
Virtumonde? [RESOLVED]


  • This topic is locked

#1 Azrael1415 (Member, 15 posts)
Picked up on LimeWire (which is now uninstalled). AdAware, Spybot, AVG and SpySweeper can detect Virtumonde, but can't remove it. I keep opening and closing explorer.exe; also, anytime I run RunDLL32.exe or iexplore.exe, it opens a 2nd instance. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:08 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Azrael\My Documents\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D38F5394-D4AE-4982-ABF5-5734B516012B} - C:\WINDOWS\system32\urqQhefG.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: awttuutr - awttuutr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8724 bytes

Thanks.
  • 0
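The log above carries the entries a HijackThis analyst treats as Virtumonde/Vundo fingerprints: an O2 BHO with no name loading a random-named DLL from system32, an O20 Winlogon Notify hook whose DLL is "(file missing)", and a populated AppInit_DLLs value. As an added example, not part of the original thread or of HijackThis itself, the Python below triages log lines for those patterns; the severity scale and the random-name heuristic are my own assumptions, and the sample lines are copied from the posted log.

```python
"""Triage HijackThis v2 log lines for the Virtumonde/Vundo patterns in this thread.

Added example, not part of the original post. The severity labels and the
random-name heuristic are my own choices, not HijackThis output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted above (two benign entries
# kept for contrast). A real run would feed in the whole saved log file.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D38F5394-D4AE-4982-ABF5-5734B516012B} - C:\WINDOWS\system32\urqQhefG.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O20 - AppInit_DLLs: ??
O20 - Winlogon Notify: awttuutr - awttuutr.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    severity: str  # "high", "medium" or "low" (my own scale)
    reason: str
    line: str


LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
SYSTEM32_DLL = re.compile(r"\\system32\\([^\\]+)\.dll$", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style 8-letter pseudo-random file names.

    Flags an 8-letter alphabetic stem that is either mixed-case without being
    Title Case (urqQhefG) or unusually vowel-poor. Legitimate 8-letter names
    exist, so this is a triage aid and needs an allowlist in practice.
    """
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    mixed_case = (stem != stem.lower() and stem != stem.upper()
                  and not stem.istitle())
    few_vowels = len(re.findall(r"[aeiou]", stem, re.IGNORECASE)) <= 1
    return mixed_case or few_vowels


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O2":
        # Browser Helper Object: "BHO: <name> - {CLSID} - <dll path>"
        parts = [p.strip() for p in body.split(" - ")]
        name = parts[0][len("BHO:"):].strip()
        dll = SYSTEM32_DLL.search(parts[-1])
        if name == "(no name)" and dll and looks_random(dll.group(1)):
            return Finding(section, "high",
                           "unnamed BHO loading a random-named DLL from system32 "
                           "(Vundo/Virtumonde pattern)", line)

    elif section == "O20":
        if body.startswith("Winlogon Notify:") and "(file missing)" in body:
            # A Notify DLL that winlogon would load but the scanner cannot find:
            # either hidden from it or left behind by a partial clean.
            return Finding(section, "high",
                           "Winlogon Notify DLL registered but not found on disk", line)
        if body.startswith("AppInit_DLLs:") and body[len("AppInit_DLLs:"):].strip():
            # Every process that loads user32.dll loads these; identify each entry.
            return Finding(section, "medium",
                           "AppInit_DLLs is populated; identify every listed DLL", line)

    elif section == "O23" and "(file missing)" in body:
        return Finding(section, "low",
                       "service points at a binary that is not on disk", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, keeping the original line order."""
    findings = []
    for raw in log_text.splitlines():
        finding = triage_line(raw)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```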



#2 BHowett (OT Moderator, 4,649 posts)
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

NOTE: I am still in training so I have to let the experts check the content of my fixes before I post them. This may take a little longer but the fixes will be verified and correct.

I will post your first set of instructions shortly.
  • 0

#3 Azrael1415 (Topic Starter, Member, 15 posts)
Thank you.

I would like to update that the issue with RunDLL32.exe and iexplore.exe running extra instances has gone away, but Virtumonde is still detected and never deleted, and something is still closing and (sometimes) opening explorer.exe. Also, it's only doing the explorer.exe thing on my user login; it does not do it on my wife's (Username: Crystal). If that helps at all.

Updated log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:15 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Crystal')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-507921405-436374069-682003330-1011 Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User 'Crystal')
O4 - S-1-5-21-507921405-436374069-682003330-1011 User Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe (User 'Crystal')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8359 bytes

Thanks again!

Edited by Azrael1415, 30 March 2008 - 09:09 PM.

  • 0

#4 BHowett (OT Moderator, 4,649 posts)
Hello Azrael1415,

I think you might have learned your lesson with LimeWire, but I will give you the standard warning anyway because you are showing BitComet in your log. :)

P2P Warning!

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur. Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

Please decide if you want to keep using P2P so I can put it in my next speech if you don't want to keep it.
===============================================

Anti-Virus

Looking over your log, it seems you don't have any evidence of anti-virus software. Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer. An anti-virus product is a necessity. There are many excellent programs that you can purchase; however, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are:

It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

===============================================


Download Firewall

I don't see any firewall in your HijackThis log, so I assume you use Windows Firewall.

It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built into Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third-party solutions. Three good ones that are freeware to boot are:

A tutorial about firewalls can be found here

===============================================



Now that we got that out of the way, let's get started with the cleaning process.


ComboFix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename ComboFix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
  • 0

#5 Azrael1415 (Topic Starter, Member, 15 posts)
ComboFix.txt:

ComboFix 08-03-30.3 - Azrael 2008-03-31 8:44:13.1 - NTFSx86

Running from: C:\Documents and Settings\Azrael\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Crystal\Application Data\Install.dat
C:\Program Files\Common Files\stem32~1
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\system32\GfehQqru.ini
C:\WINDOWS\system32\GfehQqru.ini2
C:\WINDOWS\system32\ghPrCcfe.ini
C:\WINDOWS\system32\ghPrCcfe.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\QqrYbccf.ini
C:\WINDOWS\system32\QqrYbccf.ini2
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\system32\xwwHRXyb.ini
C:\WINDOWS\system32\xwwHRXyb.ini2

----- BITS: Possible infected sites -----

hxxp://lp2.patch.station.sony.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETDOWN
-------\Service_NETDown


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 01:36 . 2008-03-31 01:36 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\Lavasoft
2008-03-31 01:18 . 2006-02-28 06:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-03-31 01:16 . 2006-02-28 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-31 01:15 . 2004-05-12 23:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-31 01:12 . 2008-03-31 01:12 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-31 01:10 . 2006-02-28 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-03-31 01:09 . 2006-02-28 06:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-03-31 01:09 . 2006-02-28 06:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-03-31 01:09 . 2006-02-28 06:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-03-31 01:09 . 2006-02-28 06:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-03-31 01:06 . 2006-02-28 06:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe
2008-03-30 16:19 . 2006-03-20 16:33 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-03-30 13:03 . 2008-03-30 13:03 <DIR> d-------- C:\Program Files\Namco Bandai
2008-03-30 09:56 . 2008-03-30 16:31 <DIR> d--h----- C:\WHM
2008-03-29 23:52 . 2008-03-29 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 22:09 . 2008-03-29 22:09 <DIR> d-------- C:\Program Files\AskSBar
2008-03-29 22:08 . 2008-03-29 22:50 164 --a------ C:\install.dat
2008-03-29 21:23 . 2008-03-29 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-29 17:04 . 2008-03-29 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-29 17:03 . 2008-03-29 16:56 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-29 17:03 . 2008-03-29 17:03 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-29 16:59 . 2008-03-29 16:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-29 16:42 . 2008-03-29 16:42 196,678 --a------ C:\WINDOWS\system32\lcntskdn.exe
2008-03-29 16:42 . 2008-03-29 16:42 907 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-29 16:41 . 2008-03-29 17:48 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-29 16:41 . 2008-03-29 19:09 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-03-29 16:41 . 2008-03-29 16:41 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-29 16:41 . 2008-03-29 19:09 <DIR> d-------- C:\WINDOWS\system32\bz3
2008-03-29 16:41 . 2008-03-29 23:17 <DIR> d--hs---- C:\WINDOWS\QnJhbmRvbiBOZXdidXJn
2008-03-29 16:41 . 2008-03-29 16:41 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-26 08:13 . 2008-03-26 08:13 <DIR> d-------- C:\Program Files\Flagship Studios
2008-03-25 23:28 . 2008-03-25 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 23:12 . 2008-03-25 23:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-25 20:40 . 2006-02-28 06:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-03-24 08:29 . 2008-03-05 14:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-03-24 08:29 . 2008-03-05 14:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-24 08:29 . 2008-03-05 15:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-03-24 08:29 . 2008-02-05 22:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-03-24 08:29 . 2008-03-05 15:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-03-24 08:29 . 2008-03-05 15:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-23 09:23 . 2008-03-23 09:23 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-23 09:23 . 2008-03-24 22:07 39 --a------ C:\WINDOWS\popcinfot.dat
2008-03-23 09:23 . 2008-03-23 09:23 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-21 22:21 . 2008-03-23 19:52 3,145,784 --a------ C:\WINDOWS\war.bmp
2008-03-13 17:06 . 2008-03-13 17:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-03-11 07:18 . 2008-03-11 21:27 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-07 09:17 . 2008-03-07 09:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-03-06 20:42 . 2008-03-06 20:42 <DIR> d-------- C:\Program Files\Common Files\Viewpoint
2008-03-06 14:21 . 2008-03-06 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-05 21:54 . 2008-03-05 21:54 <DIR> d-------- C:\Program Files\Google
2008-03-04 08:23 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-02-29 01:01 . 2008-02-29 01:01 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\RTPlayer
2008-02-29 00:50 . 2008-03-24 07:58 <DIR> d-------- C:\Program Files\Tunebite
2008-02-22 07:39 . 2008-02-22 07:39 <DIR> d-------- C:\Program Files\iPod
2008-02-17 23:15 . 2008-02-17 23:15 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\Realtime Soft
2008-02-17 12:38 . 2008-02-17 12:38 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-02-11 17:51 . 2008-02-22 21:26 24,064 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-10 11:42 . 2008-02-10 11:42 2,359,350 --a------ C:\WINDOWS\tw.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 06:32 --------- d-----w C:\Program Files\Trillian
2008-03-30 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 14:45 --------- d-----w C:\Program Files\Steam
2008-03-29 23:14 --------- d-----w C:\Documents and Settings\Azrael\Application Data\LimeWire
2008-03-29 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 18:19 --------- d-----w C:\Program Files\SmartFTP Client
2008-03-28 06:01 --------- d-----w C:\Program Files\Xfire
2008-03-26 05:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-17 22:04 --------- d-----w C:\Documents and Settings\Azrael\Application Data\Xfire
2008-03-12 03:27 --------- d-----w C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-05 14:33 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-03 21:49 --------- d-----w C:\Documents and Settings\Azrael\Application Data\tunebite
2008-02-22 13:39 --------- d-----w C:\Program Files\iTunes
2008-02-22 13:38 --------- d-----w C:\Program Files\QuickTime
2008-02-11 21:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 04:42 22,328 ----a-w C:\Documents and Settings\Azrael\Application Data\PnkBstrK.sys
2007-11-21 04:58 11,976 ----a-w C:\Program Files\install.log
2007-04-18 02:19 25,464 ----a-w C:\Documents and Settings\Azrael\Application Data\GDIPFONTCACHEV1.DAT
2007-03-19 22:14 25,464 ----a-w C:\Documents and Settings\Crystal\Application Data\GDIPFONTCACHEV1.DAT
2006-03-31 02:53 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1B6D3BE-03C5-4C9E-935B-EA8C40CA1CC8}]
C:\WINDOWS\system32\urqQhefG.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-05 21:54 29744]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttuutr]
awttuutr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_001.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_001.lnk
backup=C:\WINDOWS\pss\EA_RESTART_001.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_002.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_002.lnk
backup=C:\WINDOWS\pss\EA_RESTART_002.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Kirby Alarm.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Kirby Alarm.lnk
backup=C:\WINDOWS\pss\Kirby Alarm.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Screenza.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Screenza.lnk
backup=C:\WINDOWS\pss\Screenza.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=C:\WINDOWS\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate]
C:\WINDOWS\System32\msshed32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 16:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\desktop]
C:\WINDOWS\System32\idemlog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmfnj.exe]
C:\WINDOWS\System32\dmfnj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmgzs.exe]
C:\WINDOWS\System32\dmgzs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmhwv.exe]
C:\WINDOWS\System32\dmhwv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmkdf.exe]
C:\WINDOWS\System32\dmkdf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmqgq.exe]
C:\WINDOWS\System32\dmqgq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmrvd.exe]
C:\WINDOWS\System32\dmrvd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmzxz.exe]
C:\WINDOWS\System32\dmzxz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
C:\WINDOWS\System32\dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
C:\Program Files\Electronic Arts\EA Downloader\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV\mWhjlnspB]
--a------ 2008-03-29 16:42 196678 C:\WINDOWS\system32\lcntskdn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hgqhp.exe]
C:\WINDOWS\System32\hgqhp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hipi7qth]
C:\WINDOWS\System32\hipi7qth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 00:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Azrael\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
--a------ 2002-01-28 11:48 885760 C:\WINDOWS\system32\LXSUPMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oamc]
C:\WINDOWS\System32\WNSXS~1\winspool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
--a------ 2006-02-28 06:00 33280 C:\WINDOWS\System32\Rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean]
C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SchedulingAgent]
--a------ 2004-08-04 01:56 12288 C:\WINDOWS\system32\mstinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-27 23:01 1271032 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheLionCluster]
C:\Program Files\The Lion\skinkers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThrustTSR]
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\Tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnSpyPC]
C:\Program Files\UnSpyPC\UnSpyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XemiComputers Scheduler]
C:\Program Files\XemiComputers\Smooth Program Scheduler\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
C:\Program Files\Common Files\??stem32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{69-95-59-96-DW}]
c:\windows\system32\rwwnw64d.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12087:TCP"= 12087:TCP:BitComet 12087 TCP
"12087:UDP"= 12087:UDP:BitComet 12087 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 15:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 08:49:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2008-03-31 8:53:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 14:53:41
Pre-Run: 10,087,710,720 bytes free
Post-Run: 10,024,964,096 bytes free
.
2007-10-28 08:37:29 --- E O F ---



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:41 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {D1B6D3BE-03C5-4C9E-935B-EA8C40CA1CC8} - C:\WINDOWS\system32\urqQhefG.dll (file missing)
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: awttuutr - awttuutr.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8881 bytes

#6
BHowett (OT Moderator, 4,649 posts)
Hello Azrael1415,

Sorry for the delay, I got a little tied up at work... :)

Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {D1B6D3BE-03C5-4C9E-935B-EA8C40CA1CC8} - C:\WINDOWS\system32\urqQhefG.dll (file missing)
O20 - Winlogon Notify: awttuutr - awttuutr.dll (file missing)



Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===============================================

Stop processes with Task Manager

Press Control+Alt+Del to enter the Task Manager.
Click on the Processes tab and end the following processes (if present):

devldr32.exe

Exit the Task Manager when finished.
===============================================


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\lcntskdn.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xTmp
C:\WINDOWS\system32\winz1
C:\WINDOWS\system32\IDME
C:\WINDOWS\system32\bz3
C:\WINDOWS\QnJhbmRvbiBOZXdidXJn
C:\WINDOWS\system32\targetedbanner-uninst.exe   
C:\WINDOWS\popcinfot.dat
C:\WINDOWS\popcreg.dat
C:\WINDOWS\System32\idemlog.exe
C:\WINDOWS\System32\dmfnj.exe
C:\WINDOWS\System32\dmgzs.exe
C:\WINDOWS\System32\dmhwv.exe
C:\WINDOWS\System32\dmkdf.exe
C:\WINDOWS\System32\dmqgq.exe
C:\WINDOWS\System32\dmrvd.exe
C:\WINDOWS\System32\dmzxz.exe
C:\WINDOWS\System32\hgqhp.exe
C:\WINDOWS\System32\hipi7qth.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\urqQhefG.dll
C:\WINDOWS\system32\lcntskdn.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\System32\WNSXS~1\winspool.exe
C:\WINDOWS\mrofinu1188.exe

Folder::
C:\Program Files\Winferno\RegistryPowerCleaner
c:\program files\steam
C:\Program Files\UnSpyPC
C:\Program Files\VVSN

Driver::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttuutr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\desktop]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmfnj.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmgzs.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmhwv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmkdf.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmqgq.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmrvd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmzxz.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hgqhp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hipi7qth]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnSpyPC]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{69-95-59-96-DW}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1B6D3BE-03C5-4C9E-935B-EA8C40CA1CC8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g]eeV\mWhjlnspB]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[image: animation of dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Also please let me know how your system is running.
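What makes the entries BHowett picked out stand out, as an added example (not code from this thread, nor from ComboFix or HijackThis): a small Python triage that reads lines in the two log formats posted above and applies the checks a responder does by eye. A Windows image name (svchost.exe, lsass.exe, rundll32.exe) launched from anywhere but its canonical directory is a lookalike; an autostart whose target is "(file missing)" is orphaned persistence; and Security Center "DisableNotify" values or EnableFirewall=0 mean the machine was quietly stripped of protection. The canonical-directory table and the list of silencing values are assumptions of the example, and the sample log is a handful of lines copied from the ComboFix and HijackThis output in this thread.

```python
import ntpath
import re

# Windows-owned image names and the one directory each runs from on XP.
# This table is an assumption of the example, not something the logs state.
CANONICAL_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Registry values (name, value as ComboFix prints them) that hide a lack of
# protection from the user: Security Center notifications off, XP firewall off.
SILENCING_VALUES = {
    "antivirusdisablenotify": "dword:00000001",
    "updatesdisablenotify": "dword:00000001",
    "firewalldisablenotify": "dword:00000001",
    "enablefirewall": "0",
}

# First drive-letter path ending in an executable extension; spaces allowed.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# ComboFix registry value line: "Name"=value ...
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)')


def triage_line(line):
    """Return (reason, detail) findings for one ComboFix or HijackThis line."""
    findings = []
    text = line.strip()

    # Loader still fires but the payload is gone or hidden: orphaned persistence.
    if "(file missing)" in text.lower():
        findings.append(("orphaned autostart", text))

    m = VALUE_RE.match(text)
    if m:
        name, value = m.group(1).lower(), m.group(2).lower()
        if SILENCING_VALUES.get(name) == value:
            findings.append(("protection silenced", f"{name}={value}"))

    m = PATH_RE.search(text)
    if m:
        path = m.group(0)
        low = path.lower()
        name, directory = ntpath.basename(low), ntpath.dirname(low)
        # svchost.exe in \Fonts, lsass.exe in a user profile: a lookalike, not Windows.
        if name in CANONICAL_DIR and directory != CANONICAL_DIR[name]:
            findings.append(("windows image outside canonical directory", path))
        # The log prints "?" for characters it cannot render; in a directory
        # name that means lookalike characters chosen to pass as "system32".
        if "?" in low:
            findings.append(("unrenderable characters in path", path))
    return findings


def triage(lines):
    """Run triage_line over a whole log and return all findings in order."""
    return [f for line in lines for f in triage_line(line)]


# Constructed sample: lines copied from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Azrael\lsass.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
C:\Program Files\Common Files\??stem32\rundll32.exe
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]
"AntiVirusDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
O2 - BHO: (no name) - {D1B6D3BE-03C5-4C9E-935B-EA8C40CA1CC8} - C:\WINDOWS\system32\urqQhefG.dll (file missing)
O20 - Winlogon Notify: awttuutr - awttuutr.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
""".strip().splitlines()

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:45} {detail}")
```

To run it over a saved log, pass `open("ComboFix.txt").read().splitlines()` to `triage`. The random-name startupreg entries (dmfnj.exe and its siblings) pass every check here; picking them out took a human reading the names, so treat the output as a shortlist, not a verdict.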

#7
Azrael1415 (Topic Starter, Member, 15 posts)
Well, even before we did this, the symptoms stopped (explorer closing and restarting). However, RunDLL32.exe was still always running. Other than that it's run OK. Running well now. Question though: how come ComboFix deleted Steam and all my Steam games? Were they infected somehow? Not a big deal, I can re-install all of them, just curious. Here are the logs:

ComboFix.txt:

ComboFix 08-03-30.3 - Azrael 2008-04-01 21:55:14.2 - NTFSx86

Running from: C:\Documents and Settings\Azrael\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Azrael\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\steam
c:\program files\steam\appcache\0_app.pkv
c:\program files\steam\appcache\10_app.pkv
c:\program files\steam\appcache\100_app.pkv
c:\program files\steam\appcache\10000_app.pkv
c:\program files\steam\appcache\1001_app.pkv
c:\program files\steam\appcache\10010_app.pkv
c:\program files\steam\appcache\1002_app.pkv
c:\program files\steam\appcache\1003_app.pkv
c:\program files\steam\appcache\10050_app.pkv
c:\program files\steam\appcache\10400_app.pkv
c:\program files\steam\appcache\10410_app.pkv
c:\program files\steam\appcache\10420_app.pkv
c:\program files\steam\appcache\10430_app.pkv
c:\program files\steam\appcache\10440_app.pkv
c:\program files\steam\appcache\10460_app.pkv
c:\program files\steam\appcache\10480_app.pkv
c:\program files\steam\appcache\10700_app.pkv
c:\program files\steam\appcache\11000_app.pkv
c:\program files\steam\appcache\11200_app.pkv
c:\program files\steam\appcache\11210_app.pkv
c:\program files\steam\appcache\11220_app.pkv
c:\program files\steam\appcache\11420_app.pkv
c:\program files\steam\appcache\11450_app.pkv
c:\program files\steam\appcache\11460_app.pkv
c:\program files\steam\appcache\11470_app.pkv
c:\program files\steam\appcache\120_app.pkv
c:\program files\steam\appcache\1200_app.pkv
c:\program files\steam\appcache\1210_app.pkv
c:\program files\steam\appcache\12100_app.pkv
c:\program files\steam\appcache\12110_app.pkv
c:\program files\steam\appcache\12120_app.pkv
c:\program files\steam\appcache\12130_app.pkv
c:\program files\steam\appcache\12140_app.pkv
c:\program files\steam\appcache\12150_app.pkv
c:\program files\steam\appcache\12160_app.pkv
c:\program files\steam\appcache\12170_app.pkv
c:\program files\steam\appcache\12180_app.pkv
c:\program files\steam\appcache\12190_app.pkv
c:\program files\steam\appcache\1220_app.pkv
c:\program files\steam\appcache\12300_app.pkv
c:\program files\steam\appcache\12310_app.pkv
c:\program files\steam\appcache\12330_app.pkv
c:\program files\steam\appcache\12500_app.pkv
c:\program files\steam\appcache\12510_app.pkv
c:\program files\steam\appcache\12520_app.pkv
c:\program files\steam\appcache\12530_app.pkv
c:\program files\steam\appcache\12900_app.pkv
c:\program files\steam\appcache\12910_app.pkv
c:\program files\steam\appcache\130_app.pkv
c:\program files\steam\appcache\1300_app.pkv
c:\program files\steam\appcache\13000_app.pkv
c:\program files\steam\appcache\13010_app.pkv
c:\program files\steam\appcache\1306_app.pkv
c:\program files\steam\appcache\1309_app.pkv
c:\program files\steam\appcache\1313_app.pkv
c:\program files\steam\appcache\13200_app.pkv
c:\program files\steam\appcache\13210_app.pkv
c:\program files\steam\appcache\13230_app.pkv
c:\program files\steam\appcache\13240_app.pkv
c:\program files\steam\appcache\13250_app.pkv
c:\program files\steam\appcache\1500_app.pkv
c:\program files\steam\appcache\1502_app.pkv
c:\program files\steam\appcache\1504_app.pkv
c:\program files\steam\appcache\1510_app.pkv
c:\program files\steam\appcache\1520_app.pkv
c:\program files\steam\appcache\1522_app.pkv
c:\program files\steam\appcache\1600_app.pkv
c:\program files\steam\appcache\1610_app.pkv
c:\program files\steam\appcache\1620_app.pkv
c:\program files\steam\appcache\1630_app.pkv
c:\program files\steam\appcache\1640_app.pkv
c:\program files\steam\appcache\1670_app.pkv
c:\program files\steam\appcache\1690_app.pkv
c:\program files\steam\appcache\1700_app.pkv
c:\program files\steam\appcache\1710_app.pkv
c:\program files\steam\appcache\1900_app.pkv
c:\program files\steam\appcache\1920_app.pkv
c:\program files\steam\appcache\20_app.pkv
c:\program files\steam\appcache\205_app.pkv
c:\program files\steam\appcache\210_app.pkv
c:\program files\steam\appcache\2100_app.pkv
c:\program files\steam\appcache\211_app.pkv
c:\program files\steam\appcache\2110_app.pkv
c:\program files\steam\appcache\2120_app.pkv
c:\program files\steam\appcache\215_app.pkv
c:\program files\steam\appcache\219_app.pkv
c:\program files\steam\appcache\220_app.pkv
c:\program files\steam\appcache\2200_app.pkv
c:\program files\steam\appcache\2270_app.pkv
c:\program files\steam\appcache\2280_app.pkv
c:\program files\steam\appcache\2290_app.pkv
c:\program files\steam\appcache\2300_app.pkv
c:\program files\steam\appcache\2310_app.pkv
c:\program files\steam\appcache\2320_app.pkv
c:\program files\steam\appcache\2330_app.pkv
c:\program files\steam\appcache\2340_app.pkv
c:\program files\steam\appcache\2350_app.pkv
c:\program files\steam\appcache\2360_app.pkv
c:\program files\steam\appcache\2370_app.pkv
c:\program files\steam\appcache\2390_app.pkv
c:\program files\steam\appcache\240_app.pkv
c:\program files\steam\appcache\2400_app.pkv
c:\program files\steam\appcache\2410_app.pkv
c:\program files\steam\appcache\2413_app.pkv
c:\program files\steam\appcache\2420_app.pkv
c:\program files\steam\appcache\2500_app.pkv
c:\program files\steam\appcache\2510_app.pkv
c:\program files\steam\appcache\2520_app.pkv
c:\program files\steam\appcache\2530_app.pkv
c:\program files\steam\appcache\2535_app.pkv
c:\program files\steam\appcache\2540_app.pkv
c:\program files\steam\appcache\2560_app.pkv
c:\program files\steam\appcache\2570_app.pkv
c:\program files\steam\appcache\2580_app.pkv
c:\program files\steam\appcache\2590_app.pkv
c:\program files\steam\appcache\260_app.pkv
c:\program files\steam\appcache\2600_app.pkv
c:\program files\steam\appcache\2610_app.pkv
c:\program files\steam\appcache\2620_app.pkv
c:\program files\steam\appcache\2625_app.pkv
c:\program files\steam\appcache\2630_app.pkv
c:\program files\steam\appcache\2640_app.pkv
c:\program files\steam\appcache\2680_app.pkv
c:\program files\steam\appcache\2690_app.pkv
c:\program files\steam\appcache\2700_app.pkv
c:\program files\steam\appcache\2710_app.pkv
c:\program files\steam\appcache\2720_app.pkv
c:\program files\steam\appcache\2730_app.pkv
c:\program files\steam\appcache\2780_app.pkv
c:\program files\steam\appcache\2790_app.pkv
c:\program files\steam\appcache\280_app.pkv
c:\program files\steam\appcache\2800_app.pkv
c:\program files\steam\appcache\2810_app.pkv
c:\program files\steam\appcache\2900_app.pkv
c:\program files\steam\appcache\2910_app.pkv
c:\program files\steam\appcache\2920_app.pkv
c:\program files\steam\appcache\2930_app.pkv
c:\program files\steam\appcache\2990_app.pkv
c:\program files\steam\appcache\30_app.pkv
c:\program files\steam\appcache\300_app.pkv
c:\program files\steam\appcache\3000_app.pkv
c:\program files\steam\appcache\3010_app.pkv
c:\program files\steam\appcache\302_app.pkv
c:\program files\steam\appcache\3020_app.pkv
c:\program files\steam\appcache\304_app.pkv
c:\program files\steam\appcache\320_app.pkv
c:\program files\steam\appcache\3200_app.pkv
c:\program files\steam\appcache\3210_app.pkv
c:\program files\steam\appcache\3220_app.pkv
c:\program files\steam\appcache\3230_app.pkv
c:\program files\steam\appcache\3260_app.pkv
c:\program files\steam\appcache\3270_app.pkv
c:\program files\steam\appcache\3280_app.pkv
c:\program files\steam\appcache\3300_app.pkv
c:\program files\steam\appcache\3302_app.pkv
c:\program files\steam\appcache\3310_app.pkv
c:\program files\steam\appcache\3312_app.pkv
c:\program files\steam\appcache\3320_app.pkv
c:\program files\steam\appcache\3322_app.pkv
c:\program files\steam\appcache\3330_app.pkv
c:\program files\steam\appcache\3332_app.pkv
c:\program files\steam\appcache\3340_app.pkv
c:\program files\steam\appcache\3342_app.pkv
c:\program files\steam\appcache\3350_app.pkv
c:\program files\steam\appcache\3352_app.pkv
c:\program files\steam\appcache\3360_app.pkv
c:\program files\steam\appcache\3362_app.pkv
c:\program files\steam\appcache\3370_app.pkv
c:\program files\steam\appcache\3372_app.pkv
c:\program files\steam\appcache\3380_app.pkv
c:\program files\steam\appcache\3382_app.pkv
c:\program files\steam\appcache\3390_app.pkv
c:\program files\steam\appcache\340_app.pkv
c:\program files\steam\appcache\3400_app.pkv
c:\program files\steam\appcache\3402_app.pkv
c:\program files\steam\appcache\3410_app.pkv
c:\program files\steam\appcache\3412_app.pkv
c:\program files\steam\appcache\3420_app.pkv
c:\program files\steam\appcache\3422_app.pkv
c:\program files\steam\appcache\3430_app.pkv
c:\program files\steam\appcache\3432_app.pkv
c:\program files\steam\appcache\3440_app.pkv
c:\program files\steam\appcache\3442_app.pkv
c:\program files\steam\appcache\3450_app.pkv
c:\program files\steam\appcache\3452_app.pkv
c:\program files\steam\appcache\3460_app.pkv
c:\program files\steam\appcache\3462_app.pkv
c:\program files\steam\appcache\3470_app.pkv
c:\program files\steam\appcache\3472_app.pkv
c:\program files\steam\appcache\3480_app.pkv
c:\program files\steam\appcache\3482_app.pkv
c:\program files\steam\appcache\3483_app.pkv
c:\program files\steam\appcache\3490_app.pkv
c:\program files\steam\appcache\3492_app.pkv
c:\program files\steam\appcache\3500_app.pkv
c:\program files\steam\appcache\3502_app.pkv
c:\program files\steam\appcache\3510_app.pkv
c:\program files\steam\appcache\3512_app.pkv
c:\program files\steam\appcache\360_app.pkv
c:\program files\steam\appcache\380_app.pkv
c:\program files\steam\appcache\3800_app.pkv
c:\program files\steam\appcache\3810_app.pkv
c:\program files\steam\appcache\3820_app.pkv
c:\program files\steam\appcache\3830_app.pkv
c:\program files\steam\appcache\3840_app.pkv
c:\program files\steam\appcache\3850_app.pkv
c:\program files\steam\appcache\3900_app.pkv
c:\program files\steam\appcache\3910_app.pkv
c:\program files\steam\appcache\3920_app.pkv
c:\program files\steam\appcache\3960_app.pkv
c:\program files\steam\appcache\3970_app.pkv
c:\program files\steam\appcache\3980_app.pkv
c:\program files\steam\appcache\3990_app.pkv
c:\program files\steam\appcache\40_app.pkv
c:\program files\steam\appcache\400_app.pkv
c:\program files\steam\appcache\4000_app.pkv
c:\program files\steam\appcache\410_app.pkv
c:\program files\steam\appcache\4100_app.pkv
c:\program files\steam\appcache\4102_app.pkv
c:\program files\steam\appcache\420_app.pkv
c:\program files\steam\appcache\4200_app.pkv
c:\program files\steam\appcache\4230_app.pkv
c:\program files\steam\appcache\4260_app.pkv
c:\program files\steam\appcache\4290_app.pkv
c:\program files\steam\appcache\4300_app.pkv
c:\program files\steam\appcache\4310_app.pkv
c:\program files\steam\appcache\440_app.pkv
c:\program files\steam\appcache\4400_app.pkv
c:\program files\steam\appcache\4410_app.pkv
c:\program files\steam\appcache\4420_app.pkv
c:\program files\steam\appcache\4440_app.pkv
c:\program files\steam\appcache\4500_app.pkv
c:\program files\steam\appcache\4520_app.pkv
c:\program files\steam\appcache\4530_app.pkv
c:\program files\steam\appcache\4540_app.pkv
c:\program files\steam\appcache\4550_app.pkv
c:\program files\steam\appcache\4560_app.pkv
c:\program files\steam\appcache\4570_app.pkv
c:\program files\steam\appcache\4580_app.pkv
c:\program files\steam\appcache\4590_app.pkv
c:\program files\steam\appcache\4600_app.pkv
c:\program files\steam\appcache\4610_app.pkv
c:\program files\steam\appcache\4700_app.pkv
c:\program files\steam\appcache\4710_app.pkv
c:\program files\steam\appcache\4730_app.pkv
c:\program files\steam\appcache\4740_app.pkv
c:\program files\steam\appcache\4760_app.pkv
c:\program files\steam\appcache\4770_app.pkv
c:\program files\steam\appcache\4780_app.pkv
c:\program files\steam\appcache\4790_app.pkv
c:\program files\steam\appcache\4800_app.pkv
c:\program files\steam\appcache\4810_app.pkv
c:\program files\steam\appcache\4820_app.pkv
c:\program files\steam\appcache\4830_app.pkv
c:\program files\steam\appcache\4900_app.pkv
c:\program files\steam\appcache\4910_app.pkv
c:\program files\steam\appcache\5_app.pkv
c:\program files\steam\appcache\50_app.pkv
c:\program files\steam\appcache\5000_app.pkv
c:\program files\steam\appcache\5001_app.pkv
c:\program files\steam\appcache\5002_app.pkv
c:\program files\steam\appcache\5003_app.pkv
c:\program files\steam\appcache\5008_app.pkv
c:\program files\steam\appcache\5009_app.pkv
c:\program files\steam\appcache\5010_app.pkv
c:\program files\steam\appcache\5011_app.pkv
c:\program files\steam\appcache\5012_app.pkv
c:\program files\steam\appcache\5013_app.pkv
c:\program files\steam\appcache\5014_app.pkv
c:\program files\steam\appcache\5015_app.pkv
c:\program files\steam\appcache\5016_app.pkv
c:\program files\steam\appcache\5017_app.pkv
c:\program files\steam\appcache\5019_app.pkv
c:\program files\steam\appcache\5020_app.pkv
c:\program files\steam\appcache\5023_app.pkv
c:\program files\steam\appcache\5028_app.pkv
c:\program files\steam\appcache\60_app.pkv
c:\program files\steam\appcache\6100_app.pkv
c:\program files\steam\appcache\6110_app.pkv
c:\program files\steam\appcache\6200_app.pkv
c:\program files\steam\appcache\6210_app.pkv
c:\program files\steam\appcache\6220_app.pkv
c:\program files\steam\appcache\6230_app.pkv
c:\program files\steam\appcache\6250_app.pkv
c:\program files\steam\appcache\6260_app.pkv
c:\program files\steam\appcache\6270_app.pkv
c:\program files\steam\appcache\6290_app.pkv
c:\program files\steam\appcache\6300_app.pkv
c:\program files\steam\appcache\6310_app.pkv
c:\program files\steam\appcache\6320_app.pkv
c:\program files\steam\appcache\6400_app.pkv
c:\program files\steam\appcache\6410_app.pkv
c:\program files\steam\appcache\6420_app.pkv
c:\program files\steam\appcache\6510_app.pkv
c:\program files\steam\appcache\6530_app.pkv
c:\program files\steam\appcache\6550_app.pkv
c:\program files\steam\appcache\6570_app.pkv
c:\program files\steam\appcache\6580_app.pkv
c:\program files\steam\appcache\6600_app.pkv
c:\program files\steam\appcache\6610_app.pkv
c:\program files\steam\appcache\6800_app.pkv
c:\program files\steam\appcache\6810_app.pkv
c:\program files\steam\appcache\6820_app.pkv
c:\program files\steam\appcache\6830_app.pkv
c:\program files\steam\appcache\6840_app.pkv
c:\program files\steam\appcache\6850_app.pkv
c:\program files\steam\appcache\6860_app.pkv
c:\program files\steam\appcache\6870_app.pkv
c:\program files\steam\appcache\6880_app.pkv
c:\program files\steam\appcache\6900_app.pkv
c:\program files\steam\appcache\6910_app.pkv
c:\program files\steam\appcache\6920_app.pkv
c:\program files\steam\appcache\6930_app.pkv
c:\program files\steam\appcache\6940_app.pkv
c:\program files\steam\appcache\6950_app.pkv
c:\program files\steam\appcache\6980_app.pkv
c:\program files\steam\appcache\7_app.pkv
c:\program files\steam\appcache\70_app.pkv
c:\program files\steam\appcache\7000_app.pkv
c:\program files\steam\appcache\7010_app.pkv
c:\program files\steam\appcache\7020_app.pkv
c:\program files\steam\appcache\7030_app.pkv
c:\program files\steam\appcache\7050_app.pkv
c:\program files\steam\appcache\7060_app.pkv
c:\program files\steam\appcache\7080_app.pkv
c:\program files\steam\appcache\7110_app.pkv
c:\program files\steam\appcache\7200_app.pkv
c:\program files\steam\appcache\7210_app.pkv
c:\program files\steam\appcache\7220_app.pkv
c:\program files\steam\appcache\7230_app.pkv
c:\program files\steam\appcache\7250_app.pkv
c:\program files\steam\appcache\7260_app.pkv
c:\program files\steam\appcache\7280_app.pkv
c:\program files\steam\appcache\7290_app.pkv
c:\program files\steam\appcache\7400_app.pkv
c:\program files\steam\appcache\7410_app.pkv
c:\program files\steam\appcache\7420_app.pkv
c:\program files\steam\appcache\7430_app.pkv
c:\program files\steam\appcache\7500_app.pkv
c:\program files\steam\appcache\7600_app.pkv
c:\program files\steam\appcache\7610_app.pkv
c:\program files\steam\appcache\7620_app.pkv
c:\program files\steam\appcache\7630_app.pkv
c:\program files\steam\appcache\7650_app.pkv
c:\program files\steam\appcache\7670_app.pkv
c:\program files\steam\appcache\7710_app.pkv
c:\program files\steam\appcache\7800_app.pkv
c:\program files\steam\appcache\7810_app.pkv
c:\program files\steam\appcache\7820_app.pkv
c:\program files\steam\appcache\7900_app.pkv
c:\program files\steam\appcache\7910_app.pkv
c:\program files\steam\appcache\7920_app.pkv
c:\program files\steam\appcache\7940_app.pkv
c:\program files\steam\appcache\80_app.pkv
c:\program files\steam\appcache\8000_app.pkv
c:\program files\steam\appcache\8010_app.pkv
c:\program files\steam\appcache\8030_app.pkv
c:\program files\steam\appcache\8040_app.pkv
c:\program files\steam\appcache\8060_app.pkv
c:\program files\steam\appcache\8080_app.pkv
c:\program files\steam\appcache\8090_app.pkv
c:\program files\steam\appcache\8100_app.pkv
c:\program files\steam\appcache\8200_app.pkv
c:\program files\steam\appcache\8210_app.pkv
c:\program files\steam\appcache\8220_app.pkv
c:\program files\steam\appcache\8230_app.pkv
c:\program files\steam\appcache\8240_app.pkv
c:\program files\steam\appcache\8250_app.pkv
c:\program files\steam\appcache\8400_app.pkv
c:\program files\steam\appcache\8500_app.pkv
c:\program files\steam\appcache\8510_app.pkv
c:\program files\steam\appcache\8600_app.pkv
c:\program files\steam\appcache\8620_app.pkv
c:\program files\steam\appcache\8630_app.pkv
c:\program files\steam\appcache\8800_app.pkv
c:\program files\steam\appcache\8820_app.pkv
c:\program files\steam\appcache\900_app.pkv
c:\program files\steam\appcache\9000_app.pkv
c:\program files\steam\appcache\901_app.pkv
c:\program files\steam\appcache\9010_app.pkv
c:\program files\steam\appcache\902_app.pkv
c:\program files\steam\appcache\903_app.pkv
c:\program files\steam\appcache\9030_app.pkv
c:\program files\steam\appcache\904_app.pkv
c:\program files\steam\appcache\9040_app.pkv
c:\program files\steam\appcache\905_app.pkv
c:\program files\steam\appcache\9050_app.pkv
c:\program files\steam\appcache\906_app.pkv
c:\program files\steam\appcache\9060_app.pkv
c:\program files\steam\appcache\907_app.pkv
c:\program files\steam\appcache\9070_app.pkv
c:\program files\steam\appcache\908_app.pkv
c:\program files\steam\appcache\9080_app.pkv
c:\program files\steam\appcache\909_app.pkv
c:\program files\steam\appcache\9090_app.pkv
c:\program files\steam\appcache\9100_app.pkv
c:\program files\steam\appcache\912_app.pkv
c:\program files\steam\appcache\9120_app.pkv
c:\program files\steam\appcache\913_app.pkv
c:\program files\steam\appcache\9130_app.pkv
c:\program files\steam\appcache\914_app.pkv
c:\program files\steam\appcache\915_app.pkv
c:\program files\steam\appcache\916_app.pkv
c:\program files\steam\appcache\9160_app.pkv
c:\program files\steam\appcache\917_app.pkv
c:\program files\steam\appcache\918_app.pkv
c:\program files\steam\appcache\9180_app.pkv
c:\program files\steam\appcache\919_app.pkv
c:\program files\steam\appcache\92_app.pkv
c:\program files\steam\appcache\920_app.pkv
c:\program files\steam\appcache\921_app.pkv
c:\program files\steam\appcache\922_app.pkv
c:\program files\steam\appcache\923_app.pkv
c:\program files\steam\appcache\924_app.pkv
c:\program files\steam\appcache\925_app.pkv
c:\program files\steam\appcache\926_app.pkv
c:\program files\steam\appcache\927_app.pkv
c:\program files\steam\appcache\928_app.pkv
c:\program files\steam\appcache\929_app.pkv
c:\program files\steam\appcache\930_app.pkv
c:\program files\steam\appcache\9300_app.pkv
c:\program files\steam\appcache\931_app.pkv
c:\program files\steam\appcache\932_app.pkv
c:\program files\steam\appcache\9320_app.pkv
c:\program files\steam\appcache\933_app.pkv
c:\program files\steam\appcache\9330_app.pkv
c:\program files\steam\appcache\934_app.pkv
c:\program files\steam\appcache\9340_app.pkv
c:\program files\steam\appcache\935_app.pkv
c:\program files\steam\appcache\936_app.pkv
c:\program files\steam\appcache\937_app.pkv
c:\program files\steam\appcache\938_app.pkv
c:\program files\steam\appcache\939_app.pkv
c:\program files\steam\appcache\940_app.pkv
c:\program files\steam\appcache\9400_app.pkv
c:\program files\steam\appcache\941_app.pkv
c:\program files\steam\appcache\942_app.pkv
c:\program files\steam\appcache\943_app.pkv
c:\program files\steam\appcache\944_app.pkv
c:\program files\steam\appcache\9440_app.pkv
c:\program files\steam\appcache\945_app.pkv
c:\program files\steam\appcache\9450_app.pkv
c:\program files\steam\appcache\946_app.pkv
c:\program files\steam\appcache\9460_app.pkv
c:\program files\steam\appcache\947_app.pkv
c:\program files\steam\appcache\948_app.pkv
c:\program files\steam\appcache\949_app.pkv
c:\program files\steam\appcache\950_app.pkv
c:\program files\steam\appcache\9500_app.pkv
c:\program files\steam\appcache\951_app.pkv
c:\program files\steam\appcache\9510_app.pkv
c:\program files\steam\appcache\953_app.pkv
c:\program files\steam\appcache\954_app.pkv
c:\program files\steam\appcache\955_app.pkv
c:\program files\steam\appcache\956_app.pkv
c:\program files\steam\appcache\957_app.pkv
c:\program files\steam\appcache\958_app.pkv
c:\program files\steam\appcache\959_app.pkv
c:\program files\steam\appcache\960_app.pkv
c:\program files\steam\appcache\961_app.pkv
c:\program files\steam\appcache\962_app.pkv
c:\program files\steam\appcache\963_app.pkv
c:\program files\steam\appcache\964_app.pkv
c:\program files\steam\appcache\965_app.pkv
c:\program files\steam\appcache\966_app.pkv
c:\program files\steam\appcache\967_app.pkv
c:\program files\steam\appcache\968_app.pkv
c:\program files\steam\appcache\969_app.pkv
c:\program files\steam\appcache\970_app.pkv
c:\program files\steam\appcache\971_app.pkv
c:\program files\steam\appcache\9710_app.pkv
c:\program files\steam\appcache\972_app.pkv
c:\program files\steam\appcache\973_app.pkv
c:\program files\steam\appcache\9730_app.pkv
c:\program files\steam\appcache\974_app.pkv
c:\program files\steam\appcache\9740_app.pkv
c:\program files\steam\appcache\975_app.pkv
c:\program files\steam\appcache\976_app.pkv
c:\program files\steam\appcache\9760_app.pkv
c:\program files\steam\appcache\977_app.pkv
c:\program files\steam\appcache\978_app.pkv
c:\program files\steam\appcache\979_app.pkv
c:\program files\steam\appcache\980_app.pkv
c:\program files\steam\appcache\9800_app.pkv
c:\program files\steam\appcache\981_app.pkv
c:\program files\steam\appcache\982_app.pkv
c:\program files\steam\appcache\983_app.pkv
c:\program files\steam\appcache\984_app.pkv
c:\program files\steam\appcache\985_app.pkv
c:\program files\steam\appcache\986_app.pkv
c:\program files\steam\appcache\987_app.pkv
c:\program files\steam\appcache\988_app.pkv
c:\program files\steam\appcache\989_app.pkv
c:\program files\steam\appcache\990_app.pkv
c:\program files\steam\appcache\991_app.pkv
c:\program files\steam\appcache\992_app.pkv
c:\program files\steam\appcache\994_app.pkv
c:\program files\steam\appcache\995_app.pkv
c:\program files\steam\appcache\996_app.pkv
c:\program files\steam\appcache\997_app.pkv
c:\program files\steam\appcache\998_app.pkv
c:\program files\steam\appcache\999_app.pkv
c:\program files\steam\appcache\imagecache.dat
c:\program files\steam\appcache\stats\UserGameStatsSchema_12900.vdf
c:\program files\steam\appcache\stats\UserGameStatsSchema_400.vdf
c:\program files\steam\appcache\stats\UserGameStatsSchema_440.vdf
c:\program files\steam\AppUpdateStats.blob
c:\program files\steam\bin\FileSystem_Steam.dll
c:\program files\steam\bin\friendsUI.dll
c:\program files\steam\bin\mss32_s.dll
c:\program files\steam\bin\nattypeprobe.dll
c:\program files\steam\bin\p2pcore.dll
c:\program files\steam\bin\p2pvoice.dll
c:\program files\steam\bin\ServerBrowser.dll
c:\program files\steam\bin\SteamService.dll
c:\program files\steam\bin\SteamService.exe
c:\program files\steam\bin\vaudio_speex.dll
c:\program files\steam\bin\vgui2.dll
c:\program files\steam\ClientRegistry.blob
c:\program files\steam\config\coplay_76561197965907014.vdf
c:\program files\steam\config\dialogconfig.vdf
c:\program files\steam\config\dialogconfigoverlay.vdf
c:\program files\steam\config\dialogconfigoverlay_1016x741.vdf
c:\program files\steam\config\dialogconfigoverlay_1024x768.vdf
c:\program files\steam\config\dialogconfigoverlay_1280x1024.vdf
c:\program files\steam\config\dialogconfigoverlay_565x434.vdf
c:\program files\steam\config\dialogconfigoverlay_792x573.vdf
c:\program files\steam\config\dialogconfigoverlay_800x600.vdf
c:\program files\steam\config\ingamedialogconfig.vdf
c:\program files\steam\config\masterservers.vdf
c:\program files\steam\config\serverbrowser.vdf
c:\program files\steam\config\shortcuts.vdf
c:\program files\steam\config\SteamAppData.vdf
c:\program files\steam\CSERHelper.dll
c:\program files\steam\dbghelp.dll
c:\program files\steam\friends\friend_online.wav
c:\program files\steam\friends\message.wav
c:\program files\steam\GameOverlayRenderer.dll
c:\program files\steam\GameOverlayRenderer.dll.log
c:\program files\steam\GameOverlayUI.exe
c:\program files\steam\GameOverlayUI.exe.log
c:\program files\steam\Graphics\avatar_32blank.tga
c:\program files\steam\Graphics\avatar_64blank.tga
c:\program files\steam\Graphics\avatarBorderInGame.tga
c:\program files\steam\Graphics\avatarBorderOffline.tga
c:\program files\steam\Graphics\avatarBorderOnline.tga
c:\program files\steam\Graphics\btnDefBottom.tga
c:\program files\steam\Graphics\btnDefBottomLeft.tga
c:\program files\steam\Graphics\btnDefBottomRight.tga
c:\program files\steam\Graphics\btnDefLeft.tga
c:\program files\steam\Graphics\btnDefRight.tga
c:\program files\steam\Graphics\btnDefTop.tga
c:\program files\steam\Graphics\btnDefTopLeft.tga
c:\program files\steam\Graphics\btnDefTopRight.tga
c:\program files\steam\Graphics\btnDisBottom.tga
c:\program files\steam\Graphics\btnDisBottomLeft.tga
c:\program files\steam\Graphics\btnDisBottomRight.tga
c:\program files\steam\Graphics\btnDisLeft.tga
c:\program files\steam\Graphics\btnDisRight.tga
c:\program files\steam\Graphics\btnDisTop.tga
c:\program files\steam\Graphics\btnDisTopLeft.tga
c:\program files\steam\Graphics\btnDisTopRight.tga
c:\program files\steam\Graphics\btnOvrOffBottom.tga
c:\program files\steam\Graphics\btnOvrOffBottomLeft.tga
c:\program files\steam\Graphics\btnOvrOffBottomRight.tga
c:\program files\steam\Graphics\btnOvrOffLeft.tga
c:\program files\steam\Graphics\btnOvrOffRight.tga
c:\program files\steam\Graphics\btnOvrOffTop.tga
c:\program files\steam\Graphics\btnOvrOffTopLeft.tga
c:\program files\steam\Graphics\btnOvrOffTopRight.tga
c:\program files\steam\Graphics\btnOvrOnBottom.tga
c:\program files\steam\Graphics\btnOvrOnBottomLeft.tga
c:\program files\steam\Graphics\btnOvrOnBottomRight.tga
c:\program files\steam\Graphics\btnOvrOnLeft.tga
c:\program files\steam\Graphics\btnOvrOnRight.tga
c:\program files\steam\Graphics\btnOvrOnTop.tga
c:\program files\steam\Graphics\btnOvrOnTopLeft.tga
c:\program files\steam\Graphics\btnOvrOnTopRight.tga
c:\program files\steam\Graphics\btnSelBottom.tga
c:\program files\steam\Graphics\btnSelBottomLeft.tga
c:\program files\steam\Graphics\btnSelBottomRight.tga
c:\program files\steam\Graphics\btnSelLeft.tga
c:\program files\steam\Graphics\btnSelRight.tga
c:\program files\steam\Graphics\btnSelTop.tga
c:\program files\steam\Graphics\btnSelTopLeft.tga
c:\program files\steam\Graphics\btnSelTopRight.tga
c:\program files\steam\Graphics\btnStdBottom.tga
c:\program files\steam\Graphics\btnStdBottomLeft.tga
c:\program files\steam\Graphics\btnStdBottomRight.tga
c:\program files\steam\Graphics\btnStdLeft.tga
c:\program files\steam\Graphics\btnStdRight.tga
c:\program files\steam\Graphics\btnStdTop.tga
c:\program files\steam\Graphics\btnStdTopLeft.tga
c:\program files\steam\Graphics\btnStdTopRight.tga
c:\program files\steam\Graphics\chkSelDis.tga
c:\program files\steam\Graphics\chkSelDown.tga
c:\program files\steam\Graphics\chkSelFocus.tga
c:\program files\steam\Graphics\chkSelStd.tga
c:\program files\steam\Graphics\chkUnselDis.tga
c:\program files\steam\Graphics\chkUnselFocus.tga
c:\program files\steam\Graphics\chkUnselStd.tga
c:\program files\steam\Graphics\creditcard_back.tga
c:\program files\steam\Graphics\creditcard_back_amex.tga
c:\program files\steam\Graphics\FriendsListSlantBG.tga
c:\program files\steam\Graphics\FriendsPanelLeftBG.tga
c:\program files\steam\Graphics\FriendsPanelLeftBG_Down.tga
c:\program files\steam\Graphics\FriendsPanelLeftBG_Over.tga
c:\program files\steam\Graphics\FriendsPanelRightBG.tga
c:\program files\steam\Graphics\gift_wizard_friends.tga
c:\program files\steam\Graphics\gift_wizard_heart.tga
c:\program files\steam\Graphics\icon_addFriend.tga
c:\program files\steam\Graphics\icon_button_back.tga
c:\program files\steam\Graphics\icon_button_back_disabled.tga
c:\program files\steam\Graphics\icon_button_back_down.tga
c:\program files\steam\Graphics\icon_button_back_over.tga
c:\program files\steam\Graphics\icon_button_forward.tga
c:\program files\steam\Graphics\icon_button_forward_disabled.tga
c:\program files\steam\Graphics\icon_button_forward_down.tga
c:\program files\steam\Graphics\icon_button_forward_over.tga
c:\program files\steam\Graphics\icon_button_friends.tga
c:\program files\steam\Graphics\icon_button_friends_mousedown.tga
c:\program files\steam\Graphics\icon_button_friends_mouseover.tga
c:\program files\steam\Graphics\icon_button_home.tga
c:\program files\steam\Graphics\icon_button_home_down.tga
c:\program files\steam\Graphics\icon_button_home_over.tga
c:\program files\steam\Graphics\icon_button_news.tga
c:\program files\steam\Graphics\icon_button_news_mousedown.tga
c:\program files\steam\Graphics\icon_button_news_mouseover.tga
c:\program files\steam\Graphics\icon_button_reload.tga
c:\program files\steam\Graphics\icon_button_reload_down.tga
c:\program files\steam\Graphics\icon_button_reload_over.tga
c:\program files\steam\Graphics\icon_button_servers.tga
c:\program files\steam\Graphics\icon_button_servers_mousedown.tga
c:\program files\steam\Graphics\icon_button_servers_mouseover.tga
c:\program files\steam\Graphics\icon_button_settings.tga
c:\program files\steam\Graphics\icon_button_settings_mousedown.tga
c:\program files\steam\Graphics\icon_button_settings_mouseover.tga
c:\program files\steam\Graphics\icon_button_stop.tga
c:\program files\steam\Graphics\icon_button_stop_down.tga
c:\program files\steam\Graphics\icon_button_stop_over.tga
c:\program files\steam\Graphics\icon_button_support.tga
c:\program files\steam\Graphics\icon_button_support_mousedown.tga
c:\program files\steam\Graphics\icon_button_support_mouseover.tga
c:\program files\steam\Graphics\icon_collapse.tga
c:\program files\steam\Graphics\icon_collapse_friends.tga
c:\program files\steam\Graphics\icon_collapse_over.tga
c:\program files\steam\Graphics\icon_expand.tga
c:\program files\steam\Graphics\icon_expand_friends.tga
c:\program files\steam\Graphics\icon_expand_over.tga
c:\program files\steam\Graphics\icon_info_sm.tga
c:\program files\steam\Graphics\icon_meterOff.tga
c:\program files\steam\Graphics\icon_meterOn.tga
c:\program files\steam\Graphics\icon_officerStar.tga
c:\program files\steam\Graphics\loop_1.tga
c:\program files\steam\Graphics\loop_2.tga
c:\program files\steam\Graphics\loop_3.tga
c:\program files\steam\Graphics\loop_4.tga
c:\program files\steam\Graphics\loop_5.tga
c:\program files\steam\Graphics\loop_6.tga
c:\program files\steam\Graphics\loop_7.tga
c:\program files\steam\Graphics\loop_8.tga
c:\program files\steam\Graphics\mini_expand.tga
c:\program files\steam\Graphics\mini_expand_mouseover.tga
c:\program files\steam\Graphics\mini_shrink.tga
c:\program files\steam\Graphics\mini_shrink_mouseover.tga
c:\program files\steam\Graphics\mnuSepCenter.tga
c:\program files\steam\Graphics\mnuSepLeft.tga
c:\program files\steam\Graphics\mnuSepRight.tga
c:\program files\steam\Graphics\radSelDis.tga
c:\program files\steam\Graphics\radSelDown.tga
c:\program files\steam\Graphics\radSelFocus.tga
c:\program files\steam\Graphics\radSelStd.tga
c:\program files\steam\Graphics\radUnselDis.tga
c:\program files\steam\Graphics\radUnselFocus.tga
c:\program files\steam\Graphics\radUnselStd.tga
c:\program files\steam\Graphics\rampDown_1.tga
c:\program files\steam\Graphics\rampDown_2.tga
c:\program files\steam\Graphics\rampDown_3.tga
c:\program files\steam\Graphics\rampDown_4.tga
c:\program files\steam\Graphics\rampUp_1.tga
c:\program files\steam\Graphics\rampUp_2.tga
c:\program files\steam\Graphics\rampUp_3.tga
c:\program files\steam\Graphics\rampUp_4.tga
c:\program files\steam\Graphics\resizer.tga
c:\program files\steam\Graphics\scrBottom.tga
c:\program files\steam\Graphics\scrBottomLeft.tga
c:\program files\steam\Graphics\scrBottomRight.tga
c:\program files\steam\Graphics\scrEnds.tga
c:\program files\steam\Graphics\scrLeft.tga
c:\program files\steam\Graphics\scrRight.tga
c:\program files\steam\Graphics\scrTop.tga
c:\program files\steam\Graphics\scrTopLeft.tga
c:\program files\steam\Graphics\scrTopRight.tga
c:\program files\steam\Graphics\shadowBottom.tga
c:\program files\steam\Graphics\shadowslantTop.tga
c:\program files\steam\Graphics\shadowTop.tga
c:\program files\steam\Graphics\simBottom.tga
c:\program files\steam\Graphics\simTop.tga
c:\program files\steam\Graphics\tabSquareBottomLeft.tga
c:\program files\steam\Graphics\tabSquareBottomRight.tga
c:\program files\steam\Graphics\tabSquareTopLeft.tga
c:\program files\steam\Graphics\tabSquareTopRight.tga
c:\program files\steam\Graphics\tabStdBottom.tga
c:\program files\steam\Graphics\tabStdBottomLeft.tga
c:\program files\steam\Graphics\tabStdBottomRight.tga
c:\program files\steam\Graphics\tabStdLeft.TGA
c:\program files\steam\Graphics\tabStdRight.TGA
c:\program files\steam\Graphics\tabStdTop.TGA
c:\program files\steam\Graphics\tabStdTopLeft.tga
c:\program files\steam\Graphics\tabStdTopRight.tga
c:\program files\steam\INSTALL.LOG
c:\program files\steam\logs\connection_log.txt
c:\program files\steam\mss32_s.dll
c:\program files\steam\Public\Account.html
c:\program files\steam\Public\c1.tga
c:\program files\steam\Public\c10.tga
c:\program files\steam\Public\c11.tga
c:\program files\steam\Public\c12.tga
c:\program files\steam\Public\c13.tga
c:\program files\steam\Public\c14.tga
c:\program files\steam\Public\c15.tga
c:\program files\steam\Public\c16.tga
c:\program files\steam\Public\c17.tga
c:\program files\steam\Public\c18.tga
c:\program files\steam\Public\c19.tga
c:\program files\steam\Public\c2.tga
c:\program files\steam\Public\c20.tga
c:\program files\steam\Public\c3.tga
c:\program files\steam\Public\c4.tga
c:\program files\steam\Public\c5.tga
c:\program files\steam\Public\c6.tga
c:\program files\steam\Public\c7.tga
c:\program files\steam\Public\c8.tga
c:\program files\steam\Public\c9.tga
c:\program files\steam\Public\ConnectionIssuesDialog.res
c:\program files\steam\Public\ErrorSteamAlreadyRunningDialog.res
c:\program files\steam\Public\P2PDetailPage.res
c:\program files\steam\Public\P2PDownloadDialog.res
c:\program files\steam\Public\P2PFilesPage.res
c:\program files\steam\Public\P2PGlobalOptions_Colors.res
c:\program files\steam\Public\P2PGlobalOptions_Files.res
c:\program files\steam\Public\P2PGlobalOptions_Interface.res
c:\program files\steam\Public\P2PGlobalOptions_Torrents.res
c:\program files\steam\Public\P2PGlobalOptions_Transfer.res
c:\program files\steam\Public\P2PGlobalOptionsDialog.res
c:\program files\steam\Public\P2PMetaDataPage.res
c:\program files\steam\Public\P2POptionsPage.res
c:\program files\steam\Public\P2PPeersPage.res
c:\program files\steam\Public\P2PSimplePage.res
c:\program files\steam\Public\RefreshLoginDialog.res
c:\program files\steam\Public\ssa_english.htm
c:\program files\steam\Public\ssa_french.htm
c:\program files\steam\Public\ssa_german.htm
c:\program files\steam\Public\ssa_italian.htm
c:\program files\steam\Public\ssa_russian.htm
c:\program files\steam\Public\ssa_spanish.htm
c:\program files\steam\Public\ssasubpanel.res
c:\program files\steam\Public\steam_logo.tga
c:\program files\steam\Public\steam_offline.ico
c:\program files\steam\Public\steam_offline.tga
c:\program files\steam\Public\steam_tray.ico
c:\program files\steam\Public\steam_tray.tga
c:\program files\steam\Public\steam_updating.ico
c:\program files\steam\Public\steam_updating.tga
c:\program files\steam\Public\steam_welcome_large.tga
c:\program files\steam\Public\steam_welcome_tooltray.tga
c:\program files\steam\Public\steam_working_large.tga
c:\program files\steam\Public\steam_working1.tga
c:\program files\steam\Public\SteamCacheWorkDialog.res
c:\program files\steam\Public\SteamLoginDialog.res
c:\program files\steam\Public\steamui_danish.txt
c:\program files\steam\Public\steamui_dutch.txt
c:\program files\steam\Public\steamui_english.txt
c:\program files\steam\Public\steamui_finnish.txt
c:\program files\steam\Public\steamui_french.txt
c:\program files\steam\Public\steamui_german.txt
c:\program files\steam\Public\steamui_italian.txt
c:\program files\steam\Public\steamui_japanese.txt
c:\program files\steam\Public\steamui_korean.txt
c:\program files\steam\Public\steamui_koreana.txt
c:\program files\steam\Public\steamui_norwegian.txt
c:\program files\steam\Public\steamui_polish.txt
c:\program files\steam\Public\steamui_portuguese.txt
c:\program files\steam\Public\steamui_russian.txt
c:\program files\steam\Public\steamui_schinese.txt
c:\program files\steam\Public\steamui_spanish.txt
c:\program files\steam\Public\steamui_swedish.txt
c:\program files\steam\Public\steamui_tchinese.txt
c:\program files\steam\Public\steamui_thai.txt
c:\program files\steam\Public\SubForgotPasswordAccountName.res
c:\program files\steam\Public\SubForgotPasswordCDKey.res
c:\program files\steam\Public\SubForgotPasswordEmailAddress.res
c:\program files\steam\Public\SubForgotPasswordIncorrect.res
c:\program files\steam\Public\SubForgotPasswordOther.res
c:\program files\steam\Public\SubForgotPasswordQuestion.res
c:\program files\steam\Public\SubForgotPasswordQuestionEmail.res
c:\program files\steam\Public\SubForgotPasswordResetType.res
c:\program files\steam\Public\SubForgotPasswordSentEmail.res
c:\program files\steam\Public\SubForgotPasswordSetNewPassword.res
c:\program files\steam\Public\SubForgotPasswordSuccess.res
c:\program files\steam\Public\SubForgotPasswordUserName.res
c:\program files\steam\Public\subpanelchoosedefaultcachedir.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccount.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountAccountName.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountEmail.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountEmailAlreadyUsed.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountFinished.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountMultiple.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountNameCollision.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountNames.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountPassword.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountPrintDetails.res
c:\program files\steam\Public\SubPanelWelcomeCreateNewAccountSecretQuestion.res
c:\program files\steam\Public\SubPanelWelcomeCreatingAccount.res
c:\program files\steam\Public\SubPanelWelcomeIntro.res
c:\program files\steam\Public\SubPanelWelcomeIntro_RetailInstall.res
c:\program files\steam\Public\SubPanelWelcomeRetailIntro.res
c:\program files\steam\Public\SupportQueryProgress.res
c:\program files\steam\Public\url_list.txt
c:\program files\steam\Public\UseOfflineFSMode.res
c:\program files\steam\Public\UseOfflineMode.res
c:\program files\steam\Public\UseOfflineModeChosen.res
c:\program files\steam\Public\VACBanDialog.res
c:\program files\steam\Public\WelcomeAccountCreateProgress.res
c:\program files\steam\resource\battery_border.tga
c:\program files\steam\resource\battery_bright.tga
c:\program files\steam\resource\battery_dim.tga
c:\program files\steam\resource\borders\Bottom.tga
c:\program files\steam\resource\borders\BottomLeft.tga
c:\program files\steam\resource\borders\BottomRight.tga
c:\program files\steam\resource\borders\check copy.tga
c:\program files\steam\resource\borders\check.tga
c:\program files\steam\resource\borders\check_disabled.tga
c:\program files\steam\resource\borders\check_disabled_selected.tga
c:\program files\steam\resource\borders\check_mousedown.tga
c:\program files\steam\resource\borders\check_selected.tga
c:\program files\steam\resource\borders\combo_b.TGA
c:\program files\steam\resource\borders\combo_bl.TGA
c:\program files\steam\resource\borders\combo_br.TGA
c:\program files\steam\resource\borders\combo_disabled_b.tga
c:\program files\steam\resource\borders\combo_disabled_bl.tga
c:\program files\steam\resource\borders\combo_disabled_br.tga
c:\program files\steam\resource\borders\combo_disabled_l.tga
c:\program files\steam\resource\borders\combo_disabled_r.tga
c:\program files\steam\resource\borders\combo_disabled_t.tga
c:\program files\steam\resource\borders\combo_disabled_tl.tga
c:\program files\steam\resource\borders\combo_disabled_tr.tga
c:\program files\steam\resource\borders\combo_l.TGA
c:\program files\steam\resource\borders\combo_r.TGA
c:\program files\steam\resource\borders\combo_t.TGA
c:\program files\steam\resource\borders\combo_tl.TGA
c:\program files\steam\resource\borders\combo_tr.TGA
c:\program files\steam\resource\borders\CountdownBG.tga
c:\program files\steam\resource\borders\default_b.tga
c:\program files\steam\resource\borders\default_bl.tga
c:\program files\steam\resource\borders\default_br.tga
c:\program files\steam\resource\borders\default_l.tga
c:\program files\steam\resource\borders\default_outside_b.tga
c:\program files\steam\resource\borders\default_outside_l.tga
c:\program files\steam\resource\borders\default_outside_r.tga
c:\program files\steam\resource\borders\default_outside_t.tga
c:\program files\steam\resource\borders\default_r.TGA
c:\program files\steam\resource\borders\default_t.tga
c:\program files\steam\resource\borders\default_tl.tga
c:\program files\steam\resource\borders\default_tr.tga
c:\program files\steam\resource\borders\disabled_b.TGA
c:\program files\steam\resource\borders\disabled_bl.TGA
c:\program files\steam\resource\borders\disabled_br.TGA
c:\program files\steam\resource\borders\disabled_l.TGA
c:\program files\steam\resource\borders\disabled_r.TGA
c:\program files\steam\resource\borders\disabled_t.TGA
c:\program files\steam\resource\borders\disabled_tl.TGA
c:\program files\steam\resource\borders\disabled_tr.TGA
c:\program files\steam\resource\borders\icon_button_friends_mousedown.tga
c:\program files\steam\resource\borders\icon_button_friends_mouseover.tga
c:\program files\steam\resource\borders\icon_button_news_mousedown.tga
c:\program files\steam\resource\borders\icon_button_news_mouseover.tga
c:\program files\steam\resource\borders\icon_button_servers_mousedown.tga
c:\program files\steam\resource\borders\icon_button_servers_mouseover.tga

#8
Azrael1415

    Member

  • Topic Starter
  • Member
  • 15 posts
Ran out of room: here's the rest of ComboFix and HijackThis:

ComboFix.txt (pt 2 - w/o the rest of my Steam files 'cause they're making it hard to post)
.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-03-31 01:36 . 2008-03-31 01:36 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\Lavasoft
2008-03-31 01:18 . 2006-02-28 06:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-03-31 01:16 . 2006-02-28 06:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-31 01:15 . 2004-05-12 23:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-31 01:12 . 2008-03-31 01:12 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-31 01:11 . 2008-03-31 01:11 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-31 01:10 . 2006-02-28 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-03-31 01:09 . 2006-02-28 06:00 214,528 --a--c--- C:\WINDOWS\system32\dllcache\icwconn1.exe
2008-03-31 01:09 . 2006-02-28 06:00 86,016 --a--c--- C:\WINDOWS\system32\dllcache\icwconn2.exe
2008-03-31 01:09 . 2006-02-28 06:00 32,768 --a--c--- C:\WINDOWS\system32\dllcache\icwdl.dll
2008-03-31 01:09 . 2006-02-28 06:00 20,480 --a--c--- C:\WINDOWS\system32\dllcache\inetwiz.exe
2008-03-31 01:06 . 2006-02-28 06:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe
2008-03-30 16:19 . 2006-03-20 16:33 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-03-30 13:03 . 2008-03-30 13:03 <DIR> d-------- C:\Program Files\Namco Bandai
2008-03-30 09:56 . 2008-03-30 16:31 <DIR> d--h----- C:\WHM
2008-03-29 23:52 . 2008-03-29 23:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-29 22:08 . 2008-03-29 22:50 164 --a------ C:\install.dat
2008-03-29 21:23 . 2008-03-29 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-29 17:04 . 2008-03-29 17:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-29 17:03 . 2008-03-29 16:56 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-29 17:03 . 2008-03-29 17:03 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-29 16:59 . 2008-03-29 16:59 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-29 16:42 . 2008-03-29 16:42 196,678 --a------ C:\WINDOWS\system32\lcntskdn.exe
2008-03-29 16:42 . 2008-03-29 16:42 907 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-29 16:41 . 2008-03-29 17:48 <DIR> d-------- C:\WINDOWS\system32\xTmp
2008-03-29 16:41 . 2008-03-29 19:09 <DIR> d-------- C:\WINDOWS\system32\winz1
2008-03-29 16:41 . 2008-03-29 16:41 <DIR> d-------- C:\WINDOWS\system32\IDME
2008-03-29 16:41 . 2008-03-29 19:09 <DIR> d-------- C:\WINDOWS\system32\bz3
2008-03-29 16:41 . 2008-03-29 23:17 <DIR> d--hs---- C:\WINDOWS\QnJhbmRvbiBOZXdidXJn
2008-03-29 16:41 . 2008-03-29 16:41 39,883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-26 08:13 . 2008-03-26 08:13 <DIR> d-------- C:\Program Files\Flagship Studios
2008-03-25 23:28 . 2008-03-25 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 23:12 . 2008-03-25 23:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-25 20:40 . 2006-02-28 06:00 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-03-24 08:29 . 2008-03-05 14:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-03-24 08:29 . 2008-03-05 14:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-24 08:29 . 2008-03-05 15:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-03-24 08:29 . 2008-02-05 22:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-03-24 08:29 . 2008-03-05 15:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-03-24 08:29 . 2008-03-05 15:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-23 09:23 . 2008-03-23 09:23 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-23 09:23 . 2008-03-24 22:07 39 --a------ C:\WINDOWS\popcinfot.dat
2008-03-23 09:23 . 2008-03-23 09:23 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-21 22:21 . 2008-03-23 19:52 3,145,784 --a------ C:\WINDOWS\war.bmp
2008-03-13 17:06 . 2008-03-13 17:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-03-11 07:18 . 2008-03-11 21:27 <DIR> d-------- C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-07 09:17 . 2008-03-07 09:17 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-03-06 20:42 . 2008-03-06 20:42 <DIR> d-------- C:\Program Files\Common Files\Viewpoint
2008-03-06 14:21 . 2008-03-06 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-05 21:54 . 2008-03-05 21:54 <DIR> d-------- C:\Program Files\Google
2008-03-04 08:23 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 03:47 --------- d-----w C:\Program Files\Trillian
2008-04-02 03:47 --------- d-----w C:\Documents and Settings\Azrael\Application Data\Xfire
2008-03-30 22:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 23:14 --------- d-----w C:\Documents and Settings\Azrael\Application Data\LimeWire
2008-03-29 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 18:19 --------- d-----w C:\Program Files\SmartFTP Client
2008-03-28 06:01 --------- d-----w C:\Program Files\Xfire
2008-03-26 05:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-24 13:58 --------- d-----w C:\Program Files\Tunebite
2008-03-12 03:27 --------- d-----w C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-05 14:33 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-05 14:32 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-03 21:49 --------- d-----w C:\Documents and Settings\Azrael\Application Data\tunebite
2008-02-29 07:01 --------- d-----w C:\Documents and Settings\Azrael\Application Data\RTPlayer
2008-02-22 13:39 --------- d-----w C:\Program Files\iTunes
2008-02-22 13:39 --------- d-----w C:\Program Files\iPod
2008-02-22 13:38 --------- d-----w C:\Program Files\QuickTime
2008-02-18 05:15 --------- d-----w C:\Documents and Settings\Azrael\Application Data\Realtime Soft
2008-02-11 21:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 04:01 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-08 04:42 22,328 ----a-w C:\Documents and Settings\Azrael\Application Data\PnkBstrK.sys
2007-11-21 04:58 11,976 ----a-w C:\Program Files\install.log
2007-04-18 02:19 25,464 ----a-w C:\Documents and Settings\Azrael\Application Data\GDIPFONTCACHEV1.DAT
2007-03-19 22:14 25,464 ----a-w C:\Documents and Settings\Crystal\Application Data\GDIPFONTCACHEV1.DAT
2006-03-31 02:53 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_ 8.53.30.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-02-28 12:00:00 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-14 00:39:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2006-02-28 12:00:00 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-08-14 00:39:00 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
- 2006-02-28 12:00:00 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2006-09-23 19:12:50 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2006-02-28 12:00:00 35,328 ----a-w C:\WINDOWS\system32\corpol.dll
+ 2007-08-14 00:42:54 17,408 ----a-w C:\WINDOWS\system32\corpol.dll
- 2006-02-28 12:00:00 61,440 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-14 00:39:20 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2006-02-28 12:00:00 99,840 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-08-14 00:39:00 123,904 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2006-02-28 12:00:00 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2006-09-23 19:12:50 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2006-02-28 12:00:00 35,328 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
+ 2007-08-14 00:42:54 17,408 -c--a-w C:\WINDOWS\system32\dllcache\corpol.dll
- 2005-01-28 19:44:28 28,672 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-14 00:54:10 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2006-02-28 12:00:00 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2007-08-14 00:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2006-02-28 12:00:00 201,728 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-08-14 00:35:38 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00:00 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-08-14 00:54:10 131,584 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2006-02-28 12:00:00 38,912 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-14 00:18:02 60,416 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2006-02-28 12:00:00 34,304 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-08-14 00:39:06 54,784 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2006-02-28 12:00:00 139,264 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-08-14 00:39:26 152,064 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2006-02-28 12:00:00 216,576 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-08-14 00:39:54 229,376 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2006-02-28 12:00:00 221,184 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-08-13 23:56:54 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2006-02-28 12:00:00 323,584 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-08-14 00:39:50 382,976 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2006-02-28 12:00:00 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-14 00:44:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2006-02-28 12:00:00 81,920 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
+ 2007-08-14 00:45:18 78,336 -c--a-w C:\WINDOWS\system32\dllcache\ieencode.dll
- 2006-02-28 12:00:00 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-14 00:54:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2006-02-28 12:00:00 48,640 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-08-14 00:39:10 43,008 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2006-02-28 12:00:00 62,976 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-14 00:39:12 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2006-02-28 12:00:00 93,184 -cs-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-08-14 00:43:56 622,080 -cs-a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2006-02-28 12:00:00 35,840 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-14 00:36:06 36,352 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2006-02-28 12:00:00 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-14 00:39:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2006-02-28 12:00:00 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-08-14 00:38:04 491,520 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2006-02-28 12:00:00 15,872 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-08-14 00:54:10 27,136 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2006-02-28 12:00:00 22,016 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-14 00:44:18 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2006-02-28 12:00:00 29,184 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2007-08-14 00:32:30 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2006-02-28 12:00:00 3,049,472 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-08-14 00:54:12 3,578,368 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2006-02-28 12:00:00 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-08-14 00:54:10 475,648 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2006-02-28 12:00:00 56,832 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-14 00:01:12 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2006-02-28 12:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-14 00:54:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2006-02-28 12:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-08-14 00:44:26 192,000 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2006-02-28 12:00:00 530,432 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-08-14 00:54:10 670,720 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2006-02-28 12:00:00 96,256 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-08-14 00:44:06 101,376 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2006-02-28 12:00:00 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2007-08-14 00:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2006-02-28 12:00:00 1,492,480 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2006-09-23 19:12:50 1,497,088 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2006-02-28 12:00:00 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2006-09-23 19:12:50 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2006-02-28 12:00:00 37,888 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-08-14 00:44:30 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2006-02-28 12:00:00 612,352 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-08-14 00:54:10 1,162,240 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2006-02-28 12:00:00 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2007-08-14 00:54:10 413,696 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2006-02-28 12:00:00 848,384 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-08-14 00:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
- 2006-02-28 12:00:00 276,480 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-08-14 00:54:10 231,424 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2006-02-28 12:00:00 656,384 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-08-14 00:54:10 818,688 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-02-28 12:00:00 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2007-08-14 00:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2006-02-28 12:00:00 201,728 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-08-14 00:35:38 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2006-02-28 12:00:00 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-08-14 00:54:10 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2006-02-28 12:00:00 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-08-14 00:39:06 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2006-02-28 12:00:00 139,264 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-08-14 00:39:26 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2006-02-28 12:00:00 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-08-14 00:39:54 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2006-02-28 12:00:00 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-08-13 23:56:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2006-02-28 12:00:00 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-08-14 00:39:50 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2006-02-28 12:00:00 81,920 ----a-w C:\WINDOWS\system32\ieencode.dll
+ 2007-08-14 00:45:18 78,336 ----a-w C:\WINDOWS\system32\ieencode.dll
- 2006-02-28 12:00:00 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-14 00:54:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2006-02-28 12:00:00 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-08-14 00:39:10 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2006-02-28 12:00:00 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-14 00:39:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2006-02-28 12:00:00 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-14 00:36:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2006-02-28 12:00:00 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-14 00:39:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-02-28 12:00:00 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-08-14 00:38:04 491,520 ----a-w C:\WINDOWS\system32\jscript.dll
- 2006-02-28 12:00:00 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-08-14 00:54:10 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2006-02-28 12:00:00 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-14 00:44:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2006-02-28 12:00:00 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-14 00:32:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2006-02-28 12:00:00 3,049,472 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-08-14 00:54:12 3,578,368 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2006-02-28 12:00:00 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-08-14 00:54:10 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2006-02-28 12:00:00 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-14 00:01:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2006-02-28 12:00:00 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-14 00:54:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2006-02-28 12:00:00 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-08-14 00:44:26 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
- 2006-02-28 12:00:00 530,432 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-08-14 00:54:10 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
- 2006-02-28 12:00:00 96,256 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-08-14 00:44:06 101,376 ----a-w C:\WINDOWS\system32\occache.dll
- 2006-02-28 12:00:00 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2007-08-14 00:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2006-02-28 12:00:00 1,492,480 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2006-09-23 19:12:50 1,497,088 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2006-02-28 12:00:00 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2006-09-23 19:12:50 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2006-02-28 12:00:00 37,888 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-08-14 00:44:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2006-02-28 12:00:00 612,352 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-08-14 00:54:10 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2006-02-28 12:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-08-14 00:54:10 413,696 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2006-02-28 12:00:00 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-08-14 00:54:10 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2006-02-28 12:00:00 656,384 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-08-14 00:54:10 818,688 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-05 21:54 29744]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2006-02-28 06:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_001.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_001.lnk
backup=C:\WINDOWS\pss\EA_RESTART_001.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_002.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_002.lnk
backup=C:\WINDOWS\pss\EA_RESTART_002.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Kirby Alarm.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Kirby Alarm.lnk
backup=C:\WINDOWS\pss\Kirby Alarm.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Screenza.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Screenza.lnk
backup=C:\WINDOWS\pss\Screenza.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=C:\WINDOWS\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate]
C:\WINDOWS\System32\msshed32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 16:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
C:\WINDOWS\System32\dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
C:\Program Files\Electronic Arts\EA Downloader\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 00:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Azrael\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
--a------ 2002-01-28 11:48 885760 C:\WINDOWS\system32\LXSUPMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oamc]
C:\WINDOWS\System32\WNSXS~1\winspool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
--a------ 2006-02-28 06:00 33280 C:\WINDOWS\System32\Rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean]
C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SchedulingAgent]
--a------ 2004-08-04 01:56 12288 C:\WINDOWS\system32\mstinit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheLionCluster]
C:\Program Files\The Lion\skinkers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThrustTSR]
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\Tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XemiComputers Scheduler]
C:\Program Files\XemiComputers\Smooth Program Scheduler\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
C:\Program Files\Common Files\??stem32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12087:TCP"= 12087:TCP:BitComet 12087 TCP
"12087:UDP"= 12087:UDP:BitComet 12087 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 16:31:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 22:02:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 22:03:08
ComboFix-quarantined-files.txt 2008-04-02 04:03:00
ComboFix2.txt 2008-03-31 14:53:44
Pre-Run: 12,074,467,328 bytes free
Post-Run: 11,789,979,648 bytes free
.
2007-10-28 08:37:29 --- E O F ---


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:01 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8290 bytes

Thanks!
  • 0

#9
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello Azrael1415,

Sorry about the games; it looks like steam.exe was showing as infected, and when the folder was deleted it took out the games as well.


Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads, please post the text that will open (report.txt) and a new HijackThis log.

===============================================

ATF Cleaner


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

===============================================


Needed in next reply:

FixWareout (report.txt)

Malwarebytes log

Fresh HJT log.
  • 0

#10
Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Everything is running well. I never really noticed a performance hit before today anyway. Still no issues with explorer.exe closing and reopening; however, RunDLL32.exe is constantly running in the background. Before the malware issue I would only ever see it running whenever it was loading a DLL and then it would close, but not now. I ran Spybot to see if it still saw Virtumonde and it does not.
  • 0

#11
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello Azrael1415,


Virtumonde was taken out on the first run of ComboFix, so we are good with that :) . However, the log showed other infections as well, so that's what we're working on now.

Rundll32.exe is an important process of your Windows operating system. The process rundll32.exe executes DLL files and puts their libraries into your system's memory. The process runs from your system directory C:\windows\system32. If it executes or runs from a different location, it is most likely a virus or trojan horse. Looking at your log, it appears to be running from C:\Program Files\Common Files\??stem32\rundll32.exe.

Also, the registry value for your antivirus is showing that your antivirus is off and not running. That's why it's not showing in your HijackThis log and I asked you to download one. There are several worms and viruses that disable Windows security features.

Don't worry, we can fix these things, but right now I am just running a few tools trying to get a better look at what's going on. So please follow the above instructions.
  • 0
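A small triage script that applies the two checks the moderator describes above (a Windows system binary name running from outside its expected directory, and Security Center / firewall values switched off) to log lines of the kind quoted in this thread. It is an added example, not part of HijackThis, ComboFix or any other tool used here; the expected-directory table assumes the standard Windows XP layout, and the sample lines are copied from the logs posted above.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example).

Flags the two signals discussed in this thread:
  1. a Windows system binary name launched from outside its legitimate
     directory (e.g. rundll32.exe under Program Files, svchost.exe in Fonts);
  2. registry values that silence Security Center alerts or turn off the
     Windows Firewall.
EXPECTED_DIRS follows the standard Windows XP layout (an assumption); the
sample lines are copied from the logs quoted in this thread.
"""
import re

# Binaries that legitimately live only in these directories on Windows XP.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIRS = {
    "rundll32.exe": {SYSTEM32},
    "svchost.exe": {SYSTEM32},
    "lsass.exe": {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32},
    "smss.exe": {SYSTEM32},
    "explorer.exe": {r"c:\windows"},
}

# A drive-letter path ending in .exe. HijackThis prints non-ASCII directory
# names as '?', so '?' is deliberately allowed inside the path.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)

# Security Center "...DisableNotify"=dword:1, or firewall "EnableFirewall"= 0.
WEAK_SETTING_RE = re.compile(
    r'"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"'
    r'=dword:0*1\b'
    r'|"EnableFirewall"=\s*0\b',
    re.IGNORECASE,
)


def suspicious_paths(lines):
    """Return (binary, path) pairs for system binaries running from the wrong place."""
    hits = []
    for line in lines:
        for path in PATH_RE.findall(line):
            parent, _, name = path.rpartition("\\")
            name = name.lower()
            if name in EXPECTED_DIRS and parent.lower() not in EXPECTED_DIRS[name]:
                hits.append((name, path))
    return hits


def weakened_security_settings(lines):
    """Return log lines that disable Security Center alerts or the firewall."""
    return [line.strip() for line in lines if WEAK_SETTING_RE.search(line)]


def triage(lines):
    """Run both checks and return a small report dictionary."""
    return {
        "misplaced_system_binaries": suspicious_paths(lines),
        "weakened_security_settings": weakened_security_settings(lines),
    }


# Constructed sample: lines copied from the ComboFix / HijackThis logs above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Azrael\lsass.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
--a------ 2006-02-28 06:00 33280 C:\WINDOWS\System32\Rundll32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
C:\Program Files\Common Files\??stem32\rundll32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"C:\\Program Files\\iTunes\\iTunes.exe"=
""".strip().splitlines()


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, path in report["misplaced_system_binaries"]:
        print(f"SUSPICIOUS  {name:<14} {path}")
    for line in report["weakened_security_settings"]:
        print(f"WEAKENED    {line}")
```

Entries that pass (the genuine C:\WINDOWS\System32\Rundll32.exe, the RUNDLL32.EXE launcher in the NvCplDaemon run key) are left alone; only the three misplaced copies and the three disabling registry values are reported.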

#12
Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
FixWareOut:

Username "Azrael" - 04/03/2008 19:38:21 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "smpsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "xgrsc" Value deleted
HKCR\CLSID\{E299870C-CB1A-4B52-85F0-B660E17C3FBC}\_h\4 Deleted.
HKCR\CLSID\{F65FD0A4-2E32-4341-B2C6-583D78787C3B}\_h\4 Deleted.
....
~~~~~ Misc files.
C:\WINDOWS\RDT.INI Deleted
C:\WINDOWS\System32\winctrl16.exe Deleted
C:\WINDOWS\System32\winctrl32.exe Deleted
C:\WINDOWS\System32\winctrl64.exe Deleted
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ISUSPM"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -scheduler"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Malwarebytes log:

Malwarebytes' Anti-Malware 1.10
Database version: 589

Scan type: Quick Scan
Objects scanned: 35694
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:30 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ???C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9242 bytes

  • 0

#13
BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Azrael1415,

Good news, that seemed to clean up a lot, and I can see your antivirus and firewall are now working and showing in your log :) . We are almost done, so stick with it; just a few more things to check out.

Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab



Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


===============================================


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

===============================================

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

===============================================


In your next reply I need the Deckard's System Scanner contents of main.txt and extra.txt, and the contents of the TotalScan report.
  • 0

#14
Azrael1415

Azrael1415

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
DSS Main:

Deckard's System Scanner v20071014.68
Run by Azrael on 2008-04-03 23:33:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Azrael.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:41 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Azrael\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Azrael.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8676 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080401-215352-296 O20 - Winlogon Notify: awttuutr - awttuutr.dll (file missing)
backup-20080401-215352-317 O2 - BHO: (no name) - {D1B6D3BE-03C5-4C9E-935B-EA8C40CA1CC8} - C:\WINDOWS\system32\urqQhefG.dll (file missing)
backup-20080403-233247-131 O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
backup-20080403-233247-277 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1 mupp - system32\drivers\mupp.sys (file missing)
1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
3 rtl8029 (Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver) - system32\drivers\rtl8029.sys (file missing)
0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
3 SRTSP - system32\drivers\srtsp.sys (file missing)
3 SRTSPL - system32\drivers\srtspl.sys (file missing)
1 SRTSPX - system32\drivers\srtspx.sys (file missing)
3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys <Not Verified; RapidSolution Software AG; Tunebite High-Speed Dubbing>
0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
3 UltraMonMirror - system32\drivers\ultramonmirror.sys (file missing)
1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
3 xbreader (MaxDrive XBox Driver (xbreader.sys)) - c:\windows\system32\drivers\xbreader.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

3 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - c:\program files\bonjour\mdnsresponder.exe (file missing)
3 FLEXnet Licensing Service - c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe
3 GoogleDesktopManager-022208-143751 (Google Desktop Manager 5.7.802.22438) - c:\program files\google\google desktop search\googledesktop.exe
4 ISPwdSvc (Symantec IS Password Validation) - c:\program files\norton antivirus\ispwdsvc.exe (file missing)
4 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe
3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-04-01 10:31:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-03 and 2008-04-03 -----------------------------

2008-04-03 21:00:39 0 d-------- C:\Documents and Settings\Crystal\Application Data\AVG7
2008-04-03 19:43:16 0 d-------- C:\Documents and Settings\Azrael\Application Data\Malwarebytes
2008-04-03 19:43:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-03 19:43:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-03 18:48:03 0 d-------- C:\Documents and Settings\Azrael\Application Data\AVG7
2008-04-03 18:47:42 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-03 18:47:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-03 18:39:07 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-04-03 18:39:07 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-04-03 18:39:01 0 d-------- C:\Program Files\Sygate
2008-04-02 08:14:31 0 d-------- C:\Documents and Settings\Azrael\VASSAL
2008-03-31 08:43:44 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-31 08:43:44 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-31 08:43:44 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-31 08:43:44 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-31 01:36:36 0 d-------- C:\Documents and Settings\Crystal\Application Data\Lavasoft
2008-03-31 01:21:07 0 d-------- C:\WINDOWS\Prefetch
2008-03-30 13:03:21 0 d-------- C:\Program Files\Namco Bandai
2008-03-30 09:56:40 0 d--h----- C:\WHM
2008-03-29 23:52:03 0 d-------- C:\Program Files\Trend Micro
2008-03-29 22:08:29 164 --a------ C:\install.dat
2008-03-29 21:23:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-29 17:03:58 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-29 17:03:58 2544 --a------ C:\WINDOWS\unins000.dat
2008-03-29 16:59:14 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2008-03-29 16:42:07 907 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-29 16:42:02 196678 --a------ C:\WINDOWS\system32\lcntskdn.exe
2008-03-29 16:41:56 0 d--hs---- C:\WINDOWS\QnJhbmRvbiBOZXdidXJn
2008-03-29 16:41:54 39883 --a------ C:\WINDOWS\system32\targetedbanner-uninst.exe
2008-03-29 16:41:51 0 d-------- C:\WINDOWS\system32\xTmp
2008-03-29 16:41:51 0 d-------- C:\WINDOWS\system32\winz1
2008-03-29 16:41:51 0 d-------- C:\WINDOWS\system32\IDME
2008-03-29 16:41:51 0 d-------- C:\WINDOWS\system32\bz3
2008-03-27 22:12:26 0 dr-h----- C:\Documents and Settings\Azrael\Recent
2008-03-26 08:13:23 0 d-------- C:\Program Files\Flagship Studios
2008-03-25 23:28:45 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-25 23:12:58 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-23 09:23:44 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-23 09:23:44 39 --a------ C:\WINDOWS\popcinfot.dat
2008-03-23 09:23:44 0 d-------- C:\Program Files\PopCap Games
2008-03-11 07:18:16 0 d-------- C:\Documents and Settings\Azrael\Application Data\.clue-by-4.org
2008-03-07 09:17:13 0 d-------- C:\Program Files\NVIDIA Corporation
2008-03-06 20:42:31 0 d-------- C:\Program Files\Common Files\Viewpoint
2008-03-06 14:21:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-05 21:54:43 0 d-------- C:\Program Files\Google
2008-03-04 08:23:55 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>


-- Find3M Report ---------------------------------------------------------------

2008-04-03 23:33:06 0 d-------- C:\Documents and Settings\Azrael\Application Data\Xfire
2008-04-03 23:33:05 0 d-------- C:\Program Files\Trillian
2008-04-03 13:59:27 0 d-------- C:\Program Files\Xfire
2008-03-31 08:44:20 0 d-------- C:\Program Files\Common Files
2008-03-30 16:19:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-29 17:14:15 0 d-------- C:\Documents and Settings\Azrael\Application Data\LimeWire
2008-03-29 12:19:52 0 d-------- C:\Program Files\SmartFTP Client
2008-03-28 21:15:50 0 d-------- C:\Documents and Settings\Azrael\Application Data\Adobe
2008-03-25 23:24:23 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-24 07:58:32 0 d-------- C:\Program Files\Tunebite
2008-03-03 15:49:17 0 d-------- C:\Documents and Settings\Azrael\Application Data\tunebite
2008-02-29 01:01:26 0 d-------- C:\Documents and Settings\Azrael\Application Data\RTPlayer
2008-02-22 07:39:19 0 d-------- C:\Program Files\iTunes
2008-02-22 07:39:10 0 d-------- C:\Program Files\iPod
2008-02-22 07:38:17 0 d-------- C:\Program Files\QuickTime
2008-02-17 23:15:02 0 d-------- C:\Documents and Settings\Azrael\Application Data\Realtime Soft
2008-02-17 12:38:09 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-02-15 14:34:51 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-11 15:19:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [ ]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [03/05/2008 09:54 PM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/03/2008 06:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 06:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_001.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_001.lnk
backup=C:\WINDOWS\pss\EA_RESTART_001.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EA_RESTART_002.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EA_RESTART_002.lnk
backup=C:\WINDOWS\pss\EA_RESTART_002.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Kirby Alarm.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Kirby Alarm.lnk
backup=C:\WINDOWS\pss\Kirby Alarm.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Screenza.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Screenza.lnk
backup=C:\WINDOWS\pss\Screenza.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=C:\WINDOWS\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Azrael^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=C:\Documents and Settings\Azrael\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=C:\WINDOWS\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atiupdate]
C:\WINDOWS\System32\msshed32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
C:\WINDOWS\System32\dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
C:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ElbyCheckElbyCDFL]
"C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process]
C:\WINDOWS\Fonts\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Documents and Settings\Azrael\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\system32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oamc]
"C:\WINDOWS\System32\WNSXS~1\winspool.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
"C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostSetupCheck]
"C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\atgban.dll" DllStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean]
"C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SchedulingAgent]
mstinit.exe /firstlogon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheLionCluster]
C:\Program Files\The Lion\skinkers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThrustTSR]
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\Tunebite\tunebite.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XemiComputers Scheduler]
C:\Program Files\XemiComputers\Smooth Program Scheduler\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ywl]
C:\Program Files\Common Files\??stem32\rundll32.exe




-- End of Deckard's System Scanner: finished at 2008-04-03 23:35:07 ------------



DSS Extra:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 19%
Physical Memory (total/avail): 2047.29 MiB / 1642.91 MiB
Pagefile Memory (total/avail): 3939.43 MiB / 3682.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.67 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 17.56 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Azrael\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HellgateEnv=C:\Program Files\Flagship Studios\Hellgate London\
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Azrael
LOGONSERVER=\\COMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Azrael\LOCALS~1\Temp
TMP=C:\DOCUME~1\Azrael\LOCALS~1\Temp
ULTRAMON_LANGDIR=C:\Program Files\UltraMon\Resources\en
USERDOMAIN=COMPUTER
USERNAME=Azrael
USERPROFILE=C:\Documents and Settings\Azrael
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Azrael (admin)
Azrael (admin)
Crystal (admin)
test (new local, admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
BitComet 0.91 --> C:\Program Files\BitComet\uninst.exe
Call of Duty® 4 - Modern Warfare™ 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Hellgate: London --> MsiExec.exe /X{A2B4455D-1046-4732-BFBC-0821BEFC07BC}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IconForge beta version 7.23 --> "C:\Program Files\IconForge7\unins000.exe"
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Lexmark Supplies Monitor --> C:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z25-Z35 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXAXUN5C.EXE -dLexmark Z25-Z35
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Standard for Students and Teachers --> MsiExec.exe /I{913D0409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
MSXML 4.0 --> MsiExec.exe /I{428102E6-8A39-48B9-8389-847F5A44A600}
MSXML 4.0 --> MsiExec.exe /I{54BB0384-1C33-488F-A95B-877E480D3EDC}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
N4 Utility Machine --> C:\WINDOWS\ST4UNST.EXE -n "c:\Program Files\ST4UNST.LOG"
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA Photoshop Plug-ins --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23F79416-CAD1-41BF-99A3-040F6C814AAA}\Setup.exe" -l0x9
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Peggle Deluxe 1.01 --> C:\Program Files\PopCap Games\Peggle Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Peggle Deluxe\Install.log"
Quicken 2002 Basic --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\QUICKENW\Uninst.isu" -c"C:\Program Files\QUICKENW\uninst.dll"
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SmartFTP Client --> MsiExec.exe /I{6F23C1A3-9F62-470C-BD12-B83F04E67865}
SmartFTP Client 2.5 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 2.5 Setup Files\uninst-sftp.exe
SmartFTP Client 3.0 Setup Files (remove only) --> C:\Program Files\SmartFTP Client 3.0 Setup Files\uninst-sftp.exe
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
TeamCGW-NSRA Trackpack 2.0 --> C:\WINDOWS\unvise32.exe C:\Program Files\EA SPORTS\NASCAR SimRacing\GameData\Tracks\uninstal.log
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
VASSAL --> C:\WINDOWS\system32\javaws.exe -uninstall "http://www.vassaleng...ws/vassal.jnlp"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Warhammer - Mark of Chaos --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B5D76849-612B-6187-E59E-7E01335074E9}\setup.exe" -l0x9 -removeonly
Warhammer Mark of Chaos Manual Patch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{442D5880-05B4-4DC8-A038-2EDA79FAE601}\setup.exe" -l0x9 -removeonly
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Application Compatibility Update[Q319580] --> C:\WINDOWS\$NtUninstallQ319580$\spuninst\spuninst.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type20183 / Error
Event Submitted/Written: 03/31/2008 01:14:54 AM
Event ID/Source: 1000 / SceCli
Event Description:
Security configuration was not backed up.
Error 1208 to open database.

Event Record #/Type20182 / Error
Event Submitted/Written: 03/31/2008 01:13:34 AM
Event ID/Source: 4101 / VSS
Event Description:
Volume Shadow Copy Service error: Cannot obtain the collection 'Applications' from the COM+ catalog [0x80040154].



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type48396 / Error
Event Submitted/Written: 04/03/2008 07:39:08 PM / 04/03/2008 07:39:38 PM
Event ID/Source: 4 / sptd
Event Description:
Driver detected an internal error in its data structures for .

Event Record #/Type48391 / Error
Event Submitted/Written: 04/03/2008 07:32:49 PM / 04/03/2008 07:33:19 PM
Event ID/Source: 4 / sptd
Event Description:
Driver detected an internal error in its data structures for .

Event Record #/Type48387 / Warning
Event Submitted/Written: 04/03/2008 02:04:51 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type48386 / Warning
Event Submitted/Written: 04/02/2008 11:39:19 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type48385 / Warning
Event Submitted/Written: 04/02/2008 10:42:34 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-03 23:35:07 ------------


ActiveScan:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-04 08:05:47
PROTECTIONS: 0
MALWARE: 14
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Crystal\Cookies\crystal@doubleclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Azrael\Cookies\azrael@tribalfusion[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Azrael\Cookies\azrael@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Crystal\Cookies\crystal@advertising[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Azrael\Cookies\azrael@overture[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Azrael\Cookies\azrael@go[1].txt
00252281 Adware/Trymedia Adware No 0 Yes No C:\Documents and Settings\Azrael\My Documents\My Games\WormsArmageddon-dm[1].exe
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\fixwareout\FindT\nircmd.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{7A154173-848F-4F71-A219-F4A596D9A3ED}\RP3\A0000203.EXE
02235691 Generic Malware Virus/Trojan No 0 Yes Yes C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\HGStart9USA.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{7A154173-848F-4F71-A219-F4A596D9A3ED}\RP3\A0000188.sys
02904593 Adware/Trymedia Adware No 0 Yes No C:\WHM\Warhammer_MarkOfChaos-dm.exe
02910707 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{7A154173-848F-4F71-A219-F4A596D9A3ED}\RP1\A0000023.dll
02911457 Adware/TrafficSol Adware No 0 No No C:\WINDOWS\system32\IDME\TGbn1dll.exe[■%%\atgban.dll]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\WINDOWS\system32\lcntskdn.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description

#15 Azrael1415 (Topic Starter)

;===================================================================================================================================================================================
184380 MEDIUM MS08-002 
184379 MEDIUM MS08-001 
182048 HIGH MS07-069 
182046 HIGH MS07-067 
182043 HIGH MS07-064 
179553 HIGH MS07-061 
176382 HIGH MS07-057 
176383 HIGH MS07-058 
170911 HIGH MS07-050 
170907 HIGH MS07-046 
170906 HIGH MS07-045 
170904 HIGH MS07-043 
164915 HIGH MS07-035 
164913 HIGH MS07-033 
164911 HIGH MS07-031 
160623 HIGH MS07-027 
157262 HIGH MS07-022 
157261 HIGH MS07-021 
157260 HIGH MS07-020 
157259 HIGH MS07-019 
156477 HIGH MS07-017 
150253 HIGH MS07-016 
150249 HIGH MS07-013 
150248 HIGH MS07-012 
150247 HIGH MS07-011 
150243 HIGH MS07-008 
150242 HIGH MS07-007 
150241 MEDIUM MS07-006 
145501 HIGH MS07-004 
141034 HIGH MS06-076 
141033 MEDIUM MS06-075 
137571 HIGH MS06-070 
133387 MEDIUM MS06-065 
133386 MEDIUM MS06-064 
133385 MEDIUM MS06-063 
133379 HIGH MS06-057 
129977 MEDIUM MS06-053 
129976 MEDIUM MS06-052 
126093 HIGH MS06-051 
126092 MEDIUM MS06-050 
126087 HIGH MS06-046 
126086 MEDIUM MS06-045 
126082 HIGH MS06-041 
126081 HIGH MS06-040 
123421 HIGH MS06-036 
123420 HIGH MS06-035 
120825 MEDIUM MS06-032 
120823 MEDIUM MS06-030 
120818 HIGH MS06-025 
120815 HIGH MS06-022 
117384 MEDIUM MS06-018 
114666 HIGH MS06-015 
108744 MEDIUM MS06-008 
108743 MEDIUM MS06-007 
108742 MEDIUM MS06-006 
104567 HIGH MS06-002 
104237 HIGH MS06-001 
96574 HIGH MS05-053 
93395 HIGH MS05-051 
93394 HIGH MS05-050 
93454 MEDIUM MS05-049 
;===================================================================================================================================================================================


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:28 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-507921405-436374069-682003330-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198802631296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1193548030030
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS5\Services\Tcpip\..\{08D0B052-E64E-4802-B55C-CEB9A3F47C11}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: ??
?C?D  C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9004 bytes

BTW: this key (R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Azrael/My%20Documents/Important%20Documents/Home%20Page/index.html) is legit. I made a local HTML file that has all my most used links and stuff on it. I deleted the key per instruction, but I set it right back up through IE.