Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I think this could be serious[CLOSED]


  • This topic is locked This topic is locked

#1
nothotstuff

nothotstuff

    Member

  • Member
  • PipPip
  • 10 posts
Is this a SERIOUS problem?

It sounds very similar to greengum's post, I think it might be the same thing.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:19 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\bihqriho.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\valecam\SilkQuit\SilkQuit.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - C:\WINDOWS\qtvglped.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [412f54de] rundll32.exe "C:\WINDOWS\system32\moryfxql.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kbdxhzun] C:\WINDOWS\system32\bihqriho.exe
O4 - HKLM\..\Policies\Explorer\Run: [Vr3XYkasgZ] C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SilkQuit Meter.lnk = C:\Program Files\valecam\SilkQuit\SilkQuit.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: ComponentAlrt - {c07af7e5-fa7a-425d-861e-e741a58062c9} - C:\WINDOWS\Resources\ComponentAlrt.dll
O21 - SSODL: RamSys - {52e2aa0e-1c20-49fb-b05d-65bcb245c1c9} - C:\WINDOWS\Resources\RamSys.dll
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - C:\WINDOWS\system32\bubbj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7655 bytes

Edited by nothotstuff, 18 April 2008 - 04:58 PM.

  • 0

Advertisements


#2
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then Un-check Word Wrap. (Word Wrap makes reading your log difficult).

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download SmitfraudFix (by S!Ri) to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of the Smitfraud rapport.txt
  • The contents of Combofix.txt
  • The contents of DSS main.txt
  • The contents of DSS extra.txt
Note that you may need to split the logs into two or three posts to ensure the complete logs are included.

Regards,
RatHat
  • 0

#3
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Deckard's System Scanner v20071014.68
Run by Cody's on 2008-04-19 08:41:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
95: 2008-04-19 13:41:39 UTC - RP340 - Deckard's System Scanner Restore Point
94: 2008-04-19 13:19:10 UTC - RP339 - ComboFix created restore point
93: 2008-04-18 20:34:24 UTC - RP338 - RegCure Backup
92: 2008-04-18 18:29:39 UTC - RP337 - Installed AdwareAlert
91: 2008-04-18 07:58:52 UTC - RP336 - Last known good configuration


-- First Restore Point --
1: 2008-04-18 07:55:33 UTC - RP246 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Cody's.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41, on 2008-04-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\krytsjqt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\valecam\SilkQuit\SilkQuit.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cody's\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cody's.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DVA Storm - {069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C} - C:\WINDOWS\lgmxvpatfbo.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: DVA Storm - {F97B50CB-E441-427A-967E-0300347AD03E} - C:\WINDOWS\lgmxvpatnpa.dll
O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - C:\WINDOWS\qtvglped.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kbdxhzun] C:\WINDOWS\system32\bihqriho.exe
O4 - HKCU\..\Run: [hodddvjt] C:\WINDOWS\system32\krytsjqt.exe
O4 - HKLM\..\Policies\Explorer\Run: [Vr3XYkasgZ] C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SilkQuit Meter.lnk = C:\Program Files\valecam\SilkQuit\SilkQuit.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: exegeses - {db763ed8-100a-481b-8913-50a2f41dcdc3} - C:\WINDOWS\system32\bubbj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 8368 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,70


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 INO_FLPY - c:\windows\system32\drivers\ino_flpy.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 7.X/6.X/4.X>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 INO_FLTR - c:\windows\system32\drivers\ino_fltr.sys <Not Verified; Computer Associates; CA eTrust Antivirus/InoculateIT version 7.X/6.X>
R3 catchme - c:\combofix\catchme.sys (file missing)
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 oflpydin - c:\docume~1\admin\locals~1\temp\oflpydin.sys (file missing)
S3 XTrapD12 - c:\program files\legend of ares\xtrap\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 InoRPC (eTrust Antivirus RPC Server) - "c:\program files\ca\etrust antivirus\inorpc.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoRT (eTrust Antivirus Realtime Server) - "c:\program files\ca\etrust antivirus\inort.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoTask (eTrust Antivirus Job Server) - "c:\program files\ca\etrust antivirus\inotask.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-19 08:31:50 440 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-04-18 02:09:30 374 --a------ C:\WINDOWS\Tasks\RegCure.job


