Geeks To Go forum thread
Windows Explorer Opens then closes and finally stops [CLOSED]



#1 VOLKMIESTER (New Member, 2 posts)
______EDITED BY ME_______

The problem seems to have gone away for now.
This is the post, but it appears to have resolved itself. I say this with trepidation because I have thought it was fixed before.

Sorry for any waste of time.

______END EDIT_________

Hi. We recently had the Smitfraud virus on our computer and we removed it using the SmitfraudFix program, but recently our antivirus program (Avira AntiVir Personal, free edition) has been coming up with loads of notifications about suspicious files. Then Explorer started to flash; the bottom bar and desktop flash on and off. Any programs running are unaffected, and every time I restart Explorer it flashes then closes. I have run SUPERAntiSpyware and removed the files. It asks me to restart because it can't delete certain files. Then the problem returns, same as before. I am running the Malwarebytes Anti-Malware search now. And this is the HijackThis log. Thank you for your time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:38 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Documents and Settings\Kevin\Desktop\Music\Bob Marley & The Wailers\Legend\[bleep]\Valve\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Steam] "C:\Documents and Settings\Kevin\Desktop\Music\Bob Marley & The Wailers\Legend\[bleep]\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [btyqnjri] C:\WINDOWS\system32\nmnyvctk.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [a6kdrqmtqH] C:\Documents and Settings\All Users\Application Data\vohojsxu\bofavwjq.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - c:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9454 bytes

This is my SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
Generated 04/22/2008 at 04:12 PM

Application Version : 3.6.1000

Core Rules Database Version : 3444
Trace Rules Database Version: 1436

Scan type : Quick Scan
Total Scan Time : 00:29:40

Memory items scanned : 390
Memory threats detected : 0
Registry items scanned : 1016
Registry threats detected : 12
File items scanned : 15422
File threats detected : 26

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7348D74C-731B-DECE-9F8A-A37D8214708E}
HKCR\CLSID\{7348D74C-731B-DECE-9F8A-A37D8214708E}
HKCR\CLSID\{7348D74C-731B-DECE-9F8A-A37D8214708E}\InProcServer32
HKCR\CLSID\{7348D74C-731B-DECE-9F8A-A37D8214708E}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\WLCSTP32.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3AEF888-A3E2-44EB-BD85-F0C85BA7673F}
HKCR\CLSID\{F3AEF888-A3E2-44EB-BD85-F0C85BA7673F}
HKCR\CLSID\{F3AEF888-A3E2-44EB-BD85-F0C85BA7673F}\InprocServer32
HKCR\CLSID\{F3AEF888-A3E2-44EB-BD85-F0C85BA7673F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTSPNHF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F3AEF888-A3E2-44EB-BD85-F0C85BA7673F}
HKCR\CLSID\{7348D74C-731B-DECE-9F8A-A37D8214708E}
HKCR\CLSID\{F3AEF888-A3E2-44EB-BD85-F0C85BA7673F}

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][2].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][2].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt

Trojan.DNSChanger-Codec
HKU\S-1-5-21-1214440339-1085031214-725345543-500\Software\uninstall

Adware.OneStepSearch
C:\Program Files\OneStepSearch\OneStepSearch_deleted0
C:\Program Files\OneStepSearch\OneStepSearch_deleted1\onestep.dll
C:\Program Files\OneStepSearch\OneStepSearch_deleted1\onestep.exe
C:\Program Files\OneStepSearch\OneStepSearch_deleted1\uninstall.exe
C:\Program Files\OneStepSearch\OneStepSearch_deleted1
C:\Program Files\OneStepSearch\OneStepSearch_deleted_\onestep.dll
C:\Program Files\OneStepSearch\OneStepSearch_deleted_\onestep.exe
C:\Program Files\OneStepSearch\OneStepSearch_deleted_\uninstall.exe
C:\Program Files\OneStepSearch\OneStepSearch_deleted_
C:\Program Files\OneStepSearch

Trojan.Downloader-Gen/Win
C:\WINDOWS\NPQTSRAK.EXE
C:\WINDOWS\RTQMEKWG.EXE

Here is the Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.11
Database version: 672

Scan type: Quick Scan
Objects scanned: 36859
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cbXNdEUN.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ce7331e-5821-466d-aedf-30a10c122ce2} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8ce7331e-5821-466d-aedf-30a10c122ce2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f3aef888-a3e2-44eb-bd85-f0c85ba7673f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f3aef888-a3e2-44eb-bd85-f0c85ba7673f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxndeun -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxndeun -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXNdEUN.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\NUEdNXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NUEdNXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\System32bdn.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32hxiwlgpm.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32ssvchost.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32taack.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\System32VBIEWER.OCX (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer.exe.Z-missing.txt (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Edited by VOLKMIESTER, 22 April 2008 - 06:59 PM.

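The triage that a malware helper does by eye on the O4 and O23 lines of a log like the one above can be scripted. The Python below is an added example, not code from this thread, from HijackThis or from any of the tools named in it. Its heuristics are assumptions drawn from the entries in this particular log (eight random lowercase letters for the dropped executable, its folder and its registry value name; an autorun under Policies\Explorer\Run; a service whose binary is "(file missing)"), and the sample input is six lines copied from the HijackThis log in the post.

```python
"""Triage of HijackThis O4/O23 lines for the autostart pattern seen in this thread.

Added example: not code from the thread, from HijackThis or from any of the
tools named in it. The heuristics are assumptions drawn from the entries in the
log above (eight random lowercase letters for the dropped executable, its
folder and its registry value name; a Policies\\Explorer\\Run autorun; a
service whose binary is "(file missing)"); tune them before relying on them.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied verbatim from the HijackThis log in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [btyqnjri] C:\WINDOWS\system32\nmnyvctk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [a6kdrqmtqH] C:\Documents and Settings\All Users\Application Data\vohojsxu\bofavwjq.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First token ending in an executable extension, quoted or not: paths with
# spaces are the norm on XP, so splitting the command on whitespace is wrong.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr|bat))', re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z]{8}$")  # assumption: the naming pattern in this log


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Executable path from an O4 command line or an O23 service path."""
    cmd = cmd.strip().replace(" (file missing)", "")
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def path_reasons(path: str) -> list:
    """Flags on the file name and on its parent folders."""
    parts = path.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    reasons = []
    if RANDOM_NAME.match(stem):
        reasons.append("random 8-letter executable name")
    if any(RANDOM_NAME.match(p) for p in parts[:-1]):
        reasons.append("random-named parent folder")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        if m := O4_RE.match(line):
            if "policies\\explorer\\run" in m["key"].lower():
                reasons.append("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
            if RANDOM_NAME.match(m["value"]):
                reasons.append("random registry value name")
            reasons += path_reasons(exe_path(m["cmd"]))
        elif m := O23_RE.match(line):
            if line.rstrip().endswith("(file missing)"):
                reasons.append("service binary missing (orphaned registration)")
            if m["owner"] == "Unknown owner":
                reasons.append("no vendor recorded for the service binary")
            reasons += path_reasons(exe_path(m["path"]))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample it flags three lines: `nmnyvctk.exe` (random value name and file name), `bofavwjq.exe` (Policies\Explorer\Run autorun, random file name, random folder) and the orphaned CLTNetCnService registration, while `jusched.exe`, `ctfmon.exe` and `hasplms.exe` pass. The random-name checks are the strong signal here; "(file missing)" and "Unknown owner" on their own are weak and mostly point at uninstall leftovers, which is why they are reported as separate reasons rather than folded into one score.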


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

There are infected files listed there...let's remove them :)

1. Download ComboFix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on ComboFix's window while it's running. That may cause it to stall.

#3 VOLKMIESTER (Topic Starter, New Member, 2 posts)
Here it is:

ComboFix 08-04-22.5 - Kevin 2008-04-23 18:39:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.393 [GMT -7:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hRrtuBeg.ini
C:\WINDOWS\system32\hRrtuBeg.ini2
C:\WINDOWS\system32\qWGjPXyb.ini
C:\WINDOWS\system32\qWGjPXyb.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-22 21:21 . 2008-04-22 21:21 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2008-04-22 19:36 . 2008-04-22 19:36 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Comodo
2008-04-22 18:55 . 2008-04-22 18:56 <DIR> d-------- C:\Program Files\CHEMIX School 3_50 (Evaluation Copy)
2008-04-22 17:49 . 2008-04-22 17:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-04-22 17:45 . 2008-04-22 17:45 <DIR> d-------- C:\Program Files\Comodo
2008-04-22 17:45 . 2007-06-05 08:55 211 --a------ C:\boot.ini.comodofirewall
2008-04-22 17:33 . 2008-04-22 17:33 <DIR> d-------- C:\Program Files\Panda Security
2008-04-22 17:14 . 2008-04-22 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 16:58 . 2008-04-22 16:58 <DIR> d-------- C:\Deckard
2008-04-22 15:41 . 2008-04-22 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-22 15:40 . 2008-04-22 17:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-22 15:40 . 2008-04-22 15:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-22 15:40 . 2008-04-22 15:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-22 15:40 . 2008-04-22 15:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-22 15:40 . 2008-04-22 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-22 06:20 . 2008-04-23 18:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-22 06:20 . 2008-04-22 06:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-21 20:41 . 2008-04-21 20:41 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-21 09:41 . 2008-04-21 20:48 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-04-17 19:51 . 2008-04-17 19:51 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\ATI
2008-04-17 19:51 . 2008-04-17 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-04-17 19:50 . 2008-04-17 19:50 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-17 17:08 . 2008-04-17 17:08 <DIR> d-------- C:\ATI
2008-04-17 16:44 . 2008-04-17 16:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-04-16 21:08 . 2008-04-16 21:08 <DIR> d-------- C:\Program Files\WinDirStat
2008-04-16 20:49 . 2008-04-16 21:03 <DIR> d-------- C:\WINDOWS\$regcmp$
2008-04-16 20:47 . 2008-04-16 20:47 <DIR> d-------- C:\Program Files\Auslogics
2008-04-16 20:47 . 2008-04-16 20:47 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Auslogics
2008-04-16 20:17 . 2008-04-16 20:17 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-04-16 20:05 . 2008-04-16 20:05 <DIR> d-------- C:\Program Files\Belarc
2008-04-16 20:05 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-04-16 20:04 . 2008-04-23 15:38 <DIR> d-------- C:\Program Files\RAM Idle LE
2008-04-16 20:04 . 2002-09-22 12:42 17,408 --a------ C:\WINDOWS\Shortcut.exe
2008-04-16 16:12 . 2008-04-16 16:12 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-16 15:49 . 2008-04-16 15:52 <DIR> d-------- C:\Program Files\AdVantage
2008-04-16 15:28 . 2008-04-16 15:28 2,561,772 --a------ C:\WINDOWS\system32\attractaemc1200.avi
2008-04-16 15:28 . 2008-04-16 15:28 272,868 --a------ C:\WINDOWS\system32\Windows XP Media Center Edition Screen Saver.scr
2008-04-16 15:20 . 2008-04-16 15:20 <DIR> d-------- C:\WINDOWS\resources
2008-04-15 22:22 . 2008-04-15 22:22 <DIR> d-------- C:\Program Files\Avira
2008-04-15 22:22 . 2008-04-15 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-15 22:21 . 2008-04-15 22:21 <DIR> d-------- C:\Program Files\IObit
2008-04-15 20:59 . 2008-04-15 22:58 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\TmpRecentIcons
2008-04-15 19:11 . 2008-04-16 16:23 204 --a------ C:\WINDOWS\wininit.ini
2008-04-15 18:55 . 2008-04-17 19:40 3,940 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-15 18:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-15 18:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-15 18:47 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-15 18:47 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-15 18:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-15 18:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-15 18:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-15 18:40 . 2008-04-17 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vohojsxu
2008-04-15 17:44 . 2008-04-15 17:44 <DIR> d-------- C:\Program Files\CFToolbox
2008-04-14 23:32 . 2008-04-14 23:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 15:41 . 2008-04-23 06:50 <DIR> d-------- C:\Program Files\Wireshark
2008-04-14 15:41 . 2008-04-14 15:41 <DIR> d-------- C:\Program Files\WinPcap
2008-04-06 17:27 . 2008-04-06 17:32 <DIR> d-------- C:\Program Files\Picasa2
2008-04-06 16:29 . 2008-04-06 16:29 115 --a------ C:\WINDOWS\VMorpher.INI
2008-04-06 16:29 . 2008-04-06 16:29 0 --a------ C:\WINDOWS\VDVD.INI
2008-04-06 16:29 . 2008-04-06 16:29 0 --a------ C:\WINDOWS\Cover.INI
2008-04-06 16:29 . 2008-04-06 16:29 0 --a------ C:\WINDOWS\avvcnvrt.INI
2008-04-06 16:21 . 2008-04-06 16:21 29 --a------ C:\WINDOWS\AVFTP.INI
2008-04-06 16:17 . 2008-04-06 16:17 <DIR> d-------- C:\Program Files\Solveig Multimedia
2008-04-06 15:10 . 2008-04-06 15:10 <DIR> d-------- C:\Program Files\iTunes
2008-04-06 15:10 . 2008-04-06 15:10 <DIR> d-------- C:\Program Files\iPod
2008-04-03 22:07 . 2008-04-03 22:07 <DIR> d-------- C:\DVDVideoSoft
2008-04-03 22:00 . 2008-04-21 20:48 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-03-30 12:10 . 1999-06-25 10:55 149,504 --a------ C:\WINDOWS\UNWISE.EXE
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 22:19 . 2008-03-28 22:19 9,801,728 --a------ C:\WINDOWS\system32\atioglx2.dll
2008-03-28 21:40 . 2008-03-28 21:40 167,936 --a------ C:\WINDOWS\system32\atiok3x2.dll
2008-03-28 21:05 . 2008-03-28 21:05 372,736 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-28 21:04 . 2008-03-28 21:04 299,008 --a------ C:\WINDOWS\system32\SET5F.tmp
2008-03-28 21:04 . 2008-03-28 21:04 299,008 --a------ C:\WINDOWS\system32\SET25.tmp
2008-03-28 20:55 . 2008-03-28 20:55 43,520 --a------ C:\WINDOWS\system32\SET69.tmp
2008-03-28 20:55 . 2008-03-28 20:55 43,520 --a------ C:\WINDOWS\system32\SET4D.tmp
2008-03-28 20:54 . 2008-03-28 20:54 536,576 --a------ C:\WINDOWS\system32\SET67.tmp
2008-03-28 20:54 . 2008-03-28 20:54 536,576 --a------ C:\WINDOWS\system32\SET41.tmp
2008-03-28 20:43 . 2008-03-28 20:43 3,176,480 --a------ C:\WINDOWS\system32\SET63.tmp
2008-03-28 20:43 . 2008-03-28 20:43 3,176,480 --a------ C:\WINDOWS\system32\SET2E.tmp
2008-03-28 20:36 . 2008-03-28 20:36 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2008-03-28 20:36 . 2008-03-28 20:36 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2008-03-28 20:36 . 2008-03-28 20:36 1,765,120 --a------ C:\WINDOWS\system32\SET65.tmp
2008-03-28 20:36 . 2008-03-28 20:36 1,765,120 --a------ C:\WINDOWS\system32\SET31.tmp
2008-03-28 20:36 . 2008-03-28 20:36 887,724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-03-28 20:24 . 2008-03-28 20:24 46,080 --a------ C:\WINDOWS\system32\amdpcom32.dll
2008-03-28 20:21 . 2008-03-28 20:21 393,216 --a------ C:\WINDOWS\system32\SET6B.tmp
2008-03-28 20:21 . 2008-03-28 20:21 393,216 --a------ C:\WINDOWS\system32\SET50.tmp
2008-03-28 20:12 . 2008-03-28 20:12 520,192 --a------ C:\WINDOWS\system32\SET61.tmp
2008-03-28 20:12 . 2008-03-28 20:12 520,192 --a------ C:\WINDOWS\system32\SET28.tmp
2008-03-26 15:33 . 2008-03-26 15:33 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Chief Architect X1
2008-03-25 22:40 . 2008-03-25 22:40 <DIR> d-------- C:\Program Files\FamilySearch
2008-03-25 22:13 . 2008-04-13 20:51 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Bioshock
2008-03-25 22:13 . 2008-03-25 22:13 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-25 21:02 . 2008-03-25 21:02 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-25 17:12 . 2008-03-25 17:12 <DIR> d-------- C:\Program Files\DIFX
2008-03-25 17:12 . 2008-03-25 17:12 <DIR> d-------- C:\Program Files\Common Files\Aladdin Shared
2008-03-25 17:12 . 2007-03-06 21:39 694,272 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2008-03-25 17:12 . 2007-03-15 14:48 535,807 --a------ C:\WINDOWS\system32\hasplms.exe
2008-03-25 17:12 . 2007-03-15 14:48 535,807 --a------ C:\WINDOWS\system32\aksllmtp.exe
2008-03-25 17:12 . 2007-03-12 20:48 351,744 --a------ C:\WINDOWS\system32\drivers\aksfridge.sys
2008-03-25 17:11 . 2008-03-25 17:11 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Chief Architect Full Version 11
2008-03-25 17:11 . 2007-03-06 21:39 329,856 --a------ C:\WINDOWS\system32\drivers\akshasp.sys
2008-03-25 17:11 . 2007-03-06 21:39 135,424 --a------ C:\WINDOWS\system32\drivers\akshhl.sys
2008-03-25 17:11 . 2007-03-06 21:39 105,728 --a------ C:\WINDOWS\system32\drivers\aksclass.sys
2008-03-25 17:11 . 2007-03-06 21:39 99,712 --a------ C:\WINDOWS\system32\drivers\aksusb.sys
2008-03-25 17:11 . 2007-03-12 20:48 29,184 --a------ C:\WINDOWS\system32\akshhl25.dll
2008-03-25 17:11 . 2007-01-28 17:22 7,168 --a------ C:\WINDOWS\system32\akshsp49.dll
2008-03-25 16:58 . 2008-03-25 17:10 <DIR> d-------- C:\Program Files\Chief Architect Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 15:14 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
2008-04-22 04:15 --------- d-----w C:\Documents and Settings\Kevin\Application Data\BitTorrent
2008-04-22 03:42 --------- d-----w C:\Program Files\Safari
2008-04-18 00:14 --------- d-----w C:\Program Files\ATI Technologies
2008-04-18 00:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 04:59 --------- d-----w C:\Program Files\StepMania CVS
2008-04-15 07:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 00:07 --------- d-----w C:\Program Files\eMule
2008-04-15 00:07 --------- d-----w C:\Program Files\Britannica 2004
2008-04-14 04:11 --------- d-----w C:\Program Files\Winamp
2008-04-07 00:27 --------- d-----w C:\Program Files\Google
2008-04-06 22:09 --------- d-----w C:\Program Files\QuickTime
2008-03-30 20:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-30 19:11 --------- d-----w C:\Program Files\Dell
2008-03-24 03:48 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Apple Computer
2008-03-23 00:08 --------- d-----w C:\Program Files\Bonjour
2008-03-23 00:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-22 23:29 --------- d-----w C:\Program Files\Memory Optimizer
2008-03-22 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-22 23:28 --------- d-----w C:\Program Files\HooTech
2008-03-22 23:27 --------- d-----w C:\Program Files\LimeWire
2008-03-22 23:22 --------- d-----w C:\Program Files\Java
2007-05-22 18:59 288 ----a-w C:\Documents and Settings\Kevin\generate.bat
2006-10-17 23:30 94,080 ----a-w C:\Documents and Settings\Kevin\Application Data\ezplay.sys
2006-10-17 23:30 81,920 ----a-w C:\Documents and Settings\Kevin\Application Data\ezpinst.exe
2006-10-07 02:02 47,360 ----a-w C:\Documents and Settings\Kevin\Application Data\pcouffin.sys
2003-04-24 22:53 827,392 ----a-w C:\Documents and Settings\Kevin\libeay32.dll
2007-08-07 15:36 23 --sha-w C:\WINDOWS\system32\afaaebf2_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 13:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C7EA796-7AF3-4EA3-86F3-C1C1E723D519}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{776A1C7F-3DA3-498C-AF70-1F4830C1FBB2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-10-04 13:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 13:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2003-02-20 15:45 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-12 06:27 11776 C:\WINDOWS\system32\regsvr32.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 06:18 49152]
"Adobe Version Cue CS2"="c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"RAM Idle Professional"="C:\Program Files\RAM Idle LE\RAM_XP.exe" [2006-01-17 05:38 135168]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2008-04-22 17:45 1115728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtspNhf]
awtspNhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Kevin\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-02-27 12:53 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVMedia]
E:\\Resource\AutoRerun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-01-12 19:36 323216 C:\Program Files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SequelizerUpdate]
C:\Program Files\Sequelizer\sequelizerupdate.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]
C:\DOCUME~1\Kevin\LOCALS~1\Temp\UIUCU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-10 22:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"1947:UDP"= 1947:UDP:*:Disabled:HASP SRM
"57812:TCP"= 57812:TCP:*:Disabled:Pando P2P TCP Listening Port
"57812:UDP"= 57812:UDP:*:Disabled:Pando P2P UDP Listening Port

R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46]
R2 aksfridge;HASP Fridge;C:\WINDOWS\system32\DRIVERS\aksfridge.sys [2007-03-12 20:48]
R2 dvdmmg;dvdmmg;C:\WINDOWS\system32\drivers\dvdmmg.sys [2007-09-06 03:15]
R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01]
S3 akshhl;Aladdin HASP HL Key;C:\WINDOWS\system32\DRIVERS\akshhl.sys [2007-03-06 21:39]
S3 HPx9G+;HPx9G+ Device USB Driver;C:\WINDOWS\system32\DRIVERS\HPx9G2k.sys [2006-01-04 19:42]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 13:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 03:41:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-12 23:12:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1158041941.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 2400 series#1158041941
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 18:44:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-04-23 18:48:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 01:48:39

Pre-Run: 40,453,865,472 bytes free
Post-Run: 40,297,365,504 bytes free

303 --- E O F --- 2008-04-15 07:20:51
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up C:\WINDOWS\wininit.ini in Notepad and erase all the contents inside. Copy and paste the below two lines into it and save the file:

[rename]
nul=


I want you to upload this file (C:\WINDOWS\system32\afaaebf2_r.dll) to http://virusscan.jotti.org and report back what it found.

Do you know what this is for?
C:\Program Files\Sequelizer\sequelizerupdate.lnk

If not, delete the Sequelizer folder.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
Folder::
C:\Documents and Settings\All Users\Application Data\vohojsxu
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C7EA796-7AF3-4EA3-86F3-C1C1E723D519}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{776A1C7F-3DA3-498C-AF70-1F4830C1FBB2}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtspNhf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far? Still ok? :)
  • 0
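As an added example that is not part of this thread, the following Python script applies the same first-pass checks greyknight17 acts on above (a Winlogon notify DLL listed without a path, an autostart entry running from a Temp folder, Security Center monitoring switched off, the Windows Firewall profile disabled) to a constructed excerpt in the layout of the ComboFix "Reg Loading Points" section. The excerpt and the heuristics are mine, not ComboFix output logic.

```python
import re

# Constructed excerpt in the layout of the ComboFix "Reg Loading Points" section above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtspNhf]
awtspNhf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]
C:\DOCUME~1\Kevin\LOCALS~1\Temp\UIUCU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_blocks(text):
    """Split the log into (registry key, [value lines]) pairs; blank lines end a block."""
    blocks, key, values = [], None, []
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, values))
            key, values = line[1:-1], []
        elif line.strip() and key is not None:
            values.append(line.strip())
    if key is not None:
        blocks.append((key, values))
    return blocks


def triage(text):
    """Return (key, reason) findings for the patterns a malware helper checks first."""
    findings = []
    for key, values in parse_blocks(text):
        k = key.lower()
        for v in values:
            # A Winlogon notify package normally lists a full path; a bare DLL name is suspicious.
            if "\\winlogon\\notify\\" in k and not re.match(r"^[a-z]:\\", v, re.I):
                findings.append((key, "Winlogon notify DLL listed without a full path"))
            # Legitimate autostarts rarely live in a user's Temp folder.
            if re.search(r"\\temp\\", v, re.I):
                findings.append((key, "autostart entry runs from a Temp folder"))
            # Malware often silences Security Center so the user is not warned.
            if "security center" in k and re.search(r'"(DisableMonitoring|AntiVirusDisableNotify)"=dword:0*1$', v):
                findings.append((key, "Security Center monitoring/notification disabled"))
            if "firewallpolicy" in k and re.match(r'"EnableFirewall"=\s*0\b', v):
                findings.append((key, "Windows Firewall disabled in this profile"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the awtspNhf, UIUCU, Security Center and firewall blocks and leaves the Avira and SUPERAntiSpyware entries alone; the same function can be pointed at a full ComboFix log read from disk.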

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0