Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TrojanDowloader.XS [RESOLVED]

Started by Nic_van_Dessel , Mar 28 2008 07:43 PM

  • This topic is locked This topic is locked

#1
Nic_van_Dessel
Posted 28 March 2008 - 07:43 PM

Nic_van_Dessel

    Member

  • Member
  • PipPip
  • 41 posts
I have followed the instructions on this topic [ http://www.geekstogo...al System error ] up to the Post #2 when the staff member asked to copy two notepad documents and i knew they would be different so i have created a new thread and here are the two documents.



Deckard's System Scanner v20071014.68
Run by Nic on 2008-03-29 11:28:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-03-29 01:28:17 UTC - RP191 - Deckard's System Scanner Restore Point
69: 2008-03-28 23:15:44 UTC - RP190 - Last known good configuration
68: 2008-03-28 23:15:15 UTC - RP189 - Installed Navman NavDesk 2008
67: 2008-03-28 23:15:14 UTC - RP188 - System Checkpoint
66: 2008-03-28 23:15:14 UTC - RP187 - System Checkpoint


-- First Restore Point --
1: 2008-03-28 23:13:51 UTC - RP122 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Nic.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:58 AM, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\All Users\Application Data\kdoxyfex\inyrcfuj.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ofwrurip.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QUT VPN Client\cvpnd.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\LozWare\Lozdodge\LDG_Service.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nick\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nic.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70A6BA03-F8E7-42D6-A023-2D34CD6643C9} - C:\WINDOWS\system32\awtqnnnn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ContextAdvisor - {87E68009-29A8-D669-F7C2-B31D08635C50} - C:\Program Files\ContextAdvisor\ContextAdvisor-1.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\rqRHaxYO.dll
O2 - BHO: (no name) - {B7EA0C59-1858-423F-B900-EE21B86042A6} - (no file)
O2 - BHO: (no name) - {C748BBB6-D4F5-435E-A5A5-3197BEFB2C7D} - (no file)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [Lozdodge] C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe HIDE
O4 - HKLM\..\Run: [PC-Antispyware] "C:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
O4 - HKLM\..\Run: [MbarInstall] C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [wvqojfqn] C:\WINDOWS\system32\ofwrurip.exe
O4 - HKCU\..\Run: [xfzsklvq] C:\WINDOWS\system32\crizqfit.exe
O4 - HKLM\..\Policies\Explorer\Run: [jWK1q1eUkS] C:\Documents and Settings\All Users\Application Data\kdoxyfex\inyrcfuj.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QUT Secure Access Service Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRHaxYO - C:\WINDOWS\SYSTEM32\rqRHaxYO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\QUT VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 10260 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BootScreen - c:\windows\\systemroot\system32\drivers\vidstub.sys (file missing)
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 hypervisor (Parallels Hypervisor) - c:\windows\system32\drivers\hypervisor.sys
R2 pvs (Parallels Kernel Driver) - c:\windows\system32\drivers\pvs.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
R2 pvsnet (Parallels Network Driver) - c:\windows\system32\drivers\pvsnet.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
R2 pvspth (Parallels Passthrough Driver) - c:\windows\system32\drivers\pvspth.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
R2 pvsum (Parallels USB Manager) - c:\windows\system32\drivers\pvsum.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
R3 PVSVNIC (Parallels Virtual NIC Driver) - c:\windows\system32\drivers\pvsvnic.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:\program files\sophos\sophos anti-virus\savadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 SAVService (Sophos Anti-Virus) - "c:\program files\sophos\sophos anti-virus\savservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
R2 Sophos AutoUpdate Service - "c:\program files\sophos\autoupdate\alsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate>