-- Files created between 2008-03-19 and 2008-04-19 -----------------------------

2008-04-19 08:32:24 98304 --a------ C:\WINDOWS\system32\krytsjqt.exe
2008-04-19 08:27:44 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-19 08:18:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-19 08:18:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-19 08:18:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-19 08:18:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-19 08:18:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-19 08:18:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-19 08:18:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-19 08:18:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-18 17:31:07 0 d-------- C:\Program Files\Trend Micro
2008-04-18 15:53:43 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-04-18 14:25:39 94208 --a------ C:\WINDOWS\system32\alqlifmb.exe
2008-04-18 13:56:29 94208 --a------ C:\WINDOWS\system32\volypsxi.exe
2008-04-18 13:16:18 94208 --a------ C:\WINDOWS\system32\gnmjmtop.exe
2008-04-18 08:57:37 106496 --a------ C:\WINDOWS\system32\nuxexgzg.exe
2008-04-18 02:52:22 266240 --a------ C:\WINDOWS\lgmxvpatnpa.dll
2008-04-18 02:50:54 200704 --a------ C:\WINDOWS\qtvglped.dll
2008-04-18 02:50:52 286720 --a------ C:\WINDOWS\lgmxvpatfbo.dll
2008-04-18 02:50:12 188416 --a------ C:\WINDOWS\pmsoarbf.dll
2008-04-18 02:49:51 106496 --a------ C:\WINDOWS\system32\bihqriho.exe
2008-04-18 02:49:51 0 d-------- C:\Documents and Settings\All Users\Application Data\darcvstu
2008-04-18 02:43:53 0 d-------- C:\WINDOWS\system32\892267
2008-04-17 19:28:27 0 d-------- C:\Program Files\GameTap
2008-04-17 19:28:27 0 d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-04-09 01:01:48 0 d-------- C:\Program Files\Immortal Defense


-- Find3M Report ---------------------------------------------------------------

2008-03-07 19:04:00 0 d-------- C:\Program Files\Windows Media Connect 2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C}]
2008-04-16 03:07 286720 --a------ C:\WINDOWS\lgmxvpatfbo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F97B50CB-E441-427A-967E-0300347AD03E}]
2008-04-17 20:15 266240 --a------ C:\WINDOWS\lgmxvpatnpa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-30 13:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 11:23]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2006-11-10 08:10]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-08-18 17:25]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-31 12:46]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Citrus Alarm Clock"="C:\Program Files\Citrus Alarm Clock\citrusac.exe" [2001-10-21 22:50]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"kbdxhzun"="C:\WINDOWS\system32\bihqriho.exe" [2008-04-18 02:49]
"hodddvjt"="C:\WINDOWS\system32\krytsjqt.exe" [2008-04-19 08:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Cody's\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-06-29 18:15:10]
SilkQuit Meter.lnk - C:\Program Files\valecam\SilkQuit\SilkQuit.exe [2002-08-22 09:11:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Vr3XYkasgZ"=C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{db763ed8-100a-481b-8913-50a2f41dcdc3}"= C:\WINDOWS\system32\bubbj.dll [2004-08-27 15:41 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-08-18 17:25 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
backup=C:\WINDOWS\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
? ??? ????? ??? ???

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? ??? ????? ??? ???

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBHC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusHeat 4.3]
"C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe" /h

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-04-19 08:42:31 ------------
  • 0

#4
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1023.48 MiB / 467.71 MiB
Pagefile Memory (total/avail): 2411.12 MiB / 1885.69 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.83 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 176.03 GiB total, 35.77 GiB free.
D: is Fixed (FAT32) - 10.22 GiB total, 8.2 GiB free.
E: is CDROM (No Media)
F: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - WDC WD2000JD-55HBB0 - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 176.07 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 10.23 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.
FirewallOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32BIT\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32BIT\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32BIT\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32BIT\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Cody's\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLASSPATH=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=STEVE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Cody's
INOCULAN=C:\PROGRA~1\CA\ETRUST~1
LOGONSERVER=\\STEVE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
sourcesdk=c:\program files\steam\steamapps\riddledstingray61\sourcesdk
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Cody's\LOCALS~1\Temp
TMP=C:\DOCUME~1\Cody's\LOCALS~1\Temp
USERDOMAIN=STEVE
USERNAME=Cody's
USERPROFILE=C:\Documents and Settings\Cody's
VProject=c:\program files\steam\steamapps\riddledstingray61\half-life 2\hl2
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Admin (admin)
Cody.STEVE (new local, admin)
Kim
Cody's (admin)
Jessica
Kaylee (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2\Program\Ctzapxx.EXE" /W /U /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe -runfromtemp -l0x0009/cont -removeonly
--> C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe -runfromtemp -l0x0009 -removeonly
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1494984B-9AC5-4F16-B61A-C21D5EFCC1C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1494984B-9AC5-4F16-B61A-C21D5EFCC1C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{266F8C74-5DC6-4405-B79B-4EB82B2FC684}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{266F8C74-5DC6-4405-B79B-4EB82B2FC684}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD549B7B-3532-4160-80D4-3E3DD39A9AE5}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
4Musics MP3 to WAV Converter v1.55 --> C:\PROGRA~1\4MUSIC~1\UNWISE.EXE C:\PROGRA~1\4MUSIC~1\INSTALL.LOG
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{77D2A9D3-5800-43E3-B274-87841BC87DB2}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A00000000001}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}
Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2}
Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~2\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{47813E93-F2A0-484A-838E-47EC1B28D190}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Big Fish Games Client --> C:\Program Files\bfgclient\Uninstall.exe
CA eTrust Antivirus --> MsiExec.exe /X{99747F0D-D4F8-4877-9CA0-4AE96D963633}
Citrus Alarm Clock 1.0.5 --> "C:\Program Files\Citrus Alarm Clock\unins000.exe"
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove
Daimonin Client 0.967 --> "C:\Program Files\daimonin\client\unins000.exe"
Digimax Master --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe" -l0x9 -removeonly
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Dragonshard --> MsiExec.exe /I{29A3B8CB-593A-4EA9-8BAB-9AEBF1C3EDFA}
Family Tree Maker 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4004E8B-6A95-4FA4-AA05-731FC6510474}\setup.exe" -l0x9
FileZilla Client 3.0.7.1 --> C:\Program Files\FileZilla FTP Client\uninstall.exe
Fraps --> "C:\Fraps\uninstall.exe"
FrostWire 4.13.1.5 BETA --> C:\Program Files\FrostWire\Uninstall.exe
GameTap --> C:\Program Files\InstallShield Installation Information\{67E158AF-8856-4337-B483-EA21930786AF}\setup.exe -runfromtemp -l0x0009 -removeonly
Garden Defense (remove only) --> "C:\Program Files\Garden Defense\Uninstall.exe"
GLIntercept 0.5 --> "C:\Program Files\GLIntercept0_5\unins000.exe"
GoldWave v5.12 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.12" "C:\Program Files\GoldWave\unstall.log"
GoldWave v5.20 --> "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.20" "C:\Program Files\GoldWave\unstall.log"
Google SketchUp --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E1423608-F529-40A1-93CA-C7F396F30DF0}\setup.exe" -l0x9
GTK+ 2.8.9 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\unins000.exe"
Guitar Pro 4 Demo --> MsiExec.exe /X{22C1B575-C746-46F2-80A3-EE9612AF5FAA}
Half-Life® 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
Harvest - Massive Encounter --> "C:\Program Files\Oxeye Games\Harvest\uninstall.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Immortal Defense 1.0 --> C:\Program Files\Immortal Defense\uninst.exe
Install(US)2 --> C:\Program Files\InstallShield Installation Information\{8A4D41F3-3EDA-4DAC-9403-839708EA0667}\setup.exe -runfromtemp -l0x0009 -removeonly
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL
Logitech Harmony Remote Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{D8A396DD-B7E8-4ED2-917F-BE8D5D86B196} /l1033
MediaShow 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
Medical Vocabulary 6.0 --> C:\Program Files\Medical Vocabulary\uninst.exe
Metacafe --> C:\Program Files\Metacafe\uninstaller.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Picture It! Publishing Platinum 2001 --> MsiExec.exe /I{501FC6C0-7F99-4937-99F6-9A65A964B710}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Muiltmedia keyboard utility 1.3 --> C:\Program Files\Muiltmedia keyboard utility\1.3\uninst00.exe
My Web Search (Zwinky) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsbar.dll,O
Nero 7 Essentials --> MsiExec.exe /I{5EDB9E58-D267-4AA7-8F9D-20D5B25C1033}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Picture Package Music Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE2121C6-C94D-4A73-8EA4-6943F33EE335}\setup.exe" -l0x9 -removeonly
Power2Go 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
PowerStarter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.0 --> C:\Program Files\RegCure\uninst.exe
Registry Patrol v3.0 --> C:\WINDOWS\unvise32.exe C:\Program Files\RegistryPatrol3.0\uninstal.log
RGSS-RTP Standard --> MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
RPGXP --> MsiExec.exe /I{9B34CAC6-738F-4A20-B428-A115C3E3474C}
S500/S600 USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{514DF7BB-D192-417C-BB60-58BF1FD34253}\Setup.exe" anything
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\INSTALL.LOG
SilkQuit v2.60 --> "C:\Program Files\valecam\SilkQuit\unins000.exe"
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\WINDOWS\SiS\900\Uninst.exe
SnagIt 7 --> MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
Sony Picture Utility --> C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe -runfromtemp -l0x0009 /removeonly uninstall -removeonly
Sound Blaster Audigy 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CECB9B3D-E681-4458-85F8-8D182941AF1D}\SETUP.EXE" -l0x9
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
Steam™ --> C:\PROGRA~1\STEAM\UNWISE.EXE C:\PROGRA~1\STEAM\INSTALL.LOG
StormFront --> C:\PROGRA~1\SIMU\STORMF~1\UNWISE.EXE C:\PROGRA~1\SIMU\STORMF~1\INSTALL.LOG
Stylus Studio 2007 XML Enterprise Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9947B3B6-D9ED-498E-AE06-697BA97EFA7F}\setup.exe" -uninstall
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TuneUp Utilities 2007 --> MsiExec.exe /I{C8BB4912-12D9-42AE-B571-E580D8CD1B5B}
TurboTax Deluxe 2005 --> C:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2005 --> MsiExec.exe /X{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Unity Web Player --> C:\Program Files\Unity\WebPlayer\Uninstall.exe
VNC Free Edition 4.1.1 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Voyage Century Online 1.30 --> "C:\Program Files\Voyage Century Online\unins000.exe"
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Wings 3D 0.98.32a --> C:\Program Files\wings3d_0.98.32a\Uninstall.exe
WinMPG VideoConvert 6.8 --> "C:\Program Files\WinMPG VideoConvert\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! SiteBuilder --> "C:\Program Files\Yahoo SiteBuilder\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3867 / Error
Event Submitted/Written: 04/19/2008 08:17:42 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module fcccbrlj.dll, version 0.0.0.0, fault address 0x00054ebd.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type3859 / Error
Event Submitted/Written: 04/19/2008 07:56:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module fcccbrlj.dll, version 0.0.0.0, fault address 0x00054ebd.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type3850 / Error
Event Submitted/Written: 04/18/2008 05:30:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module fcccbrlj.dll, version 0.0.0.0, fault address 0x00054ebd.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type3829 / Error
Event Submitted/Written: 04/18/2008 02:40:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3804 / Warning
Event Submitted/Written: 04/18/2008 08:59:19 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type43683 / Error
Event Submitted/Written: 04/19/2008 08:30:36 AM / 04/19/2008 08:30:40 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type43659 / Error
Event Submitted/Written: 04/19/2008 08:09:50 AM / 04/19/2008 08:10:21 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type43633 / Error
Event Submitted/Written: 04/19/2008 07:39:23 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The WMDM PMSP Service service failed to start due to the following error:
%%1053

Event Record #/Type43632 / Error
Event Submitted/Written: 04/19/2008 07:39:21 AM / 04/19/2008 07:39:23 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the WMDM PMSP Service service to connect.

Event Record #/Type43631 / Error
Event Submitted/Written: 04/19/2008 07:37:54 AM / 04/19/2008 07:38:25 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type



-- End of Deckard's System Scanner: finished at 2008-04-19 08:42:31 ------------
  • 0

#5
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix 08-04-18.3 - Cody's 2008-04-19 8:20:56.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.515 [GMT -5:00]
Running from: C:\Documents and Settings\Cody's\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\FunWebProducts
C:\Documents and Settings\Admin\Application Data\FunWebProducts\Data\Admin\avatar.dat
C:\Documents and Settings\Admin\Application Data\FunWebProducts\Data\Admin\register.dat
C:\Documents and Settings\Admin\Desktopblackbird.jpg
C:\Documents and Settings\Admin\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Admin\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Admin\Desktopfilemanagerclient.exe
C:\Documents and Settings\Admin\Desktopfkwp1.5.exe
C:\Documents and Settings\Admin\Desktopfkwp2.0.exe
C:\Documents and Settings\Admin\Desktopfwebd.exe
C:\Documents and Settings\Admin\DesktopFWebdEditor.exe
C:\Documents and Settings\Admin\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Admin\Desktopvirii
C:\Documents and Settings\Cody's\Application Data\FunWebProducts
C:\Documents and Settings\Cody's\Application Data\FunWebProducts\Data\Cody's\avatar.dat
C:\Documents and Settings\Cody's\Application Data\FunWebProducts\Data\Cody's\register.dat
C:\Documents and Settings\Cody's\Desktopblackbird.jpg
C:\Documents and Settings\Cody's\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Cody's\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Cody's\Desktopfilemanagerclient.exe
C:\Documents and Settings\Cody's\Desktopfkwp1.5.exe
C:\Documents and Settings\Cody's\Desktopfkwp2.0.exe
C:\Documents and Settings\Cody's\Desktopfwebd.exe
C:\Documents and Settings\Cody's\DesktopFWebdEditor.exe
C:\Documents and Settings\Cody's\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Cody's\Desktopvirii
C:\Documents and Settings\Jessica\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Jessica\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Jessica\Desktopfilemanagerclient.exe
C:\Documents and Settings\Jessica\Desktopfkwp1.5.exe
C:\Documents and Settings\Jessica\Desktopfkwp2.0.exe
C:\Documents and Settings\Jessica\Desktopfwebd.exe
C:\Documents and Settings\Jessica\DesktopFWebdEditor.exe
C:\Documents and Settings\Kaylee\Desktopblackbird.jpg
C:\Documents and Settings\Kaylee\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Kaylee\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Kaylee\Desktopfilemanagerclient.exe
C:\Documents and Settings\Kaylee\Desktopfkwp1.5.exe
C:\Documents and Settings\Kaylee\Desktopfkwp2.0.exe
C:\Documents and Settings\Kaylee\Desktopfwebd.exe
C:\Documents and Settings\Kaylee\DesktopFWebdEditor.exe
C:\Documents and Settings\Kaylee\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Kaylee\Desktopvirii
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\resources\ComponentAlrt.dll
C:\WINDOWS\resources\RamSys.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\892267\892267.dll
C:\WINDOWS\system32\aJloWvut.ini
C:\WINDOWS\system32\aJloWvut.ini2
C:\WINDOWS\system32\byXQIcDW.dll
C:\WINDOWS\system32\fcccBRlJ.dll
C:\WINDOWS\system32\JlRBcccf.ini
C:\WINDOWS\system32\JlRBcccf.ini2
C:\WINDOWS\system32\ljJDULEW.dll
C:\WINDOWS\system32\lqxfyrom.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\moryfxql.dll
C:\WINDOWS\system32\opnlIxVo.dll
C:\WINDOWS\system32\tuvWolJa.dll
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\[email protected]@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 08:32 . 2008-04-19 08:32 98,304 --a------ C:\WINDOWS\system32\krytsjqt.exe
2008-04-18 17:31 . 2008-04-18 17:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 14:25 . 2008-04-18 14:25 94,208 --a------ C:\WINDOWS\system32\alqlifmb.exe
2008-04-18 13:56 . 2008-04-18 13:56 94,208 --a------ C:\WINDOWS\system32\volypsxi.exe
2008-04-18 13:27 . 2008-04-18 14:00 2,389,442 ---hs---- C:\WINDOWS\system32\kccqeqto.ini
2008-04-18 13:16 . 2008-04-18 13:16 94,208 --a------ C:\WINDOWS\system32\gnmjmtop.exe
2008-04-18 09:55 . 2008-04-18 13:53 1,540,789 ---hs---- C:\WINDOWS\system32\ttswgkne.ini
2008-04-18 08:57 . 2008-04-18 08:57 106,496 --a------ C:\WINDOWS\system32\nuxexgzg.exe
2008-04-18 02:52 . 2008-04-17 20:15 266,240 --a------ C:\WINDOWS\lgmxvpatnpa.dll
2008-04-18 02:50 . 2008-04-16 03:07 286,720 --a------ C:\WINDOWS\lgmxvpatfbo.dll
2008-04-18 02:50 . 2008-04-16 03:07 200,704 --a------ C:\WINDOWS\qtvglped.dll
2008-04-18 02:50 . 2008-04-17 20:15 188,416 --a------ C:\WINDOWS\pmsoarbf.dll
2008-04-18 02:49 . 2008-04-18 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\darcvstu
2008-04-18 02:49 . 2008-04-18 02:49 106,496 --a------ C:\WINDOWS\system32\bihqriho.exe
2008-04-18 02:43 . 2008-04-18 02:43 <DIR> d-------- C:\WINDOWS\system32\892267
2008-04-17 19:28 . 2008-04-17 19:28 <DIR> d-------- C:\Program Files\GameTap
2008-04-17 19:28 . 2008-04-17 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-04-12 17:34 . 2008-04-16 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 17:34 . 2008-04-12 17:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 01:01 . 2008-04-09 01:01 <DIR> d-------- C:\Program Files\Immortal Defense

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 00:04 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-05 23:03 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-05 23:02 104 --sh--r C:\WINDOWS\system32\253B772219.sys
.
<pre>
----a-w		   385,024 2007-07-30 20:40:02  C:\Program Files\Acclaim\2Moons\Copy of .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C}]
2008-04-16 03:07 286720 --a------ C:\WINDOWS\lgmxvpatfbo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F97B50CB-E441-427A-967E-0300347AD03E}]
2008-04-17 20:15 266240 --a------ C:\WINDOWS\lgmxvpatnpa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{74E5E4E8-79DD-49AC-B64B-E74822D5F3CD}"= "C:\WINDOWS\qtvglped.dll" [2008-04-16 03:07 200704]

[HKEY_CLASSES_ROOT\clsid\{74e5e4e8-79dd-49ac-b64b-e74822d5f3cd}]
[HKEY_CLASSES_ROOT\qtvglped.1]
[HKEY_CLASSES_ROOT\TypeLib\{C93DB567-3F35-408F-8DE6-2B570DB6A5A0}]
[HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-08-18 17:25 1318912]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-31 12:46 1271032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Citrus Alarm Clock"="C:\Program Files\Citrus Alarm Clock\citrusac.exe" [2001-10-21 22:50 513024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"kbdxhzun"="C:\WINDOWS\system32\bihqriho.exe" [2008-04-18 02:49 106496]
"hodddvjt"="C:\WINDOWS\system32\krytsjqt.exe" [2008-04-19 08:32 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-30 13:24 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14 36975]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 11:23 155648]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2006-11-10 08:10 207360]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Cody.STEVE.002\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 15:32:57 147456]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe [2007-07-18 04:35:00 149256]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-24 11:58:15 368640]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 15:32:57 147456]

C:\Documents and Settings\Cody\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 15:32:57 147456]

C:\Documents and Settings\Cody's\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-06-29 18:15:10 24633]
SilkQuit Meter.lnk - C:\Program Files\valecam\SilkQuit\SilkQuit.exe [2002-08-22 09:11:07 257536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Vr3XYkasgZ"= C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{db763ed8-100a-481b-8913-50a2f41dcdc3}"= C:\WINDOWS\system32\bubbj.dll [2004-08-27 15:41 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-08-18 17:25 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
backup=C:\WINDOWS\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBHC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusHeat 4.3]
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-09-03 07:50]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-04-15 06:02]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-06-30 16:01]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-04-03 17:06]
S3 oflpydin;oflpydin;C:\DOCUME~1\Admin\LOCALS~1\Temp\oflpydin.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 07:09:30 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-19 13:31:50 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 08:32:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\GUARD.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-04-19 8:38:16 - machine was rebooted
ComboFix2.txt 2007-05-06 05:12:16
ComboFix-quarantined-files.txt 2008-04-19 13:38:12

Pre-Run: 36,386,111,488 bytes free
Post-Run: 38,472,187,904 bytes free

308
  • 0

#6
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I was unable to get my computer to boot up in safe mode.
It locked up on the agPCPQ.sys twice in a row, then I continued through the rest of the steps successfully.

Should I try safe mode now?
  • 0

#7
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Please make sure that you do these fixes in the order laid out below:

Please uninstall the following programs:

FrostWire 4.13.1.5 BETA
LimeWire 4.16.6
My Web Search (Zwinky)

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Posted Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Save this to your desktop and post the contents in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\krytsjqt.exe
C:\WINDOWS\system32\alqlifmb.exe
C:\WINDOWS\system32\volypsxi.exe
C:\WINDOWS\system32\kccqeqto.ini
C:\WINDOWS\system32\gnmjmtop.exe
C:\WINDOWS\system32\ttswgkne.ini
C:\WINDOWS\system32\nuxexgzg.exe
C:\WINDOWS\lgmxvpatnpa.dll
C:\WINDOWS\lgmxvpatfbo.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\system32\bihqriho.exe

Folder::
C:\Program Files\VirusHeat 4.3
C:\PROGRA~1\MYWEBS~1

Driver::
oflpydin

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069E8B19-0EAC-45D6-A5B3-A10FF9B69F4C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F97B50CB-E441-427A-967E-0300347AD03E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{74E5E4E8-79DD-49AC-B64B-E74822D5F3CD}"=-

[-HKEY_CLASSES_ROOT\clsid\{74e5e4e8-79dd-49ac-b64b-e74822d5f3cd}]
[-HKEY_CLASSES_ROOT\qtvglped.1]
[-HKEY_CLASSES_ROOT\TypeLib\{C93DB567-3F35-408F-8DE6-2B570DB6A5A0}]
[-HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kbdxhzun"=-
"hodddvjt"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Vr3XYkasgZ"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{db763ed8-100a-481b-8913-50a2f41dcdc3}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusHeat 4.3]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
C:\\Program Files\\FrostWire\\FrostWire.exe"=-
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

RENV::
C:\Program Files\Acclaim\2Moons\Copy of .exe

FileLook::
C:\WINDOWS\system32\253B772219.sys

DirLook::
C:\Documents and Settings\All Users\Application Data\darcvstu
C:\WINDOWS\system32\892267


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new DSS log.

Regards,
RatHat
  • 0

#8
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix 08-04-18.3 - Cody's 2008-04-19 13:37:24.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.480 [GMT -5:00]
Running from: C:\Documents and Settings\Cody's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cody's\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\lgmxvpatfbo.dll
C:\WINDOWS\lgmxvpatnpa.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\system32\alqlifmb.exe
C:\WINDOWS\system32\bihqriho.exe
C:\WINDOWS\system32\gnmjmtop.exe
C:\WINDOWS\system32\kccqeqto.ini
C:\WINDOWS\system32\krytsjqt.exe
C:\WINDOWS\system32\nuxexgzg.exe
C:\WINDOWS\system32\ttswgkne.ini
C:\WINDOWS\system32\volypsxi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\lgmxvpatfbo.dll
C:\WINDOWS\lgmxvpatnpa.dll
C:\WINDOWS\pmsoarbf.dll
C:\WINDOWS\qtvglped.dll
C:\WINDOWS\system32\alqlifmb.exe
C:\WINDOWS\system32\bihqriho.exe
C:\WINDOWS\system32\gnmjmtop.exe
C:\WINDOWS\system32\kccqeqto.ini
C:\WINDOWS\system32\krytsjqt.exe
C:\WINDOWS\system32\nuxexgzg.exe
C:\WINDOWS\system32\ttswgkne.ini
C:\WINDOWS\system32\volypsxi.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_oflpydin


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 17:31 . 2008-04-18 17:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 02:49 . 2008-04-18 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\darcvstu
2008-04-18 02:43 . 2008-04-18 02:43 <DIR> d-------- C:\WINDOWS\system32\892267
2008-04-17 19:28 . 2008-04-17 19:28 <DIR> d-------- C:\Program Files\GameTap
2008-04-17 19:28 . 2008-04-17 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-04-12 17:34 . 2008-04-16 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-12 17:34 . 2008-04-12 17:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 01:01 . 2008-04-09 01:01 <DIR> d-------- C:\Program Files\Immortal Defense

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 00:04 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-05 23:03 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-05 23:02 104 --sh--r C:\WINDOWS\system32\253B772219.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

- Not a PE file.

---- Directory of C:\Documents and Settings\All Users\Application Data\darcvstu ----

2008-04-18 02:49 34304 --a------ C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe

---- Directory of C:\WINDOWS\system32\892267 ----



((((((((((((((((((((((((((((( [email protected]_ 8.37.47.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-19 13:30:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-19 18:40:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-08-18 17:25 1318912]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-31 12:46 1271032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Citrus Alarm Clock"="C:\Program Files\Citrus Alarm Clock\citrusac.exe" [2001-10-21 22:50 513024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-30 13:24 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14 36975]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 11:23 155648]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2006-11-10 08:10 207360]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe [2007-07-18 04:35:00 149256]
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-24 11:58:15 368640]

C:\Documents and Settings\Cody's\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-06-29 18:15:10 24633]
SilkQuit Meter.lnk - C:\Program Files\valecam\SilkQuit\SilkQuit.exe [2002-08-22 09:11:07 257536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-08-18 17:25 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
backup=C:\WINDOWS\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBHC]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-09-03 07:50]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2008-04-15 06:02]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-06-30 16:01]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-04-03 17:06]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 07:09:30 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-04-19 18:41:54 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.




---------------------------------------------------------------------------------------------------------------------------



Deckard's System Scanner v20071014.68
Run by Cody's on 2008-04-19 13:54:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Cody's.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:54, on 2008-04-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\valecam\SilkQuit\SilkQuit.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Cody's\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cody's.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SilkQuit Meter.lnk = C:\Program Files\valecam\SilkQuit\SilkQuit.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7578 bytes

-- Files created between 2008-03-19 and 2008-04-19 -----------------------------

2008-04-19 13:37:22 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-19 13:26:12 0 d-------- C:\cmdcons
2008-04-19 08:18:06 68096 --a------ C:\WINDOWS\zip.exe
2008-04-19 08:18:06 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-19 08:18:06 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-19 08:18:06 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-19 08:18:06 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-19 08:18:06 98816 --a------ C:\WINDOWS\sed.exe
2008-04-19 08:18:06 80412 --a------ C:\WINDOWS\grep.exe
2008-04-19 08:18:06 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-18 17:31:07 0 d-------- C:\Program Files\Trend Micro
2008-04-18 15:53:43 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-04-18 02:49:51 0 d-------- C:\Documents and Settings\All Users\Application Data\darcvstu
2008-04-18 02:43:53 0 d-------- C:\WINDOWS\system32\892267
2008-04-17 19:28:27 0 d-------- C:\Program Files\GameTap
2008-04-17 19:28:27 0 d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-04-09 01:01:48 0 d-------- C:\Program Files\Immortal Defense


-- Find3M Report ---------------------------------------------------------------

2008-03-07 19:04:00 0 d-------- C:\Program Files\Windows Media Connect 2


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-30 13:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-07 11:23]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2006-11-10 08:10]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTHelper"="CTHELPER.EXE" [2004-03-19 03:33 C:\WINDOWS\system32\CTHELPER.EXE]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-08-18 17:25]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-31 12:46]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Citrus Alarm Clock"="C:\Program Files\Citrus Alarm Clock\citrusac.exe" [2001-10-21 22:50]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Cody's\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-06-29 18:15:10]
SilkQuit Meter.lnk - C:\Program Files\valecam\SilkQuit\SilkQuit.exe [2002-08-22 09:11:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-08-18 17:25 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
backup=C:\WINDOWS\pss\Logitech Harmony Remote V5.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
? ??? ????? ??? ???

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? ??? ????? ??? ???

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBHC]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-04-19 13:55:09 ------------
  • 0

#9
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Looking better!

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe
  • Click on the submit button
  • When the scan is complete, highlight all the results and copy them into Notepad
  • Save the Notepad file to your desktop as Jotti.txt
  • Please post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Run ATF Cleaner again, before carrying out this next fix.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include:
  • The contents of Jotti.txt
  • The MBAM log
  • The contents of Kaspersky.txt
And let me know how your computer is performing now.

Regards,
RatHat
  • 0

#10
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Jotti

Scan taken on 19 Apr 2008 19:45:47 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.XPACK.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Downloader.Agent.AFMR
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably a variant of Win32/TrojanDownloader.FakeAlert.BP (probable variant)
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

________________________________________________________________________________
__________




Malwarebytes' Anti-Malware 1.11
Database version: 656

Scan type: Quick Scan
Objects scanned: 48017
Time elapsed: 16 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 128
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{b3dce744-06c7-4c09-b99d-f54254c0954f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ea8279e1-f6b8-495a-8c6a-cb47bd8356d1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c7ccfdab-ccb0-46ad-8bf9-45aff6c7b742} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7bafe909-2f2d-4da0-a398-d22458caf3dc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db763ed8-100a-481b-8913-50a2f41dcdc3} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{621feacd-8857-43a6-ae26-451d670d5370} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.bvtp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtvglped.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.shellviewcontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\892267 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cody's\Start Menu\Programs\VirusHeat 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bubbj.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cody's\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cody's\Start Menu\Programs\VirusHeat 4.3\Uninstall VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cody's\Start Menu\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cody's\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
________________________________________________________________________________
___________________________




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-04-21 09:16
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/04/2008
Kaspersky Anti-Virus database records: 716916
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 240338
Number of viruses found: 24
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 05:32:15

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\{00000000-00000000-00000007-00001102-00000008-10011102}.CDF Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Documents and Settings\All Users\Documents\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5ce8093f.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5ce8093f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-23ea5779.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-23ea5779.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-23ea5779.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-23ea5779.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Cody.STEVE.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42298a74.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Cody.STEVE.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42298a74.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cody's\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\History\History.IE5\MSHist012008042020080421\index.dat Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Temp\~DF4DE2.tmp Object is locked skipped
C:\Documents and Settings\Cody's\Local Settings\Temp\~DF7FF8.tmp Object is locked skipped
C:\Documents and Settings\Cody's\Desktop\lavabeta\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cody's\Desktop\lavabeta\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cody's\Desktop\lavabeta\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Cody's\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\history.dat Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\parent.lock Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\cert8.db Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\key3.db Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\Mozilla\Firefox\Profiles\w7lxjcu9.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Cody's\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll bittorrent downloader.zip/BitDownload Setup.exe/stream/data0006 Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll bittorrent downloader.zip/BitDownload Setup.exe/stream Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll bittorrent downloader.zip/BitDownload Setup.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll bittorrent downloader.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.adj skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0010/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0010/stream Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe/data0010 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip/setup.exe Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip ZIP: infected - 8 skipped
C:\Documents and Settings\Cody's\Shared\sick slipknot.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Cody's\ntuser.dat Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\Program Files\Steam\logs\connection_log.txt Object is locked skipped
C:\Program Files\Steam\Steam.log Object is locked skipped
C:\Program Files\Steam\SteamApps\winui.gcf Object is locked skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP337\A0111490.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP337\A0111491.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP338\A0111768.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.ad skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP338\A0112791.exe Infected: Trojan-Downloader.Win32.Zlob.liz skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP338\A0112793.exe Infected: Trojan-Downloader.Win32.Zlob.liz skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP338\A0112794.exe Infected: Trojan-Downloader.Win32.Zlob.liz skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112909.dll Infected: Trojan.Win32.Agent.keu skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112910.dll Infected: Trojan.Win32.Agent.keu skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112911.dll Infected: not-a-virus:AdWare.Win32.E404.aa skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112912.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112913.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112914.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP339\A0112915.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP342\A0113060.dll Infected: not-a-virus:AdWare.Win32.Vapsup.ech skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP342\A0113061.dll Infected: not-a-virus:AdWare.Win32.Vapsup.eci skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP342\A0113062.dll Infected: not-a-virus:AdWare.Win32.Vapsup.eck skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP342\A0113063.dll Infected: not-a-virus:AdWare.Win32.Vapsup.ech skipped
C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP342\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\892267\892267.dll.vir Infected: not-a-virus:AdWare.Win32.E404.aa skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byXQIcDW.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJDULEW.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\moryfxql.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnlIxVo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\QooBox\Quarantine\C\WINDOWS\Resources\ComponentAlrt.dll.vir Infected: Trojan.Win32.Agent.keu skipped
C:\QooBox\Quarantine\C\WINDOWS\Resources\RamSys.dll.vir Infected: Trojan.Win32.Agent.keu skipped
C:\QooBox\Quarantine\C\WINDOWS\lgmxvpatfbo.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.ech skipped
C:\QooBox\Quarantine\C\WINDOWS\lgmxvpatnpa.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.eci skipped
C:\QooBox\Quarantine\C\WINDOWS\pmsoarbf.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.eck skipped
C:\QooBox\Quarantine\C\WINDOWS\qtvglped.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.ech skipped
D:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}\RP342\change.log Object is locked skipped

Scan process completed.
  • 0

Advertisements


#11
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe
C:\Documents and Settings\All Users\Application Data\darcvstu
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5ce8093f.zip
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-23ea5779.zip
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip
C:\Documents and Settings\Cody.STEVE.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42298a74.zip
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll bittorrent downloader.zip
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip
C:\Documents and Settings\Cody's\Shared\sick slipknot.mp3


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now lets uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    Posted Image

OK, in your next reply, please post me the contents of OTM.txt, a fresh HijackThis log, taken after completing the above, and let me know how your computer is performing now.

Regards,
RatHat
  • 0

#12
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:04 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\valecam\SilkQuit\SilkQuit.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\CF11898.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SilkQuit Meter.lnk = C:\Program Files\valecam\SilkQuit\SilkQuit.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7825 bytes


___________________________________________________


C:\Documents and Settings\All Users\Application Data\darcvstu\fadulkta.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\darcvstu moved successfully.
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5ce8093f.zip moved successfully.
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-255146ea-23ea5779.zip moved successfully.
C:\Documents and Settings\Cody\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-4a50ee1e.zip moved successfully.
C:\Documents and Settings\Cody.STEVE.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42298a74.zip moved successfully.
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll bittorrent downloader.zip moved successfully.
C:\Documents and Settings\Cody's\Shared\d3d9x30.dll new.zip moved successfully.
C:\Documents and Settings\Cody's\Shared\sick slipknot.mp3 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04212008_104634
  • 0

#13
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
How is the machine performing now?
  • 0

#14
nothotstuff

nothotstuff

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I'm not seeing the pop-ups anymore but, how do I test?


Everything is looking good to me.
  • 0

#15
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Lets run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient


Regards,
RatHat
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP