCP:C:\Windows\System32\lxdicoms.exe:Lexmark Communications System
"{0A599942-3263-4A75-B345-4752237F4055}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"{3926CF55-18B4-4752-835A-F772B23E4F33}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"{772A7866-F7AB-4DC5-B7F3-F46C93E04A1C}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxditime.exe:Lexmark Connect Time Executable
"{983E1067-1172-43F5-9F78-35F06BBF3D86}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxditime.exe:Lexmark Connect Time Executable
"TCP Query User{C1B8B744-AB82-4234-9B01-BDF92E3300FC}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{3BDAABE5-85BF-4BC8-B6FF-D2CA8FCAABA4}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{A524D459-9088-4EF2-96B8-F1841618034C}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{002B2B1C-B6FE-4AD2-8016-E08A2E82459A}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{E68E7F6E-D15B-4385-882C-342125667501}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{A28BABCF-79BB-4535-9E1E-EAFEF4A49BBC}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{1FFB750F-5A65-4454-B75A-4A6B7C30601A}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{E2D71DF1-EE64-48C0-A0B8-FADAF1C028F6}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{395FEFD8-077C-45A1-A998-3B864F376B68}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{C2E21251-CD53-4E29-B829-616FDAE5D0CD}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{57E558AE-95D3-4B05-BD14-BF56CE148281}C:\\program files\\lexmark 3500-4500 series\\lxdiamon.exe"= UDP:C:\program files\lexmark 3500-4500 series\lxdiamon.exe:Device Monitor Application
"UDP Query User{650E470E-A125-4547-9C53-843F16D8D05F}C:\\program files\\lexmark 3500-4500 series\\lxdiamon.exe"= TCP:C:\program files\lexmark 3500-4500 series\lxdiamon.exe:Device Monitor Application
"TCP Query User{24FB43A7-E59C-4EB4-B20E-08A844F28933}C:\\program files\\lexmark 3500-4500 series\\lxdimon.exe"= UDP:C:\program files\lexmark 3500-4500 series\lxdimon.exe:Device Monitor
"UDP Query User{3F872F66-E031-49A8-9C49-77BADE92A71D}C:\\program files\\lexmark 3500-4500 series\\lxdimon.exe"= TCP:C:\program files\lexmark 3500-4500 series\lxdimon.exe:Device Monitor
"{04B06B3C-DF7D-415F-9DD1-68162BE59E54}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{7697714E-A05A-4380-89BA-D94118B1E3CD}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"TCP Query User{19EB2676-AF5B-4A93-AFB8-4374FB535195}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{EEA643EA-806D-47DE-BFB1-DAF45F94FF22}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{18CFAD02-CE40-4BB5-A624-1170CD5560D8}C:\\program files\\kontiki\\khost.exe"= UDP:C:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{B6B413E0-1FD1-4B18-BBFA-13E54ACA484F}C:\\program files\\kontiki\\khost.exe"= TCP:C:\program files\kontiki\khost.exe:Delivery Manager
"TCP Query User{0B573D77-0A99-4AA2-916D-B5CFD6838AA9}C:\\program files\\kontiki\\khost.exe"= UDP:C:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{D703A1D3-6767-4B0E-A07B-14BF257D6648}C:\\program files\\kontiki\\khost.exe"= TCP:C:\program files\kontiki\khost.exe:Delivery Manager
"{82E28686-C0FD-48FE-A7DF-415BFD5394F6}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C7C4C44F-289A-4630-8F35-E61B17C0CD4E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5D9F19C3-6163-4C6B-8609-AF7625C1A634}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6C68485F-743C-4331-8E9A-805ABAB7EA5A}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{1EDDA2C7-F801-44DA-BE9A-C31A34E2FC9E}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7D1793FE-7A6F-4214-8E46-A787785AF0B6}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{E6E4A50B-471D-4141-8EE0-1F2A4775D365}C:\\program files\\lexmark 3500-4500 series\\app4r.exe"= UDP:C:\program files\lexmark 3500-4500 series\app4r.exe:Printing Application
"UDP Query User{5B03DBF0-CB17-4EF0-AA97-42B353F9D7D6}C:\\program files\\lexmark 3500-4500 series\\app4r.exe"= TCP:C:\program files\lexmark 3500-4500 series\app4r.exe:Printing Application
"TCP Query User{C45D540F-2CE5-4300-BE48-98C538FBD964}C:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"= UDP:C:\windows\system32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"UDP Query User{B1365460-3748-440C-8B45-2581F1E3FC36}C:\\windows\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"= TCP:C:\windows\system32\spool\drivers\w32x86\3\lxdipswx.exe:Printer Status Window Interface
"TCP Query User{CB22F152-80E2-48D0-9BD3-3A46F86BEA1E}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{653E62E3-86D7-46A2-8CE1-74E6272ADFE2}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{E6E47FEF-6B61-4A35-B0E7-C7B64F7851BD}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{D407D40E-A43B-4B87-B962-83C2DCAB6418}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{616F69C9-467B-4427-B023-536871E37878}C:\\program files\\flightgear\\bin\\win32\\fgfs.exe"= UDP:C:\program files\flightgear\bin\win32\fgfs.exe:fgfs
"UDP Query User{FD57DBE2-AE65-4236-8C8A-E45F4DF042C9}C:\\program files\\flightgear\\bin\\win32\\fgfs.exe"= TCP:C:\program files\flightgear\bin\win32\fgfs.exe:fgfs
"TCP Query User{E0F75B71-535F-4EF2-984F-1BC7A5C0057B}C:\\program files\\secondlife\\slvoice.exe"= UDP:C:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{2FBFE82B-35A9-423E-B13A-E28CEA867E84}C:\\program files\\secondlife\\slvoice.exe"= TCP:C:\program files\secondlife\slvoice.exe:SLVoice
"{182E8EED-1BC0-4E31-9F01-84E3044D03C9}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{BABC1342-E570-4F45-B007-C796FA5DE66E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{014D043B-C0D0-4B84-9F6E-CAB87EC49BA5}C:\\program files\\bt broadband desktop help\\btbb\\bthelpbrowser.exe"= UDP:C:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe:mcci+McciBrowser
"UDP Query User{8ABA3B3B-A466-42EB-8835-F92D82C64445}C:\\program files\\bt broadband desktop help\\btbb\\bthelpbrowser.exe"= TCP:C:\program files\bt broadband desktop help\btbb\bthelpbrowser.exe:mcci+McciBrowser

R2 lxdi_device;lxdi_device;C:\Windows\system32\lxdicoms.exe [2007-04-26 15:38]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 15:38]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-11-17 01:34]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 15:39]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-18 18:02]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 16:48]
R3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-11-17 01:34]
R3 qkbfiltr;Quanta Keyboard Filter Driver;C:\Windows\system32\DRIVERS\qkbfiltr.sys [2006-08-17 14:32]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 09:51]
S3 BDA_Capture_220A;Digital-TV receiver Driver 3.0.1.18;C:\Windows\system32\Drivers\BDA_Capture_220A.sys [2007-02-27 10:19]
S3 BDA_Loader_220A;Digital-TV Receiver Firmware Loader 6.7.10.0;C:\Windows\system32\Drivers\BDA_Loader_220A.sys [2006-07-10 16:17]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-11-17 01:34]
S3 NuVision;Hauppauge WinTV USB Pro (PAL I,D/K);C:\Windows\system32\DRIVERS\NUVision.sys [2005-07-08 16:40]
S3 PAC7311;VGA SoC PC-Camera;C:\Windows\system32\DRIVERS\PA707UCM.SYS [2006-11-08 09:59]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 17:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 00:10:07 C:\Windows\Tasks\User_Feed_Synchronization-{0D9D18D2-1289-4143-BC59-7FDC01795ADB}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 18:43:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-28 18:45:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 18:45:14
ComboFix2.txt 2008-03-27 18:26:40
Pre-Run: 66,193,178,624 bytes free
Post-Run: 65,903,296,512 bytes free
.
2008-03-28 17:01:00 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:42, on 28/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\PixArt\Pac7311\Monitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\hdmictpz\fmtqtchc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Users\Jason\Downloads\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.thetechguys.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC7311\Monitor.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [hdmictpz] C:\ProgramData\hdmictpz\fmtqtchc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9720 bytes

#9
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#10
greenshorts

    Member

  • Topic Starter
  • Member
  • 33 posts
Malwarebytes' Anti-Malware 1.09
Database version: 563

Scan type: Full Scan (C:\|S:\|)
Objects scanned: 149024
Time elapsed: 46 minute(s), 20 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
c:\programdata\hdmictpz\fmtqtchc.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hdmictpz (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\hdmictpz\fmtqtchc.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
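As an added example (not code from the thread, from HijackThis or from Malwarebytes), the script below parses the O4 autostart lines of the HijackThis log posted above and scores each entry with a defender-side heuristic: an autostart that launches an executable from a user-writable location (ProgramData, AppData, Temp) whose folder and file names are random-looking lowercase strings. Those are exactly the traits of the C:\ProgramData\hdmictpz\fmtqtchc.exe entry that Malwarebytes reported as Trojan.Agent; the scoring thresholds are my own, and the last sample line is constructed for the example and does not appear in the thread.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for this thread; not code from the forum posts, HijackThis or
Malwarebytes. Heuristic: an autostart that launches an executable out of a
user-writable location whose folder and file names look random, as
C:\\ProgramData\\hdmictpz\\fmtqtchc.exe did in the log above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O4 lines copied from the HijackThis log posted above. The second-to-last
# line is the entry Malwarebytes reported as Trojan.Agent; the last line is
# constructed for this example and does not appear in the thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r'O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all',
    r"O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r"O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe",
    r"O4 - HKCU\..\Run: [hdmictpz] C:\ProgramData\hdmictpz\fmtqtchc.exe",
    r"O4 - HKCU\..\Run: [qwrtplkj] C:\Users\Jason\AppData\Local\Temp\qwrtplkj.exe",
]

# "O4 - <hive\..\key>: [<value name>] <command> (User '<account>')"
O4_RE = re.compile(
    r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First executable-looking token of the command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:"|\s|$)', re.I)
# Locations a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Z]:\\ProgramData\\|[A-Z]:\\Users\\[^\\]+\\AppData\\|[A-Z]:\\Windows\\Temp\\"
    r"|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA|PROGRAMDATA)%)",
    re.I,
)


@dataclass
class Finding:
    name: str
    location: str
    path: str
    user: Optional[str]
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Dropper-style name: 6-12 lowercase letters with almost no vowels."""
    if not re.fullmatch(r"[a-z]{6,12}", token):
        return False
    vowels = sum(ch in "aeiou" for ch in token)
    return vowels / len(token) < 0.3


def score_entry(finding: Finding) -> Finding:
    """Add +2 for a user-writable location, +1 each for a random folder/file name."""
    parts = finding.path.split("\\")
    stem = re.sub(r"\.[^.]+$", "", parts[-1])
    parent = parts[-2] if len(parts) >= 2 else ""
    if USER_WRITABLE_RE.match(finding.path):
        finding.score += 2
        finding.reasons.append("runs from a user-writable location")
    if looks_random(parent):
        finding.score += 1
        finding.reasons.append(f"random-looking folder name {parent!r}")
    if looks_random(stem):
        finding.score += 1
        finding.reasons.append(f"random-looking file name {stem!r}")
    return finding


def triage(lines: List[str]) -> List[Finding]:
    """Parse every registry-backed O4 line (Startup-folder .lnk lines are skipped)."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.match(m["command"])
        path = exe["path"] if exe else m["command"]
        findings.append(score_entry(Finding(m["name"], m["location"], path, m["user"])))
    return findings


def suspicious(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Entries worth a closer look; threshold 3 needs location plus one random name."""
    return [f for f in triage(lines) if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        flag = "SUSPECT" if f.score >= 3 else "ok     "
        print(f"{flag} {f.score} {f.location:<20} {f.path}  {'; '.join(f.reasons)}")
```

Nothing with a score of 1 or 2 is condemned by this; the point is to rank a long O4 list so the entries that deserve a lookup come first, as the hdmictpz entry would have here.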

#11
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\a.bat
    C:\Windows\winsystem.exe
    C:\Windows\system32WINWGPX.EXE
    C:\Windows\system32winsystem.exe
    C:\Windows\system32vcatchpi.dll
    C:\Windows\system32vbsys2.dll
    C:\Windows\system32thun32.dll
    C:\Windows\system32thun.dll
    C:\Windows\system32sysreq.exe
    C:\Windows\system32Rundl1.exe
    C:\Windows\system32newsd32.exe
    C:\Windows\system32mssecu.exe
    C:\Windows\system32emesx.dll
    C:\Windows\system32bdn.com
    C:\Windows\system32awtoolb.dll
    C:\Windows\system32anticipator.dll
    C:\Windows\system32akttzn.exe
    C:\Windows\mssecu.exe
    C:\Windows\bdn.com
    C:\Windows\system32\wbepirif.exe
    C:\Windows\dwnrpofk.dll
    C:\Windows\system32winlogonpc.exe
    C:\Windows\system32temp#01.exe
    C:\Windows\system32taack.exe
    C:\Windows\system32taack.dat
    C:\Windows\system32ssvchost.exe
    C:\Windows\system32ssvchost.com
    C:\Windows\system32ssurf022.dll
    C:\Windows\system32sncntr.exe
    C:\Windows\system32smp
    C:\Windows\system32regm64.dll
    C:\Windows\system32regc64.dll
    C:\Windows\system32psoft1.exe
    C:\Windows\system32psof1.exe
    C:\Windows\system32ps1.exe
    C:\Windows\system32netode.exe
    C:\Windows\system32mwin32.exe
    C:\Windows\system32mtr2.exe
    C:\Windows\system32msvchost.exe
    C:\Windows\system32msnbho.dll
    C:\Windows\system32msgp.exe
    C:\Windows\system32medup020.dll
    C:\Windows\system32medup012.dll
    C:\Windows\system32hxiwlgpm.exe
    C:\Windows\system32hxiwlgpm.dat
    C:\Windows\system32hoproxy.dll
    C:\Windows\system32h@tkeysh@@k.dll
    C:\Windows\system32dpcproxy.exe
    C:\Windows\system32bsva-egihsg52.exe
    C:\Windows\iTunesMusic.exe
    C:\Windows\FVProtect.exe
    C:\Windows\userconfig9x.dll
    C:\Windows\system32\butcbovu.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
============================
After that Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=======================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
===============
Post these logs in your next reply:
New Hijackthis log
OTMoveit log
Kaspersky log


If you cannot fit them all in one post, then please make multiple posts.

#12
greenshorts

    Member

  • Topic Starter
  • Member
  • 33 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 29, 2008 3:34:16 PM
Operating System: Microsoft Windows Vista Home Edition, Service Pack 1 (Build 6001)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 672287
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
S:\

Scan Statistics:
Total number of scanned objects: 108066
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:16:34

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\Users\Jason\AppData\Local\Temp\bdjnhkow.dll Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ASPNETSetup_00000.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\coinlog.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\conexant.cer Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\D653F3EC.TMP Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMI25C7.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMI6DFE.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMI86F9.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIA015.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIA128.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIA388.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIB9F3.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIC2A2.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIC956.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMICD83.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMID45E.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\DMIDFA4.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob1.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob2.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob3.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob4.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob5.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob6.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob7.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob8.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\ehprivjob9.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071114-163624-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071114-163636-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071117-032309-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071117-032320-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071207-100245-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071207-100307-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071214-032855-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071214-032907-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071214-235451-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20071214-235501-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080105-152206-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080105-152217-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080107-200220-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080107-200230-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080108-011307-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080108-011319-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080108-181011-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080108-181021-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080109-163415-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080109-163426-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080113-211922-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080113-211932-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080123-170548-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080123-170600-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080129-124407-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080129-124417-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080129-154716-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080129-154727-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080130-143148-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080130-143158-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080203-134426-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080203-134439-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080213-195822-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080213-195836-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080216-032456-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080216-032509-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080223-003438-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080223-003451-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080226-231629-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080226-231643-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080226-234948-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080226-235002-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080227-172225-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080227-172249-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080227-180608-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080227-180620-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080228-114419-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080228-114431-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080229-005652-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080229-005704-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080302-103817-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080302-103828-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080303-143146-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080303-143342-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080303-211155-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080303-211208-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080303-234419-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080303-234820-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080304-002056-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080304-002120-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080314-133516-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080314-133531-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080317-061557-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080317-061612-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080317-081021-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080317-081034-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080318-181301-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080318-181327-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080318-191511-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080318-191525-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080326-012841-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\lpksetup-20080326-012939-0.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\MpCmdRun.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\MpSigStub.log Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\OLD2D.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\OLDA0E.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\OLDF775.tmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\profiles.ref Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\RTWaveTempINI.ini Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\TMP0000002FB66917E352C1B17A Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\VistaSP1_InstallPerf_142855.sqm Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\vlt101A.tm Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER3614.tmp.version.txt Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER36B1.tmp.appcompat.txt Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER3BFF.tmp.hdmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER6887.tmp.version.txt Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER6898.tmp.appcompat.txt Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER6935.tmp.hdmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WER882B.tmp.mdmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WERAD56.tmp.hdmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WERD1D7.tmp.mdmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WERE57A.tmp.version.txt Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WERE57B.tmp.appcompat.txt Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WERE5CA.tmp.hdmp Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WinSAT_DX.etl Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WinSAT_KernelLog.etl Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\WinSAT_StorageAsmt.etl Object is locked skipped
C:\Deckard\System Scanner\backup\Windows\temp\wmsetup.log Object is locked skipped
C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.ilg Object is locked skipped
C:\ProgramData\avg7\Log\emc.log Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\ProgramData\Kontiki\error.log Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8c8f38f345bf6bd16c321b9e6a26a71e_df0ecf26-5711-4e91-8b47-baaab41ffb02 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\af33a874cd63eb202a368314d06c152f_df0ecf26-5711-4e91-8b47-baaab41ffb02 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e114d61688bfa3fef5217f1b1bd5b87a_df0ecf26-5711-4e91-8b47-baaab41ffb02 Object is locked skipped
C:\QooBox\Quarantine\C\Users\Jason\AppData\Local\Temp\xxwxx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008032920080330\index.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat{dbee5587-9240-11dc-8f7a-001b245f433f}.TM.blf Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat{dbee5587-9240-11dc-8f7a-001b245f433f}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows\UsrClass.dat{dbee5587-9240-11dc-8f7a-001b245f433f}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EAA_C8A0_AAC8_8625\dfsr.db Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EAA_C8A0_AAC8_8625\fsr.log Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EAA_C8A0_AAC8_8625\fsrtmp.log Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_EAA_C8A0_AAC8_8625\tmp.edb Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows Defender\FileTracker\{34BA5938-C96A-4F53-95AC-7A8A18683304} Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Users\Jason\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Jason\AppData\Local\Temp\~DF6908.tmp Object is locked skipped
C:\Users\Jason\AppData\Local\Temp\~DF6D5B.tmp Object is locked skipped
C:\Users\Jason\AppData\Local\Temp\~DFEDB6.tmp Object is locked skipped
C:\Users\Jason\AppData\Local\Temp\~DFEE27.tmp Object is locked skipped
C:\Users\Jason\AppData\Local\Mozilla\Firefox\Profiles\1g9wwjtt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Jason\AppData\Local\Mozilla\Firefox\Profiles\1g9wwjtt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Jason\AppData\Local\Mozilla\Firefox\Profiles\1g9wwjtt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Jason\AppData\Local\Mozilla\Firefox\Profiles\1g9wwjtt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Jason\AppData\Roaming\microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Users\Jason\AppData\Roaming\microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Jason\AppData\Roaming\microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\cert8.db Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\foxmarks.log Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\history.dat Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\key3.db Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\parent.lock Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\search.sqlite Object is locked skipped
C:\Users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\1g9wwjtt.default\urlclassifier2.sqlite Object is locked skipped
C:\Users\Jason\ntuser.dat Object is locked skipped
C:\Users\Jason\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Jason\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Jason\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped
C:\Users\Jason\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Jason\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\MEMORY.DMP Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{D459C011-D571-4BC4-95D6-43E36420419A}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0296C47314AB746EC35476488248FCD9.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\040270F850D5C3C91057DDDA2DA294D8.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0A9DBC92D554324656F61F9862679F27.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\0DF617D6737A7561E732F853792261C3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\1E2E58C73053C7775EB226DB5E739137.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\26C097A9392F8C541AD42E89B7909073.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2A811E5CCC22CC9D7AE2B04EF0402688.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2AA23BB86A5EBD8BC2D820944E55B233.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2CE523184A801AA7361A7039E2D6B41D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\2D57A7682ACD19214C258D31A06D008F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\376786241A5443E41378D25CF812FCC1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3DC0BABDCA20E5E319117C21BD4BD795.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\494C62FAA08CD5217399BAA555FF491B.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4A01E0F376B5833EBA98F0D1D5F60CD1.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4B471F64BAF831EC7945C820FD5A16E5.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\4CB32C0A77CD4D9B0C9618F73F786C32.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5774C77265BE4C55B5C6C9718979E015.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5966D45C7B25EACA46E87DD8E5703964.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\5B5D21CF62E70BACF9D085E6AA6CE143.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\69554D930FCA40B0304B9A43A8036F2D.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\72F867EF62976CE9F70993FF3E68A4EB.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7851AF96EA828F912853F32DB0D96138.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\7F417E1A6D819A9B2FEB55DA6858EA0A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\87AA2A001CE3E89926688B93E4DC2992.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\8C718B5AFD373885B68D2836088CAF9A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\903E49C444C46FEF5F2C3A189C9CEF71.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\96ABB1671705F680578FE240427CBD4F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9A72EE7775E8021F75961342B8AFD1B4.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9AD3182A2F39A3E091E15109132EC6CC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9CD33F0956942860B50AA1B9330DEFAF.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\9E06E4FE97F0CBB8D659894823F805D7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\A80FF2DC09487ECD60AFB147B262BDD7.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA6E0E396C238977CA909EFD82299737.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\AA742824DCADA846BA4B665D686DD5D6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BBF206490BAA431B592F9A13534F43F6.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\BE81B2C0741907C1FC1C42B6223E59AD.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D1A1B12A7DA3F9675C01397A26DBF4B3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\D4C4BA54B6A8FA6211E60E2ADFF7426A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DE391013DA56ABA39FFF40A9ABDF052F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DF80FD3849FFF74B4BF43E2EA8ADEC8A.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E04DE4CDFEC284A342159BB920976701.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E478A5DB75C9721E744C05D78DBACFD3.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E737DE61441445E1FDFCA45EF5E7D987.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\E9D8A460B2C986DD5FF19F299F4A27EC.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\EC45C70F2A3D9DED718E71631C38E2FE.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F01326692CC5736EBAC31B9FC2381CF2.mof Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\F81E6BEBC3067C406E6C491608474198.mof Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6001.18000_none_d12e90ac35ffb753\dnary.xsd Object is locked skipped
S:\Boot\BCD Object is locked skipped
S:\Boot\BCD.LOG Object is locked skipped

Scan process completed.
C:\Windows\a.bat moved successfully.
C:\Windows\winsystem.exe moved successfully.
C:\Windows\system32WINWGPX.EXE moved successfully.
C:\Windows\system32winsystem.exe moved successfully.
LoadLibrary failed for C:\Windows\system32vcatchpi.dll
C:\Windows\system32vcatchpi.dll NOT unregistered.
C:\Windows\system32vcatchpi.dll moved successfully.
LoadLibrary failed for C:\Windows\system32vbsys2.dll
C:\Windows\system32vbsys2.dll NOT unregistered.
C:\Windows\system32vbsys2.dll moved successfully.
LoadLibrary failed for C:\Windows\system32thun32.dll
C:\Windows\system32thun32.dll NOT unregistered.
C:\Windows\system32thun32.dll moved successfully.
LoadLibrary failed for C:\Windows\system32thun.dll
C:\Windows\system32thun.dll NOT unregistered.
C:\Windows\system32thun.dll moved successfully.
C:\Windows\system32sysreq.exe moved successfully.
C:\Windows\system32Rundl1.exe moved successfully.
C:\Windows\system32newsd32.exe moved successfully.
C:\Windows\system32mssecu.exe moved successfully.
LoadLibrary failed for C:\Windows\system32emesx.dll
C:\Windows\system32emesx.dll NOT unregistered.
C:\Windows\system32emesx.dll moved successfully.
C:\Windows\system32bdn.com moved successfully.
LoadLibrary failed for C:\Windows\system32awtoolb.dll
C:\Windows\system32awtoolb.dll NOT unregistered.
C:\Windows\system32awtoolb.dll moved successfully.
LoadLibrary failed for C:\Windows\system32anticipator.dll
C:\Windows\system32anticipator.dll NOT unregistered.
C:\Windows\system32anticipator.dll moved successfully.
C:\Windows\system32akttzn.exe moved successfully.
C:\Windows\mssecu.exe moved successfully.
C:\Windows\bdn.com moved successfully.
File/Folder C:\Windows\system32\wbepirif.exe not found.
File/Folder C:\Windows\dwnrpofk.dll not found.
C:\Windows\system32winlogonpc.exe moved successfully.
C:\Windows\system32temp#01.exe moved successfully.
C:\Windows\system32taack.exe moved successfully.
C:\Windows\system32taack.dat moved successfully.
C:\Windows\system32ssvchost.exe moved successfully.
C:\Windows\system32ssvchost.com moved successfully.
LoadLibrary failed for C:\Windows\system32ssurf022.dll
C:\Windows\system32ssurf022.dll NOT unregistered.
C:\Windows\system32ssurf022.dll moved successfully.
C:\Windows\system32sncntr.exe moved successfully.
File/Folder C:\Windows\system32smp not found.
LoadLibrary failed for C:\Windows\system32regm64.dll
C:\Windows\system32regm64.dll NOT unregistered.
C:\Windows\system32regm64.dll moved successfully.
LoadLibrary failed for C:\Windows\system32regc64.dll
C:\Windows\system32regc64.dll NOT unregistered.
C:\Windows\system32regc64.dll moved successfully.
C:\Windows\system32psoft1.exe moved successfully.
C:\Windows\system32psof1.exe moved successfully.
C:\Windows\system32ps1.exe moved successfully.
C:\Windows\system32netode.exe moved successfully.
C:\Windows\system32mwin32.exe moved successfully.
C:\Windows\system32mtr2.exe moved successfully.
C:\Windows\system32msvchost.exe moved successfully.
LoadLibrary failed for C:\Windows\system32msnbho.dll
C:\Windows\system32msnbho.dll NOT unregistered.
C:\Windows\system32msnbho.dll moved successfully.
C:\Windows\system32msgp.exe moved successfully.
LoadLibrary failed for C:\Windows\system32medup020.dll
C:\Windows\system32medup020.dll NOT unregistered.
C:\Windows\system32medup020.dll moved successfully.
LoadLibrary failed for C:\Windows\system32medup012.dll
C:\Windows\system32medup012.dll NOT unregistered.
C:\Windows\system32medup012.dll moved successfully.
C:\Windows\system32hxiwlgpm.exe moved successfully.
C:\Windows\system32hxiwlgpm.dat moved successfully.
LoadLibrary failed for C:\Windows\system32hoproxy.dll
C:\Windows\system32hoproxy.dll NOT unregistered.
C:\Windows\system32hoproxy.dll moved successfully.
LoadLibrary failed for C:\Windows\system32h@tkeysh@@k.dll
C:\Windows\system32h@tkeysh@@k.dll NOT unregistered.
C:\Windows\system32h@tkeysh@@k.dll moved successfully.
C:\Windows\system32dpcproxy.exe moved successfully.
C:\Windows\system32bsva-egihsg52.exe moved successfully.
C:\Windows\iTunesMusic.exe moved successfully.
C:\Windows\FVProtect.exe moved successfully.
LoadLibrary failed for C:\Windows\userconfig9x.dll
C:\Windows\userconfig9x.dll NOT unregistered.
C:\Windows\userconfig9x.dll moved successfully.
File/Folder C:\Windows\system32\butcbovu.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03292008_140331

Hijack to follow...

#13
greenshorts

    Member

  • Topic Starter
  • Member
  • 33 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37:43, on 29/03/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\PixArt\Pac7311\Monitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Jason\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.thetechguys.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC7311\Monitor.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [iLike] C:\Program Files\iLike\1.1.27\ilikesidebar.exe /checkforupdate
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [BMa9fbb516] Rundll32.exe "C:\Users\Jason\AppData\Local\Temp\yawowjni.dll",s
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\Windows\system32\lxdicoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10094 bytes
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [BMa9fbb516] Rundll32.exe "C:\Users\Jason\AppData\Local\Temp\yawowjni.dll",s



Now click on Fix Checked and then close Hijackthis.
=====================================================
Please uninstall MalwareBytes antimalware

After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
============================================================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


Doing this uninstalls Combofix and does the following:

  • Deletes ComboFix and its associated files and folders.
  • Deletes VundoFix backups, if present
  • Deletes the C:\Deckard folder, if present
  • Deletes the C:\_OtMoveIt folder, if present
  • Resets the clock settings.
  • Hides file extensions, if required.
  • Hides System/Hidden files, if required.
  • Cleans System Restore points.

Also delete/uninstall anything that we used that is left over.
===================================================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware - Another very powerful tool which searches and kills nasties that infect your system. Ad-Aware and Spybot Search & Destroy complement each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Castle Cops - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0
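As an added example (not a tool from this forum, from HijackThis, or from the poster above), the script below parses O4 autorun lines from a HijackThis log and flags the two traits of the entries kahdah asked to have fixed: a random-looking 8-letter value name paired with a different random-looking 8-letter executable, and Rundll32 loading a DLL out of a Temp folder. The sample lines are the three flagged entries and one benign AVG entry from this log; the IgfxTray line is constructed to show that a legitimate 8-letter file name alone does not trigger the rule.

```python
"""Triage HijackThis O4 (autorun) lines for the traits seen in this thread.
Heuristics only: a random-looking 8-letter value name paired with a different
random-looking 8-letter executable, or rundll32 loading a DLL from a Temp folder.
Legitimate 8-letter names exist (igfxtray), so both names must look random.
"""
import re

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RANDOM8_RE = re.compile(r"^[a-z]{8}$")
TEMP_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\temp\\[^"]+\.dll', re.I)

def parse_o4(line):
    """Return (hive, value_name, command) for an O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return m.group("hive", "name", "cmd") if m else None

def exe_stem(command):
    """File name without extension of the command's first token (wbepirif.exe -> wbepirif)."""
    tokens = command.split()
    first = tokens[0].strip('"') if tokens else ""
    return first.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def flag_reasons(line):
    """Reasons an O4 line looks like a malware autorun; empty list if it looks benign."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _hive, name, cmd = parsed
    stem = exe_stem(cmd)
    reasons = []
    if RANDOM8_RE.match(name) and RANDOM8_RE.match(stem) and name != stem:
        reasons.append("random-looking value name and executable name that do not match")
    if TEMP_DLL_RE.search(cmd):
        reasons.append("rundll32 loading a DLL from a Temp folder")
    return reasons

def triage(log_text):
    """Map each flagged O4 line to its reasons; benign and non-O4 lines are omitted."""
    return {ln: r for ln in log_text.splitlines() if (r := flag_reasons(ln))}

# Sample input: the first three lines are the entries fixed in this thread and the AVG
# line is a benign one from the same log; the IgfxTray line is constructed for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ualyrvci] C:\Windows\system32\wbepirif.exe
O4 - HKCU\..\Run: [xciczcbw] C:\Windows\system32\butcbovu.exe
O4 - HKCU\..\Run: [BMa9fbb516] Rundll32.exe "C:\Users\Jason\AppData\Local\Temp\yawowjni.dll",s
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
"""
```

Running `triage(SAMPLE_LOG)` returns a dict keyed by the three flagged lines; paste a full log into `triage` to get the same report for every O4 entry in it.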

#15
greenshorts

greenshorts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
:) Many thanks for your help Kahdah! :)
  • 0