S2 PRLDHCP (Parallels DHCP Service for Virtual NIC) - c:\program files\parallels\parallels workstation\prldhcp.exe <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2008-03-29 11:21:08 446 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-03-29 10:21:00 390 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1203553245.job
2008-03-29 03:00:00 360 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2008-03-26 19:50:13 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-03-23 15:40:28 304 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-29 11:30:32 0 d-------- C:\Program Files\Trend Micro
2008-03-29 11:24:56 110592 --a------ C:\WINDOWS\system32\crizqfit.exe
2008-03-29 11:14:15 2892 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-29 11:12:32 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-29 11:12:32 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-29 11:12:32 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-29 11:12:32 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-29 11:12:32 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-29 11:12:32 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-29 11:12:32 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-29 10:04:44 0 d-------- C:\Documents and Settings\Nick\Application Data\PC-Antispyware
2008-03-29 10:03:32 0 d-------- C:\Program Files\PC-Antispyware
2008-03-29 09:13:39 10034 --ahs---- C:\WINDOWS\system32\nnnnqtwa.ini2
2008-03-29 09:11:48 268288 --a------ C:\WINDOWS\system32\awtqnnnn.dll
2008-03-29 09:03:58 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-03-29 09:03:58 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-03-29 09:03:58 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-03-29 09:03:58 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-03-29 09:03:58 81920 --a------ C:\WINDOWS\dwltqnmx.exe
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\system32taack.exe
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\system32taack.dat
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-03-29 09:03:57 4096 --a------ C:\WINDOWS\a.bat
2008-03-29 09:03:57 0 d-------- C:\Documents and Settings\Nick\Desktopvirii
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-03-29 09:03:56 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-03-29 09:03:55 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-03-29 09:03:55 0 d-------- C:\WINDOWS\system32smp
2008-03-29 09:03:55 4096 --a------ C:\WINDOWS\system32netode.exe
2008-03-29 09:03:55 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-03-29 09:03:55 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-03-29 09:03:55 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-03-29 09:03:54 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-03-29 09:03:51 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-03-29 09:03:51 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-03-29 09:03:51 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-03-29 09:03:51 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32thun.dll
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-03-29 09:03:50 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-03-29 09:03:50 4096 --a------ C:\Documents and Settings\Nick\DesktopFWebdEditor.exe
2008-03-29 09:03:50 4096 --a------ C:\Documents and Settings\Nick\Desktopfwebd.exe
2008-03-29 09:03:50 4096 --a------ C:\Documents and Settings\Nick\Desktopfilemanagerclient.exe
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\winsystem.exe
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32bdn.com
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\mssecu.exe
2008-03-29 09:03:49 4096 --a------ C:\WINDOWS\bdn.com
2008-03-29 09:03:36 40448 --a------ C:\WINDOWS\system32\byXQKeFw.dll
2008-03-29 09:03:20 110592 --a------ C:\WINDOWS\system32\ofwrurip.exe
2008-03-29 09:03:20 0 d-------- C:\Documents and Settings\All Users\Application Data\kdoxyfex
2008-03-29 09:03:12 40448 --a------ C:\WINDOWS\system32\rqRHaxYO.dll
2008-03-29 08:37:55 0 d-------- C:\Program Files\Navman
2008-03-28 15:44:33 0 d-------- C:\Documents and Settings\Guest\Application Data\Macromedia
2008-03-28 15:44:32 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2008-03-28 07:52:59 0 d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2008-03-28 07:49:07 0 d-------- C:\Documents and Settings\Guest\Application Data\Mozilla
2008-03-28 07:48:30 0 d-------- C:\Documents and Settings\Guest\Application Data\Logitech
2008-03-28 07:48:05 0 d-------- C:\Documents and Settings\Guest\Application Data\Share-to-Web Upload Folder
2008-03-28 07:47:32 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-03-28 07:47:11 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-03-28 07:47:11 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-03-28 07:47:11 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-03-28 07:47:11 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-03-28 07:47:11 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-03-28 07:47:11 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-03-28 07:47:11 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-03-28 07:47:11 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-03-28 07:47:11 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-03-28 07:47:11 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-03-28 07:47:11 0 d--hs---- C:\Documents and Settings\Guest\Cookies
2008-03-28 07:47:11 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-03-28 07:47:11 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-03-28 07:47:10 786432 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-03-26 19:15:27 0 d-------- C:\Program Files\LozWare
2008-03-23 10:23:08 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-03-23 10:22:59 15872 --a------ C:\WINDOWS\system32\sophosboottasks.exe <Not Verified; Sophos Plc; Sophos Anti-Virus>
2008-03-23 10:22:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-03-23 10:21:30 0 d-------- C:\Program Files\Sophos
2008-03-22 13:48:12 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-03-22 13:45:07 0 d-------- C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information
2008-03-22 13:44:58 0 d-------- C:\Program Files\2K Games
2008-03-22 13:43:20 0 d-------- C:\Documents and Settings\Nick\Application Data\InstallShield
2008-03-21 13:42:17 0 d-------- C:\Program Files\Incomplete
2008-03-16 16:18:43 0 d-------- C:\Documents and Settings\Nick\Application Data\Google
2008-03-15 13:07:07 12310 --a------ C:\WINDOWS\system32\drivers\pvsnet.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
2008-03-15 13:06:47 8320 --a------ C:\WINDOWS\system32\drivers\PvsUM.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
2008-03-15 13:06:47 13344 --a------ C:\WINDOWS\system32\drivers\pvspth.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
2008-03-15 13:06:47 28800 --a------ C:\WINDOWS\system32\drivers\pvs.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
2008-03-15 13:06:47 51712 --a------ C:\WINDOWS\system32\drivers\hypervisor.sys
2008-03-15 13:06:46 22752 --a------ C:\WINDOWS\system32\drivers\pvsusb.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
2008-03-15 13:04:44 0 d-------- C:\Program Files\Parallels
2008-03-15 13:03:43 4412 --a------ C:\WINDOWS\system32\drivers\pvsvnic.sys <Not Verified; Parallels Software International, Inc.; Parallels Workstation 2.2>
2008-03-10 18:35:04 48 --a------ C:\Documents and Settings\Nick\test.bat
2008-03-06 17:39:52 118784 --a------ C:\WINDOWS\GREUninstall.exe
2008-03-02 12:09:18 9235 --a------ C:\WINDOWS\mozver.dat


-- Find3M Report ---------------------------------------------------------------

2008-03-29 11:23:34 0 d-------- C:\Documents and Settings\Nick\Application Data\Hamachi
2008-03-29 10:02:22 0 d-------- C:\Program Files\ContextAdvisor
2008-03-29 08:37:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-25 16:02:23 0 d-------- C:\Program Files\Java
2008-03-23 10:23:08 0 d-------- C:\Program Files\Common Files
2008-03-21 13:53:35 0 d-------- C:\Documents and Settings\Nick\Application Data\LimeWire
2008-03-21 13:42:17 0 d-------- C:\Program Files\LimeWire
2008-03-19 15:45:39 0 d-------- C:\Documents and Settings\Nick\Application Data\Azureus
2008-03-16 16:18:43 0 d-------- C:\Program Files\Google
2008-03-14 17:05:30 0 d-------- C:\Program Files\Azureus
2008-03-10 16:57:45 1683634 --a------ C:\WINDOWS\system32\version69ie7fix.dll
2008-03-09 09:00:50 0 d-------- C:\Program Files\Mozilla Sunbird
2008-03-06 17:41:50 0 d-------- C:\Documents and Settings\Nick\Application Data\Mozilla
2008-03-06 17:40:57 335 --a------ C:\WINDOWS\nsreg.dat
2008-02-29 16:35:37 0 d-------- C:\Documents and Settings\Nick\Application Data\Real
2008-02-27 16:35:51 0 d-------- C:\Program Files\Windows Live
2008-02-27 12:21:21 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-27 11:28:14 0 d-------- C:\Program Files\CaraQ
2008-02-27 06:57:13 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-24 12:55:22 2546 --a------ C:\WINDOWS\unins000.dat
2008-02-24 12:40:36 691545 --a------ C:\WINDOWS\unins000.exe
2008-02-24 11:00:52 0 d-------- C:\Documents and Settings\Nick\Application Data\Adobe
2008-02-23 18:40:52 0 d-------- C:\Program Files\FBrowserAdvisor
2008-02-22 18:19:22 0 d-------- C:\Program Files\Docudesk
2008-02-22 17:44:26 0 d-------- C:\Program Files\Amic Utilities
2008-02-22 09:51:50 0 d-------- C:\Documents and Settings\Nick\Application Data\Share-to-Web Upload Folder
2008-02-21 12:02:06 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-21 10:18:24 0 d-------- C:\Program Files\ReadIris
2008-02-21 09:56:31 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-21 09:54:58 0 d-------- C:\Program Files\Hewlett-Packard
2008-02-15 18:01:01 0 d-------- C:\Program Files\Rhinoceros 4.0
2008-02-07 17:06:57 0 d-------- C:\Program Files\MSTpscre


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}]
29/03/2008 10:04 AM 176128 --a------ C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70A6BA03-F8E7-42D6-A023-2D34CD6643C9}]
29/03/2008 09:11 AM 268288 --a------ C:\WINDOWS\system32\awtqnnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87E68009-29A8-D669-F7C2-B31D08635C50}]
31/12/2007 06:48 AM 1019904 --a------ C:\Program Files\ContextAdvisor\ContextAdvisor-1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}]
29/03/2008 09:03 AM 40448 --a------ C:\WINDOWS\system32\rqRHaxYO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7EA0C59-1858-423F-B900-EE21B86042A6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C748BBB6-D4F5-435E-A5A5-3197BEFB2C7D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [24/02/2004 09:10 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"MediaLifeService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" [12/05/2005 09:23 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [14/11/2007 11:43 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/11/2007 01:11 PM]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" []
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [11/04/2002 04:19 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 10:16 PM]
"pdfw"="C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe" []
"Lozdodge"="C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe" [26/03/2008 07:15 PM]
"PC-Antispyware"="C:\Program Files\PC-Antispyware\PC-Antispyware.exe" [29/03/2008 10:04 AM]
"MbarInstall"="C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [19/09/2007 12:16 AM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [16/11/2006 07:04 PM]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [01/11/2007 07:18 PM]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM]
"wvqojfqn"="C:\WINDOWS\system32\ofwrurip.exe" [29/03/2008 09:03 AM]
"xfzsklvq"="C:\WINDOWS\system32\crizqfit.exe" [29/03/2008 11:24 AM]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [15/11/2007 4:43:19 PM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [19/04/2007 1:49:52 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2/08/2007 11:45:14 PM]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [27/06/2002 1:20:58 AM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [1/11/2007 7:18:05 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [29/10/2007 5:43:21 PM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [27/06/2002 1:21:30 AM]
QUT Secure Access Service Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [27/11/2007 8:59:11 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"jWK1q1eUkS"=C:\Documents and Settings\All Users\Application Data\kdoxyfex\inyrcfuj.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\PROGRA~1\Qualcomm\Eudora\EuShlExt.dll [17/08/2006 02:57 PM 86016]
"{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}"= C:\WINDOWS\system32\rqRHaxYO.dll [29/03/2008 09:03 AM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO]
rqRHaxYO.dll 29/03/2008 09:03 AM 40448 C:\WINDOWS\system32\rqRHaxYO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqnnnn

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TalkAndWrite"=C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

8027 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-29 11:32:03 ------------

Edited by Nic_van_Dessel, 28 March 2008 - 07:53 PM.

  • 0

Advertisements

#2
Nic_van_Dessel
Posted 28 March 2008 - 07:53 PM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 510.8 MiB / 138.81 MiB
Pagefile Memory (total/avail): 1247.11 MiB / 836.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.73 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 232.88 GiB total, 146.06 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 74.52 GiB total, 74.45 GiB free.

\\.\PHYSICALDRIVE0 - HDT722525DLAT80 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD800BB-88JHC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Sophos Anti-Virus v () Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Counter Strike 1.6 Reloaded\\hl.exe"="C:\\Program Files\\Counter Strike 1.6 Reloaded\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\UT2004\\System\\UT2004.exe"="C:\\UT2004\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Documents and Settings\\Nick\\My Documents\\Warcraft III\\Warcraft III.exe"="C:\\Documents and Settings\\Nick\\My Documents\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Battlefield\\BF1942Demo.exe"="C:\\Battlefield\\BF1942Demo.exe:*:Enabled:BF1942Demo"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"G:\\Games\\Fullscreen\\Counter-Strike 1.6\\hl.exe"="G:\\Games\\Fullscreen\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"="C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe:*:Enabled:Brothers In Arms Earned In Blood"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"="C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\\Program Files\\LozWare\\Lozdodge\\LDG_Service.exe"="C:\\Program Files\\LozWare\\Lozdodge\\LDG_Service.exe:*:Enabled:Lozdodge Server Application"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nick\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NIC--DESKTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nick
LOGONSERVER=\\NIC--DESKTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nick\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nick\LOCALS~1\Temp
USERDOMAIN=NIC--DESKTOP
USERNAME=Nic
USERPROFILE=C:\Documents and Settings\Nick
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Nick (admin)
Maria (admin)
Diana
Guest (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Premiere Pro CS3 Preview --> C:\Program Files\Common Files\Adobe\Installers\5fc5c4705cf4304a3307aa35297d204\Setup.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{F770C5F1-812A-4147-AB8C-700113387F1F}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Brothers In Arms EiB --> C:\Program Files\Ubisoft\Gearbox Software\BrothersInArmsEiB\System\Setup.exe uninstall "BrothersInArmsEiB"
Build A Lot Free Trial --> "C:\Program Files\BuildALot_at\unins000.exe"
Canon PIXMA iP5000 --> C:\WINDOWS\system32\CNMCP6d.exe "-PRINTERNAMECanon PIXMA iP5000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP5000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP5000 Installer\Inst2\cnmi0409.dll"
CaraQ --> "C:\Program Files\CaraQ\unins000.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Cisco Systems VPN Client 4.8.01.0300 --> MsiExec.exe /X{D25122BC-A60E-4663-B602-B01718F12044}
ContextAdvisor --> C:\Program Files\ContextAdvisor\uninstall.exe
Counter Strike 1.6 Reloaded --> C:\WINDOWS\Counter Strike 1.6 Reloaded Uninstaller.exe
deskPDF 2.5 Professional Edition --> "C:\Program Files\Docudesk\deskPDF\unins000.exe"
EndNote X Volume License Edition --> MsiExec.exe /I{FE4BD9BD-4A26-4F39-B12C-19336204B102}
Eudora --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D7802FF-5BDF-4394-8A03-5BA4AD9F48AB}\setup.exe" -l0x9
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Hamachi 1.0.2.3 --> C:\Program Files\Hamachi\uninstall.exe
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet --> C:\Program Files\Hewlett-Packard\Digital Imaging\AiODriver\Drivers\Uninst\enu\hposcr01.exe -forcereboot -datfile hposcr01.dat
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet --> MsiExec.exe /X{82DFB852-9594-4668-9C66-28BB6E94BCB2}
HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet Drivers --> MsiExec.exe /X{ED93995E-8BF2-480F-8EA4-7D29E29A7052}
hp psc 2100 series --> rundll32 hpzcon05.dll,VendorJettison hp psc 2100 series
HyperCam 2 --> "C:\Program Files\HyCam2\UnHyCam2.exe"
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.14.0 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 1.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\SETUP.exe" -l0x9 UNINSTALL -removeonly
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
MediaLife --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{362BFFCD-8274-11D8-97C8-000129760CBE}\setup.exe" -uninstall
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{90A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 8.0 Support DLLs --> MsiExec.exe /X{342F5437-C87D-4BB5-89B9-B23E16C6A395}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Sunbird (0.7) --> C:\Program Files\Mozilla Sunbird\uninstall\uninst.exe
Mozilla Thunderbird (2.0.0.6) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
Navman NavDesk 2008 --> C:\Program Files\InstallShield Installation Information\{9C8732C3-32DE-4569-9E90-30040D76DABC}\Setup.exe -runfromtemp -l0x0009 -removeonly
Nero 7 Ultra Edition --> MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31033}
Parallels Workstation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECEBA21C-8607-40A7-AB90-9E929AA6CB20}\setup.exe" -l0x9 -removeonly
PC-Antispyware --> C:\Program Files\PC-Antispyware\Uninstall.exe
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSetup.exe -U -IPSCRCTR5K.inf
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
QUT SAS 4.8.1 (Cisco VPN Client 4.8.01.300) --> "C:\WINDOWS\system32\QUTCACHE\QUTSAS481\UNINSTAL.EXE" "C:\WINDOWS\system32\QUTCACHE\QUTSAS481\qutsas481-installer.log" "QUTSAS 4.8.1 Uninstall"
Readiris 7.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}\setup.exe" -l0x9
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhinoceros 4.0 Evaluation --> MsiExec.exe /I{761EC7CE-E646-4A8C-95DA-A24C6CDACF3F}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sibelius Scorch --> MsiExec.exe /I{51C65CD6-A344-41B5-81E2-3CCAC8024F68}
Sid Meier's Railroads! --> C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information\{EE3FBD3C-782E-4A90-9507-0ECFE1FECCE4}\setup.exe -runfromtemp -l0x0009 -removeonly
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sophos Anti-Virus --> MsiExec.exe /X{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}
Sophos AutoUpdate --> MsiExec.exe /X{15C418EB-7675-42BE-B2B3-281952DA014D}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
TreeSize Professional 4.0.2 --> "C:\Program Files\JAM Software\TreeSize Professional\unins000.exe"
VideoLAN VLC media player 0.8.6b --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type188 / Warning
Event Submitted/Written: 03/29/2008 11:31:20 AM
Event ID/Source: 16 / Sophos Anti-Virus
Event Description:
File "C:\WINDOWS\system32\version69ie7fix.dll" belongs to potentially unwanted application 'Mirar' (of type Adware).

Event Record #/Type187 / Warning
Event Submitted/Written: 03/29/2008 11:31:19 AM
Event ID/Source: 16 / Sophos Anti-Virus
Event Description:
File "C:\WINDOWS\system32\version69ie7fix.dll" belongs to potentially unwanted application 'Mirar' (of type Adware).

Event Record #/Type180 / Warning
Event Submitted/Written: 03/29/2008 10:56:10 AM
Event ID/Source: 16 / Sophos Anti-Virus
Event Description:
File "C:\Documents and Settings\Nick\My Documents\Program Downloads\PLAY_MP3.exe" belongs to potentially unwanted application 'PlayMP3z Installer' (of type Adware).

Event Record #/Type179 / Warning
Event Submitted/Written: 03/29/2008 10:56:09 AM
Event ID/Source: 16 / Sophos Anti-Virus
Event Description:
File "C:\Documents and Settings\Nick\My Documents\Program Downloads\PLAY_MP3(2).exe" belongs to potentially unwanted application 'PlayMP3z Installer' (of type Adware).

Event Record #/Type178 / Warning
Event Submitted/Written: 03/29/2008 10:49:29 AM
Event ID/Source: 32 / Sophos Anti-Virus
Event Description:
File "C:\Documents and Settings\Nick\Local Settings\Temp\Rar$EX01.125\pdtrain.exe" belongs to virus 'Mal/EncPk-BA'.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type20392 / Error
Event Submitted/Written: 03/29/2008 11:28:01 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Event Record #/Type20388 / Error
Event Submitted/Written: 03/29/2008 11:24:57 AM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Event Record #/Type20341 / Warning
Event Submitted/Written: 03/29/2008 11:21:47 AM / 03/29/2008 11:21:48 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000123456789. The IP address being used is 169.254.166.46.

Event Record #/Type20337 / Error
Event Submitted/Written: 03/29/2008 11:19:22 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type20336 / Error
Event Submitted/Written: 03/29/2008 11:17:29 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-03-29 11:32:03 ------------





please help
  • 0

#3
kahdah
Posted 02 April 2008 - 11:33 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Nic_van_Dessel

Welcome to G2Go. :)
=====================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#4
Nic_van_Dessel
Posted 10 April 2008 - 01:49 AM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts

Double click combofix.exe and follow the prompts.



combo fix is not opening? :)
  • 0

#5
kahdah
Posted 10 April 2008 - 03:27 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\crizqfit.exe
C:\WINDOWS\system32\nnnnqtwa.ini2
C:\WINDOWS\system32\awtqnnnn.dll
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\dwltqnmx.exe
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\a.bat
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32akttzn.exe
C:\Documents and Settings\Nick\DesktopFWebdEditor.exe
C:\Documents and Settings\Nick\Desktopfwebd.exe
C:\Documents and Settings\Nick\Desktopfilemanagerclient.exe
C:\WINDOWS\winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\mssecu.exe
C:\WINDOWS\bdn.com
C:\WINDOWS\system32\byXQKeFw.dll
C:\WINDOWS\system32\ofwrurip.exe
C:\WINDOWS\system32\rqRHaxYO.dll
C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe
C:\WINDOWS\system32\ofwrurip.exe
C:\WINDOWS\system32\crizqfit.exe
C:\Documents and Settings\Nick\My Documents\Program Downloads\PLAY_MP3.exe
C:\WINDOWS\system32\version69ie7fix.dll
C:\Documents and Settings\Nick\Local Settings\Temp\Rar$EX01.125\pdtrain.exe

Folders to delete::
C:\Documents and Settings\Nick\Application Data\PC-Antispyware
C:\Program Files\PC-Antispyware
C:\Documents and Settings\Nick\Desktopvirii
C:\WINDOWS\system32smp
C:\Documents and Settings\All Users\Application Data\kdoxyfex

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70A6BA03-F8E7-42D6-A023-2D34CD6643C9}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7EA0C59-1858-423F-B900-EE21B86042A6}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C748BBB6-D4F5-435E-A5A5-3197BEFB2C7D}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | PC-Antispyware
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | MbarInstall
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | wvqojfqn
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | xfzsklvq
HKLM\software\microsoft\windows\currentversion\policies\explorer\Run | jWK1q1eUkS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {94BC3D1D-22E9-4744-8ED1-3E08A3B74078}



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

#6
Nic_van_Dessel
Posted 10 April 2008 - 04:27 PM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Fri Apr 11 08:16:38 2008

08:16:10: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wvqojfqn"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
08:16:26: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|xfzsklvq"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\crizqfit.exe" deleted successfully.
File "C:\WINDOWS\system32\nnnnqtwa.ini2" deleted successfully.
File "C:\WINDOWS\system32\awtqnnnn.dll" deleted successfully.
File "C:\WINDOWS\userconfig9x.dll" deleted successfully.
File "C:\WINDOWS\system32winlogonpc.exe" deleted successfully.
File "C:\WINDOWS\system32hoproxy.dll" deleted successfully.
File "C:\WINDOWS\FVProtect.exe" deleted successfully.
File "C:\WINDOWS\dwltqnmx.exe" deleted successfully.
File "C:\WINDOWS\system32taack.exe" deleted successfully.
File "C:\WINDOWS\system32taack.dat" deleted successfully.
File "C:\WINDOWS\system32sncntr.exe" deleted successfully.
File "C:\WINDOWS\system32mwin32.exe" deleted successfully.
File "C:\WINDOWS\system32hxiwlgpm.exe" deleted successfully.
File "C:\WINDOWS\system32hxiwlgpm.dat" deleted successfully.
File "C:\WINDOWS\a.bat" deleted successfully.
File "C:\WINDOWS\system32ssurf022.dll" deleted successfully.
File "C:\WINDOWS\system32psoft1.exe" deleted successfully.
File "C:\WINDOWS\system32psof1.exe" deleted successfully.
File "C:\WINDOWS\system32ps1.exe" deleted successfully.
File "C:\WINDOWS\system32msnbho.dll" deleted successfully.
File "C:\WINDOWS\system32medup020.dll" deleted successfully.
File "C:\WINDOWS\system32medup012.dll" deleted successfully.
File "C:\WINDOWS\system32bsva-egihsg52.exe" deleted successfully.
File "C:\WINDOWS\iTunesMusic.exe" deleted successfully.
File "C:\WINDOWS\system32temp#01.exe" deleted successfully.
File "C:\WINDOWS\system32netode.exe" deleted successfully.
File "C:\WINDOWS\system32mtr2.exe" deleted successfully.
File "C:\WINDOWS\system32msgp.exe" deleted successfully.
File "C:\WINDOWS\system32h@tkeysh@@k.dll" deleted successfully.
File "C:\WINDOWS\system32dpcproxy.exe" deleted successfully.
File "C:\WINDOWS\system32ssvchost.exe" deleted successfully.
File "C:\WINDOWS\system32ssvchost.com" deleted successfully.
File "C:\WINDOWS\system32regm64.dll" deleted successfully.
File "C:\WINDOWS\system32regc64.dll" deleted successfully.
File "C:\WINDOWS\system32vcatchpi.dll" deleted successfully.
File "C:\WINDOWS\system32thun32.dll" deleted successfully.
File "C:\WINDOWS\system32thun.dll" deleted successfully.
File "C:\WINDOWS\system32Rundl1.exe" deleted successfully.
File "C:\WINDOWS\system32newsd32.exe" deleted successfully.
File "C:\WINDOWS\system32msvchost.exe" deleted successfully.
File "C:\WINDOWS\system32emesx.dll" deleted successfully.
File "C:\WINDOWS\system32anticipator.dll" deleted successfully.
File "C:\WINDOWS\system32akttzn.exe" deleted successfully.
File "C:\Documents and Settings\Nick\DesktopFWebdEditor.exe" deleted successfully.
File "C:\Documents and Settings\Nick\Desktopfwebd.exe" deleted successfully.
File "C:\Documents and Settings\Nick\Desktopfilemanagerclient.exe" deleted successfully.
File "C:\WINDOWS\winsystem.exe" deleted successfully.
File "C:\WINDOWS\system32WINWGPX.EXE" deleted successfully.
File "C:\WINDOWS\system32winsystem.exe" deleted successfully.
File "C:\WINDOWS\system32vbsys2.dll" deleted successfully.
File "C:\WINDOWS\system32sysreq.exe" deleted successfully.
File "C:\WINDOWS\system32mssecu.exe" deleted successfully.
File "C:\WINDOWS\system32bdn.com" deleted successfully.
File "C:\WINDOWS\system32awtoolb.dll" deleted successfully.
File "C:\WINDOWS\mssecu.exe" deleted successfully.
File "C:\WINDOWS\bdn.com" deleted successfully.
File "C:\WINDOWS\system32\byXQKeFw.dll" deleted successfully.
File "C:\WINDOWS\system32\ofwrurip.exe" deleted successfully.
File "C:\WINDOWS\system32\rqRHaxYO.dll" deleted successfully.

Error: file "C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe" not found!
Deletion of file "C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ofwrurip.exe" not found!
Deletion of file "C:\WINDOWS\system32\ofwrurip.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\crizqfit.exe" not found!
Deletion of file "C:\WINDOWS\system32\crizqfit.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\Nick\My Documents\Program Downloads\PLAY_MP3.exe" deleted successfully.
File "C:\WINDOWS\system32\version69ie7fix.dll" deleted successfully.

Error: could not open file "C:\Documents and Settings\Nick\Local Settings\Temp\Rar$EX01.125\pdtrain.exe"
Deletion of file "C:\Documents and Settings\Nick\Local Settings\Temp\Rar$EX01.125\pdtrain.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "Folders to delete::" not found!
Deletion of file "Folders to delete::" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "C:\Documents and Settings\Nick\Application Data\PC-Antispyware" is a folder, not a file!
Deletion of file "C:\Documents and Settings\Nick\Application Data\PC-Antispyware" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\Program Files\PC-Antispyware" is a folder, not a file!
Deletion of file "C:\Program Files\PC-Antispyware" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\Documents and Settings\Nick\Desktopvirii" is a folder, not a file!
Deletion of file "C:\Documents and Settings\Nick\Desktopvirii" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\WINDOWS\system32smp" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32smp" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\Documents and Settings\All Users\Application Data\kdoxyfex" is a folder, not a file!
Deletion of file "C:\Documents and Settings\All Users\Application Data\kdoxyfex" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}" deleted successfully.

Error: registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70A6BA03-F8E7-42D6-A023-2D34CD6643C9}" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70A6BA03-F8E7-42D6-A023-2D34CD6643C9}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7EA0C59-1858-423F-B900-EE21B86042A6}" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C748BBB6-D4F5-435E-A5A5-3197BEFB2C7D}" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|PC-Antispyware" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MbarInstall" deleted successfully.
Registry value "HKLM\software\microsoft\windows\currentversion\policies\explorer\Run|jWK1q1eUkS" deleted successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:59 AM, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\LozWare\Lozdodge\LDG_Service.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BC4A41E-7D83-4A0B-8EB1-5F8783DF75BA} - C:\WINDOWS\system32\awtqnnnn.dll (file missing)
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ContextAdvisor - {87E68009-29A8-D669-F7C2-B31D08635C50} - C:\Program Files\ContextAdvisor\ContextAdvisor-1.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - (no file)
O2 - BHO: (no name) - {A48355CA-3169-46C2-A80F-E67275359E6A} - (no file)
O2 - BHO: (no name) - {B7EA0C59-1858-423F-B900-EE21B86042A6} - (no file)
O2 - BHO: (no name) - {BF2294FD-807B-461F-825D-C2EAD9612C5D} - (no file)
O2 - BHO: (no name) - {C748BBB6-D4F5-435E-A5A5-3197BEFB2C7D} - (no file)
O2 - BHO: (no name) - {D6E1503B-8EBF-45E4-9611-771117AF6BD8} - (no file)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [Lozdodge] C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe HIDE
O4 - HKLM\..\Run: [6844a283] rundll32.exe "C:\WINDOWS\system32\sprwnssl.dll",b
O4 - HKLM\..\Run: [MbarInstall] C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [wvqojfqn] C:\WINDOWS\system32\ofwrurip.exe
O4 - HKCU\..\Run: [xfzsklvq] C:\WINDOWS\system32\crizqfit.exe
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QUT Secure Access Service Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ktvoiugv - C:\WINDOWS\SYSTEM32\ktvoiugv.dll
O20 - Winlogon Notify: rqRHaxYO - C:\WINDOWS\
O20 - Winlogon Notify: xwxshskb - C:\WINDOWS\SYSTEM32\xwxshskb.dll
O20 - Winlogon Notify: __c001DE5E - C:\WINDOWS\SYSTEM32\__c001DE5E.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\QUT VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 10599 bytes
  • 0

#7
kahdah
Posted 10 April 2008 - 06:35 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please delete your version of Combofix.

Then redownload it from one of the links below
Link 1
Link 2
Link 3

Then do the following:
Click on your START button and choose Run. Then copy/paste the entire content of the following codebox (Including the "" marks and the Symbols) into the run box.

"%userprofile%\desktop\ComboFix.exe" /KillAll


Click OK and this will start ComboFix in a special way.
When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#8
Nic_van_Dessel
Posted 10 April 2008 - 09:47 PM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Posted Image

that what comes up :) except for the top at the top it says C:\Documents and Settings\Nick\desktop\ComboFix.exe

Edited by Nic_van_Dessel, 10 April 2008 - 09:48 PM.

  • 0

#9
kahdah
Posted 11 April 2008 - 02:52 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#10
Nic_van_Dessel
Posted 13 April 2008 - 01:22 AM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
figured out that sophos anti virus stopping combo fix from doing stuff so disabled/deleted :) it and followed instructions from Post #7

ComboFix 08-04-10.7 - Nic 2008-04-13 16:24:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT 10:00]
Running from: C:\Documents and Settings\Nick\desktop\ComboFix.exe
Command switches used :: /KillAll
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nick\Desktopblackbird.jpg
C:\Documents and Settings\Nick\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Nick\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Nick\Desktopfkwp1.5.exe
C:\Documents and Settings\Nick\Desktopfkwp2.0.exe
C:\Documents and Settings\Nick\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Nick\Desktopvirii
C:\Program Files\PC-Cleaner
C:\Program Files\PC-Cleaner\com\pcsd.dll
C:\Program Files\PC-Cleaner\PC-Cleaner.db
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\Program Files\PC-Cleaner\pccleaner.pkg
C:\Program Files\PC-Cleaner\program.info
C:\Program Files\PC-Cleaner\Uninstall.exe
C:\WINDOWS\base64.tmp
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\rs.txt
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\__c001DE5E.dat
C:\WINDOWS\system32\__c0052ABF.dat
C:\WINDOWS\system32\__c005515A.dat
C:\WINDOWS\system32\__c0073804.dat
C:\WINDOWS\system32\__c00C5A49.dat
C:\WINDOWS\system32\ahwimbkd.dll
C:\WINDOWS\system32\bndqkquk.dll
C:\WINDOWS\system32\dssstpmp.dll
C:\WINDOWS\system32\hpfqwxgy.dll
C:\WINDOWS\system32\ietefitm.dll
C:\WINDOWS\system32\ixepmgxw.dll
C:\WINDOWS\system32\ktvoiugv.dll
C:\WINDOWS\system32\kuqkqdnb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oxpvrwdy.dll
C:\WINDOWS\system32\pfntjint.dll
C:\WINDOWS\system32\readme-net.doc
C:\WINDOWS\system32\thigkmkl.dll
C:\WINDOWS\system32\tlayxsek.dll
C:\WINDOWS\system32\vdykglul.dll
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\xwxshskb.dll
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\Web\def.htm
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-13 16:37 . 2008-04-13 16:37 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-13 16:28 . 2008-04-13 16:28 268 --ah----- C:\sqmdata15.sqm
2008-04-13 16:28 . 2008-04-13 16:28 244 --ah----- C:\sqmnoopt16.sqm
2008-04-13 16:21 . 2008-04-13 16:21 <DIR> d-------- C:\VundoFix Backups
2008-04-11 13:55 . 2008-04-11 13:55 268 --ah----- C:\sqmdata14.sqm
2008-04-11 13:55 . 2008-04-11 13:55 244 --ah----- C:\sqmnoopt15.sqm
2008-04-11 08:29 . 2008-04-11 08:29 268 --ah----- C:\sqmdata13.sqm
2008-04-11 08:29 . 2008-04-11 08:29 244 --ah----- C:\sqmnoopt14.sqm
2008-04-11 08:16 . 2008-04-11 08:16 0 --ah----- C:\sqmnoopt13.sqm
2008-04-11 08:10 . 2008-04-11 08:10 3,648 --a------ C:\WINDOWS\system32\sonbvlgy.dll
2008-04-11 08:09 . 2008-04-11 08:09 102,400 --a------ C:\WINDOWS\system32\jstkbkde.exe
2008-04-04 19:15 . 2008-04-04 19:16 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\PC-Cleaner
2008-03-30 19:03 . 2008-04-04 17:22 714 ---hs---- C:\WINDOWS\system32\lssnwrps.ini
2008-03-29 11:30 . 2008-03-29 11:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 11:27 . 2008-03-29 11:27 <DIR> d-------- C:\Deckard
2008-03-29 11:14 . 2008-03-29 11:14 2,892 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-29 11:12 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-29 11:12 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-29 11:12 . 2008-03-28 23:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-29 11:12 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-29 11:12 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-29 11:12 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-29 11:12 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-29 10:04 . 2008-03-29 10:06 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\PC-Antispyware
2008-03-29 10:03 . 2008-03-29 10:04 <DIR> d-------- C:\Program Files\PC-Antispyware
2008-03-29 09:11 . 2008-04-11 08:17 92,970 --ahs---- C:\WINDOWS\system32\nnnnqtwa.ini
2008-03-29 09:03 . 2008-03-29 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\kdoxyfex
2008-03-29 08:37 . 2008-03-29 08:37 <DIR> d-------- C:\Program Files\Navman
2008-03-28 07:52 . 2008-03-28 07:52 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Talkback
2008-03-28 07:48 . 2008-03-28 07:48 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Share-to-Web Upload Folder
2008-03-28 07:48 . 2008-03-28 07:48 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Logitech
2008-03-27 16:32 . 2008-04-13 16:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 16:32 . 2008-03-27 16:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-26 19:15 . 2008-03-26 19:15 <DIR> d-------- C:\Program Files\LozWare
2008-03-23 10:21 . 2008-04-13 16:20 <DIR> d-------- C:\Program Files\Sophos
2008-03-22 22:17 . 2008-03-22 22:17 268 --ah----- C:\sqmdata12.sqm
2008-03-22 22:17 . 2008-03-22 22:17 244 --ah----- C:\sqmnoopt12.sqm
2008-03-22 13:48 . 2008-03-22 13:48 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-22 13:45 . 2008-03-22 13:45 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information
2008-03-22 13:44 . 2008-03-22 13:44 <DIR> d-------- C:\Program Files\2K Games
2008-03-22 13:43 . 2008-03-22 13:43 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield
2008-03-21 13:42 . 2008-03-21 13:42 <DIR> d-------- C:\Program Files\Incomplete
2008-03-15 13:07 . 2008-01-16 15:22 12,310 --a------ C:\WINDOWS\system32\drivers\pvsnet.sys
2008-03-15 13:06 . 2008-01-16 15:19 51,712 --a------ C:\WINDOWS\system32\drivers\hypervisor.sys
2008-03-15 13:06 . 2008-01-16 15:22 28,800 --a------ C:\WINDOWS\system32\drivers\pvs.sys
2008-03-15 13:06 . 2008-01-16 15:20 22,752 --a------ C:\WINDOWS\system32\drivers\pvsusb.sys
2008-03-15 13:06 . 2008-01-16 15:22 13,344 --a------ C:\WINDOWS\system32\drivers\pvspth.sys
2008-03-15 13:06 . 2008-01-16 15:20 8,320 --a------ C:\WINDOWS\system32\drivers\PvsUM.sys
2008-03-15 13:04 . 2008-03-15 13:04 <DIR> d-------- C:\Program Files\Parallels
2008-03-15 13:03 . 2008-01-16 15:20 4,412 --a------ C:\WINDOWS\system32\drivers\pvsvnic.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 06:27 --------- d-----w C:\Documents and Settings\Nick\Application Data\Hamachi
2008-04-10 22:11 --------- d-----w C:\Program Files\ContextAdvisor
2008-03-28 22:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 06:02 --------- d-----w C:\Program Files\Java
2008-03-21 03:53 --------- d-----w C:\Documents and Settings\Nick\Application Data\LimeWire
2008-03-21 03:42 --------- d-----w C:\Program Files\LimeWire
2008-03-19 05:45 --------- d-----w C:\Documents and Settings\Nick\Application Data\Azureus
2008-03-17 01:44 --------- d-----w C:\Documents and Settings\Maria\Application Data\Skype
2008-03-16 06:18 --------- d-----w C:\Program Files\Google
2008-03-14 07:05 --------- d-----w C:\Program Files\Azureus
2008-03-10 08:35 48 ----a-w C:\Documents and Settings\Nick\test.bat
2008-03-08 23:00 --------- d-----w C:\Program Files\Mozilla Sunbird
2008-03-06 07:39 118,784 ----a-w C:\WINDOWS\GREUninstall.exe
2008-02-28 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-27 06:35 --------- d-----w C:\Program Files\Windows Live
2008-02-27 02:21 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-27 01:28 --------- d-----w C:\Program Files\CaraQ
2008-02-26 20:57 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-24 03:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-24 02:40 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-23 08:40 --------- d-----w C:\Program Files\FBrowserAdvisor
2008-02-22 08:19 --------- d-----w C:\Program Files\Docudesk
2008-02-22 07:44 --------- d-----w C:\Program Files\Amic Utilities
2008-02-21 23:51 --------- d-----w C:\Documents and Settings\Nick\Application Data\Share-to-Web Upload Folder
2008-02-21 02:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 00:18 --------- d-----w C:\Program Files\ReadIris
2008-02-20 23:56 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-02-20 23:55 --------- d-----w C:\Documents and Settings\Maria\Application Data\Share-to-Web Upload Folder
2008-02-20 23:54 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-15 09:41 400 ----a-w C:\WINDOWS\system32\drivers\eaxext_231.set
2008-02-15 09:41 400 ----a-w C:\WINDOWS\system32\drivers\bcompbg748.dat
2008-02-15 08:01 --------- d-----w C:\Program Files\Rhinoceros 4.0
2008-02-15 08:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\McNeel
2007-09-28 08:57 6,275,816 ----a-w C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BC4A41E-7D83-4A0B-8EB1-5F8783DF75BA}]
C:\WINDOWS\system32\awtqnnnn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}]
2008-03-29 10:04 176128 --a------ C:\Program Files\PC-Antispyware\IeExtension.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87E68009-29A8-D669-F7C2-B31D08635C50}]
2007-12-31 06:48 1019904 --a------ C:\Program Files\ContextAdvisor\ContextAdvisor-1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-19 00:16 171464]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04 139264]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-11-01 19:18 67128]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"wvqojfqn"="C:\WINDOWS\system32\ofwrurip.exe" [ ]
"xfzsklvq"="C:\WINDOWS\system32\crizqfit.exe" [ ]
"PC-Cleaner"="C:\Program Files\PC-Cleaner\PC-Cleaner.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-02-24 21:10 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"MediaLifeService"="C:\Program Files\Logitech\MediaLife\MediaLifeService.exe" [2005-05-12 21:23 110739]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" [ ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19 69632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"pdfw"="C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe" [ ]
"Lozdodge"="C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe" [2008-03-26 19:15 159744]
"6844a283"="C:\WINDOWS\system32\sprwnssl.dll" [ ]
"MbarInstall"="C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\Nick\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-11-15 16:43:19 622880]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-02 23:45:14 245760]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 01:20:58 323646]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-01 19:18:05 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-29 17:43:21 450560]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30 147456]
QUT Secure Access Service Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-11-27 08:59:11 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\PROGRA~1\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ktvoiugv]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001DE5E]
__c001DE5E.dat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2006-11-10 16:19 1051648 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2005-05-03 09:10 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-09-16 11:05 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TalkAndWrite"=C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Counter Strike 1.6 Reloaded\\hl.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ubisoft\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"C:\\Program Files\\LozWare\\Lozdodge\\LDG_Service.exe"=

R2 hypervisor;Parallels Hypervisor;C:\WINDOWS\system32\drivers\hypervisor.sys [2008-01-16 15:19]
R2 pvs;Parallels Kernel Driver;C:\WINDOWS\system32\drivers\pvs.sys [2008-01-16 15:22]
R2 pvsnet;Parallels Network Driver;C:\WINDOWS\system32\DRIVERS\pvsnet.sys [2008-01-16 15:22]
R2 pvspth;Parallels Passthrough Driver;C:\WINDOWS\system32\drivers\pvspth.sys [2008-01-16 15:22]
R2 pvsum;Parallels USB Manager;C:\WINDOWS\system32\drivers\pvsum.sys [2008-01-16 15:20]
R3 PVSVNIC;Parallels Virtual NIC Driver;C:\WINDOWS\system32\DRIVERS\pvsvnic.sys [2008-01-16 15:20]
S2 PRLDHCP;Parallels DHCP Service for Virtual NIC;C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe [2008-01-16 15:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 09:50:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-29 00:21:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1203553245.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-03-29 02:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-04-13 07:15:51 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-28 17:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QUT VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BC4A41E-7D83-4A0B-8EB1-5F8783DF75BA} - C:\WINDOWS\system32\awtqnnnn.dll (file missing)
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ContextAdvisor - {87E68009-29A8-D669-F7C2-B31D08635C50} - C:\Program Files\ContextAdvisor\ContextAdvisor-1.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [Lozdodge] C:\Program Files\LozWare\Lozdodge\LDG_Manager.exe HIDE
O4 - HKLM\..\Run: [6844a283] rundll32.exe "C:\WINDOWS\system32\sprwnssl.dll",b
O4 - HKLM\..\Run: [MbarInstall] C:\DOCUME~1\Nick\LOCALS~1\Temp\tem242.tmp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [wvqojfqn] C:\WINDOWS\system32\ofwrurip.exe
O4 - HKCU\..\Run: [xfzsklvq] C:\WINDOWS\system32\crizqfit.exe
O4 - HKCU\..\Run: [PC-Cleaner] "C:\Program Files\PC-Cleaner\PC-Cleaner.exe" hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QUT Secure Access Service Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: rqRHaxYO - C:\WINDOWS\
O20 - Winlogon Notify: __c001DE5E - __c001DE5E.dat (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\QUT VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

--
End of file - 9710 bytes

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 17:16:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QUT VPN Client\cvpnd.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-13 17:19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-13 07:19:33
Pre-Run: 156,647,280,640 bytes free
Post-Run: 156,471,894,016 bytes free
.
2008-03-20 11:10:29 --- E O F ---

Edited by Nic_van_Dessel, 13 April 2008 - 01:24 AM.

  • 0

Advertisements

#11
kahdah
Posted 13 April 2008 - 08:22 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
  • 0

#12
Nic_van_Dessel
Posted 15 April 2008 - 12:43 AM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#13
kahdah
Posted 15 April 2008 - 02:45 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\sqmdata15.sqm
C:\sqmnoopt16.sqm
C:\VundoFix Backups
C:\sqmdata14.sqm
C:\sqmnoopt15.sqm
C:\sqmdata13.sqm
C:\sqmnoopt14.sqm
C:\sqmnoopt13.sqm
C:\WINDOWS\system32\jstkbkde.exe
C:\Documents and Settings\Nick\Application Data\PC-Cleaner
C:\WINDOWS\system32\lssnwrps.ini
C:\Documents and Settings\Nick\Application Data\PC-Antispyware
C:\Program Files\PC-Antispyware
C:\WINDOWS\system32\nnnnqtwa.ini
C:\Documents and Settings\All Users\Application Data\kdoxyfex
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BC4A41E-7D83-4A0B-8EB1-5F8783DF75BA}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wvqojfqn
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xfzsklvq
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PC-Cleaner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\6844a283
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MbarInstall
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ktvoiugv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001DE5E
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#14
Nic_van_Dessel
Posted 15 April 2008 - 03:56 AM

Nic_van_Dessel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi an thanks for your extremely fast reply :) here is the contents of the OTMoveIt2 log not sure what i was/wasnt meant to do with the MBAM so didnt do anything.

Heres the log:


C:\sqmdata15.sqm moved successfully.
C:\sqmnoopt16.sqm moved successfully.
C:\VundoFix Backups moved successfully.
C:\sqmdata14.sqm moved successfully.
C:\sqmnoopt15.sqm moved successfully.
C:\sqmdata13.sqm moved successfully.
C:\sqmnoopt14.sqm moved successfully.
C:\sqmnoopt13.sqm moved successfully.
C:\WINDOWS\system32\jstkbkde.exe moved successfully.
C:\Documents and Settings\Nick\Application Data\PC-Cleaner moved successfully.
C:\WINDOWS\system32\lssnwrps.ini moved successfully.
C:\Documents and Settings\Nick\Application Data\PC-Antispyware\startup moved successfully.
C:\Documents and Settings\Nick\Application Data\PC-Antispyware\logs moved successfully.
C:\Documents and Settings\Nick\Application Data\PC-Antispyware moved successfully.
C:\Program Files\PC-Antispyware moved successfully.
C:\WINDOWS\system32\nnnnqtwa.ini moved successfully.
C:\Documents and Settings\All Users\Application Data\kdoxyfex moved successfully.
C:\sqmdata12.sqm moved successfully.
C:\sqmnoopt12.sqm moved successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BC4A41E-7D83-4A0B-8EB1-5F8783DF75BA} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BC4A41E-7D83-4A0B-8EB1-5F8783DF75BA}\\ deleted successfully.
< HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}\\ deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wvqojfqn >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wvqojfqn deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xfzsklvq >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xfzsklvq deleted successfully.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PC-Cleaner >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PC-Cleaner deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\6844a283 >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\6844a283 deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MbarInstall >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MbarInstall deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ktvoiugv >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ktvoiugv\\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRHaxYO\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001DE5E >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001DE5E\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04152008_195127
  • 0

#15
kahdah
Posted 15 April 2008 - 04:34 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
No problem all you need to do is download it and follow the setup instructions.
Let it run then post the log after it removes what it finds also a new Hijackthis log.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP