Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Fake security/antispyware virus trojandownloader.xs [RESOLVED]

Started by kattzzmeow , Apr 28 2008 09:28 AM

  • This topic is locked This topic is locked

#1
kattzzmeow
Posted 28 April 2008 - 09:28 AM

kattzzmeow

    New Member

  • Member
  • Pip
  • 7 posts
A few days ago I got this virus. I get the yellow triangle alert which sends me to an anti spyware site. I also get the one that looks like windows security. I am on windows vista.

This is my Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:04 PM, on 4/27/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\mdsncbkj\adopqxap.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\axyzmfup.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F9F4E73-695E-C0FD-9DC2-033AFA92E7DE} - C:\Windows\system32\CfgUiSh.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [pywnqewy] C:\Windows\system32\axyzmfup.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [vbeieiiz] C:\ProgramData\vbeieiiz\afebujcr.exe
O4 - HKCU\..\Run: [ywrxcmqs] C:\ProgramData\ywrxcmqs\tkzclmfu.exe
O4 - HKLM\..\Policies\Explorer\Run: [1TlD6abmQm] C:\ProgramData\mdsncbkj\adopqxap.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8500 bytes
  • 0

Advertisements

#2
Essexboy
Posted 28 April 2008 - 02:12 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
As a Vista user I will require that all the programmes I ask you to run, be run by right clicking the icon and selecting Run as Administrator. Otherwise some programmes may fail to do their job properly

Hi lets see if I can assist

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {3F9F4E73-695E-C0FD-9DC2-033AFA92E7DE} - C:\Windows\system32\CfgUiSh.dll
O4 - HKCU\..\Run: [pywnqewy] C:\Windows\system32\axyzmfup.exe
O4 - HKCU\..\Run: [vbeieiiz] C:\ProgramData\vbeieiiz\afebujcr.exe
O4 - HKCU\..\Run: [ywrxcmqs] C:\ProgramData\ywrxcmqs\tkzclmfu.exe
O4 - HKLM\..\Policies\Explorer\Run: [1TlD6abmQm] C:\ProgramData\mdsncbkj\adopqxap.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\system32\CfgUiSh.dll
C:\Windows\system32\axyzmfup.exe
C:\ProgramData\vbeieiiz
C:\ProgramData\ywrxcmqs
C:\ProgramData\mdsncbkj
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


FINALLY FOR NOW

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Logs required : OTMoveit and DSS Main and Extra texts
  • 0

#3
kattzzmeow
Posted 28 April 2008 - 04:37 PM

kattzzmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok so here are the logs from everything I was told to do. hopefully I did it right!
I did get a pop up security warning as I was pasting this to the reply so..there might be more still!
Thanks in advance for your help!

File/Folder C:\Windows\system32\CfgUiSh.dll not found.
File move failed. C:\Windows\system32\axyzmfup.exe scheduled to be moved on reboot.
C:\ProgramData\vbeieiiz moved successfully.
C:\ProgramData\ywrxcmqs moved successfully.
Folder move failed. C:\ProgramData\mdsncbkj scheduled to be moved on reboot.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04282008_151102


Deckard's System Scanner v20071014.68
Run by Kristie on 2008-04-28 15:23:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
15: 2008-04-28 16:50:49 UTC - RP93 - Scheduled Checkpoint
14: 2008-04-27 18:18:44 UTC - RP92 - Scheduled Checkpoint
13: 2008-04-26 07:26:40 UTC - RP91 - Removed WinZip 11.1
12: 2008-04-26 05:20:04 UTC - RP90 - ComboFix created restore point
11: 2008-04-26 03:04:53 UTC - RP89 - Restore Operation


-- First Restore Point --
1: 2008-04-12 16:41:06 UTC - RP79 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Kristie.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:31 PM, on 4/28/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\ProgramData\vqcluejs\harajmvg.exe
C:\Users\Kristie\Desktop\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kristie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [vqcluejs] C:\ProgramData\vqcluejs\harajmvg.exe
O4 - HKCU\..\Run: [pywnqewy] C:\Windows\system32\axyzmfup.exe
O4 - HKCU\..\Run: [vbeieiiz] C:\ProgramData\vbeieiiz\afebujcr.exe
O4 - HKCU\..\Run: [ywrxcmqs] C:\ProgramData\ywrxcmqs\tkzclmfu.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7520 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080427-195756-121 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20080427-195756-214 O2 - BHO: (no name) - {3F9F4E73-695E-C0FD-9DC2-033AFA92E7DE} - C:\Windows\system32\CfgUiSh.dll
backup-20080427-195756-272 O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
backup-20080427-195756-818 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
backup-20080427-195756-871 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080427-195756-939 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20080428-150533-385 O4 - HKLM\..\Policies\Explorer\Run: [1TlD6abmQm] C:\ProgramData\mdsncbkj\adopqxap.exe
backup-20080428-150533-665 O4 - HKCU\..\Run: [vbeieiiz] C:\ProgramData\vbeieiiz\afebujcr.exe
backup-20080428-150533-875 O4 - HKCU\..\Run: [ywrxcmqs] C:\ProgramData\ywrxcmqs\tkzclmfu.exe
backup-20080428-150533-885 O4 - HKCU\..\Run: [pywnqewy] C:\Windows\system32\axyzmfup.exe
backup-20080428-150726-135 O4 - HKCU\..\Run: [pywnqewy] C:\Windows\system32\axyzmfup.exe
backup-20080428-150726-334 O4 - HKCU\..\Run: [vbeieiiz] C:\ProgramData\vbeieiiz\afebujcr.exe
backup-20080428-150726-996 O4 - HKCU\..\Run: [ywrxcmqs] C:\ProgramData\ywrxcmqs\tkzclmfu.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 KodakSvc (Kodak AiO Device Service) - "c:\program files\kodak\printer\center\kodaksvc.exe" <Not Verified; Eastman Kodak Company; KodakSvc>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-17 20:33:12 404 --a------ C:\Windows\Tasks\EasyShare Registration Task.job


-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-28 07:33:41 0 d-------- C:\Users\All Users\vqcluejs
2008-04-27 19:36:58 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-27 09:43:10 0 d-------- C:\Users\All Users\wfyqysdr
2008-04-26 22:35:49 0 d-------- C:\Users\All Users\cakocuoq
2008-04-26 11:55:18 0 d-------- C:\Program Files\Panda Security
2008-04-26 10:35:18 0 d-------- C:\Users\All Users\lmepphds
2008-04-26 10:02:47 0 d-------- C:\Program Files\Enigma Software Group
2008-04-26 09:04:39 0 d-------- C:\Users\All Users\mzmghygo
2008-04-26 00:32:10 0 d-------- C:\Program Files\Trend Micro
2008-04-25 23:51:31 0 d-------- C:\Program Files\CCleaner
2008-04-25 23:01:40 0 d-------- C:\VundoFix Backups
2008-04-25 22:19:38 68096 --a------ C:\Windows\zip.exe
2008-04-25 22:19:38 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-25 22:19:38 98816 --a------ C:\Windows\sed.exe
2008-04-25 22:19:38 80412 --a------ C:\Windows\grep.exe
2008-04-25 22:19:38 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-25 22:19:37 49152 --a------ C:\Windows\VFind.exe
2008-04-25 22:19:37 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-25 22:19:37 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-25 21:02:35 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-25 20:55:50 0 -rahs---- C:\MSDOS.SYS
2008-04-25 20:55:50 0 -rahs---- C:\IO.SYS
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\WINWGPX.EXE
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\winsystem.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\winlogonpc.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\vcatchpi.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\temp#01.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\taack.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\taack.dat
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\sysreq.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\ssvchost.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\ssvchost.com
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\ssurf022.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\sncntr.exe
2008-04-25 14:30:33 0 d-------- C:\Windows\system32\smp
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\Rundl1.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\regm64.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\regc64.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\psoft1.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\psof1.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\ps1.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\newsd32.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\netode.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\mwin32.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\mtr2.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\msvchost.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\mssecu.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\msnbho.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\msgp.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\hxiwlgpm.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\hxiwlgpm.dat
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\hoproxy.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\dpcproxy.exe
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\bdn.com
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\awtoolb.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\anticipator.dll
2008-04-25 14:30:33 4096 --a------ C:\Windows\system32\akttzn.exe
2008-04-25 14:30:25 126976 --a------ C:\Users\All Users\vsnitczg.dll
2008-04-25 14:30:25 0 d-------- C:\Users\All Users\mdsncbkj
2008-04-25 14:30:19 98304 --a------ C:\Windows\system32\axyzmfup.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-26 11:34:38 0 d-------- C:\Users\Kristie\AppData\Roaming\Google
2008-04-26 09:53:52 0 d-------- C:\Program Files\Yahoo!
2008-04-26 09:53:37 0 d-------- C:\Program Files\Google
2008-04-26 00:25:54 0 d-------- C:\Program Files\Real
2008-04-26 00:25:54 0 d-------- C:\Program Files\Common Files\Real
2008-04-26 00:25:44 0 d-------- C:\Users\Kristie\AppData\Roaming\Real
2008-04-25 20:57:28 0 d-------- C:\Program Files\Common Files
2008-04-25 20:08:41 0 d-------- C:\Program Files\Picasa2
2008-04-25 14:19:35 0 d-------- C:\Users\Kristie\AppData\Roaming\LimeWire
2008-04-13 22:46:25 0 d-------- C:\Users\Kristie\AppData\Roaming\Corel
2008-04-13 22:22:04 1682 --ahs---- C:\Windows\system32\KGyGaAvL.sys
2008-04-13 19:36:49 0 d-------- C:\Program Files\Rhapsody
2008-04-09 14:11:03 0 d-------- C:\Program Files\Windows Mail
2008-04-05 20:47:14 0 d-------- C:\Users\Kristie\AppData\Roaming\Roxio
2008-04-04 15:09:28 0 d-------- C:\Program Files\World of Warcraft
2008-04-03 22:11:37 0 d-------- C:\Program Files\Java
2008-03-20 14:15:59 0 d-------- C:\Program Files\Lavasoft
2008-03-20 14:15:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 12:35:10 0 d-------- C:\Program Files\Corel
2008-03-11 18:25:44 0 d-------- C:\Program Files\Realtek
2008-03-11 18:21:59 0 d-------- C:\Program Files\HP
2008-03-11 18:21:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-11 18:05:19 0 d-------- C:\Users\Kristie\AppData\Roaming\WinBatch
2008-03-11 09:44:44 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-08 09:39:23 0 d-------- C:\Users\Kristie\AppData\Roaming\Adobe
2008-03-06 21:50:02 0 d-------- C:\Program Files\Common Files\Corel
2008-03-06 21:35:38 0 d-------- C:\Program Files\Kodak
2008-03-06 21:35:15 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-06 09:47:07 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-03-06 09:35:50 0 d-------- C:\Users\Kristie\AppData\Roaming\Ideazon
2008-03-06 09:33:23 0 d-------- C:\Program Files\Ideazon
2008-03-05 17:31:23 0 d-------- C:\Users\Kristie\AppData\Roaming\muvee Technologies
2008-03-04 22:13:50 0 d-------- C:\Users\Kristie\AppData\Roaming\WildTangent
2008-03-04 19:26:42 0 d-------- C:\Program Files\ffvfw
2008-03-04 17:58:50 0 d-------- C:\Users\Kristie\AppData\Roaming\Ulead Systems
2008-03-04 17:50:31 0 d-------- C:\Program Files\Windows Media Components
2008-03-04 17:49:45 0 d-------- C:\Program Files\Common Files\Ulead Systems
2008-03-04 17:49:38 0 d-------- C:\Program Files\Ulead Systems
2008-03-04 17:49:38 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-03 20:23:25 0 d-------- C:\Program Files\Alwil Software
2008-03-03 20:09:29 174 --ahs---- C:\Program Files\desktop.ini
2008-03-03 20:05:14 0 d-------- C:\Program Files\Windows Calendar
2008-03-03 20:04:40 0 d-------- C:\Program Files\Windows Defender
2008-03-03 20:04:09 0 d-------- C:\Program Files\Windows Sidebar
2008-03-03 19:32:07 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-03 19:04:13 0 d-------- C:\Program Files\MSXML 4.0
2008-03-03 18:02:22 0 d-------- C:\Program Files\LimeWire
2008-03-03 17:58:34 0 d-------- C:\Users\Kristie\AppData\Roaming\Vso
2008-03-03 17:58:33 34 --a------ C:\Users\Kristie\AppData\Roaming\pcouffin.log
2008-03-03 17:54:24 7887 --a------ C:\Users\Kristie\AppData\Roaming\pcouffin.cat
2008-03-03 17:54:21 0 d-------- C:\Program Files\MagicDVDCopier
2008-03-03 17:50:28 0 d-------- C:\Program Files\Common Files\Java
2008-03-03 17:08:28 0 --a------ C:\Windows\nsreg.dat
2008-03-03 17:08:21 0 d-------- C:\Users\Kristie\AppData\Roaming\Mozilla
2008-03-03 16:50:44 0 d-------- C:\Users\Kristie\AppData\Roaming\Hewlett-Packard
2008-03-03 16:48:33 0 d-------- C:\Users\Kristie\AppData\Roaming\Snapfish
2008-03-03 16:48:01 0 d-------- C:\Users\Kristie\AppData\Roaming\Identities
2008-03-03 16:41:51 0 d-------- C:\Users\Kristie\AppData\Roaming\Macromedia


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/03/2008 07:36 PM]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [09/28/2006 06:42 AM]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [02/15/2007 03:59 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [02/10/2007 05:18 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [02/10/2007 05:18 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [02/10/2007 05:18 PM]
"RtHDVCpl"="RtHDVCpl.exe" [01/15/2008 11:26 AM C:\Windows\RtHDVCpl.exe]
"SnapfishMediaDetector"="C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [03/02/2007 02:55 PM]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [07/15/2005 02:48 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 11:37 AM]
"EKIJ5000StatusMonitor"="C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [11/13/2007 11:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"DPService"="C:\Program Files\HP\DVDPlay\DPService.exe" [12/18/2007 01:18 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [03/03/2008 07:08 PM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter " []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"vqcluejs"="C:\ProgramData\vqcluejs\harajmvg.exe" [04/28/2008 07:33 AM]
"pywnqewy"="C:\Windows\system32\axyzmfup.exe" [04/25/2008 02:30 PM]
"vbeieiiz"="C:\ProgramData\vbeieiiz\afebujcr.exe" []
"ywrxcmqs"="C:\ProgramData\ywrxcmqs\tkzclmfu.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/11/2008 9:45:11 AM]
Snapfish Media Detector.lnk - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [3/2/2007 2:55:02 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-04-28 15:27:04 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6000)
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 3600+
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1405.94 MiB / 759.68 MiB
Pagefile Memory (total/avail): 3047.88 MiB / 2229.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.92 MiB

C: is Fixed (NTFS) - 140.67 GiB total, 92.44 GiB free.
D: is Fixed (NTFS) - 8.38 GiB total, 1.01 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC WD16 00JS-60NCB1 SCSI Disk Device - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 140.67 GiB - C:
\PARTITION1 - Installable File System - 8.38 GiB - D:

\\.\PHYSICALDRIVE2 - Generic- Compact Flash USB Device

\\.\PHYSICALDRIVE5 - Generic- MS/MS-Pro USB Device

\\.\PHYSICALDRIVE4 - Generic- SD/MMC USB Device

\\.\PHYSICALDRIVE3 - Generic- SM/xD-Picture USB Device

\\.\PHYSICALDRIVE1 - SD/MMC Card Reader USB Device - 1937.53 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1937.13 MiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1169 [VPS 080428-0] v4.8.1169 (ALWIL Software)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: avast! antivirus 4.8.1169 [VPS 080428-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Kristie\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KRISTIE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Kristie
KDS_LANGUAGE=13
LOCALAPPDATA=C:\Users\Kristie\AppData\Local
LOGONSERVER=\\KRISTIE-PC
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared;c:\Program Files\Common Files\Roxio Shared\DLLShared;c:\Program Files\Common Files\Roxio Shared\9.0\DLLShared;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Presario
PLATFORM=HPD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RoxioCentral=c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Kristie\AppData\Local\Temp
TMP=C:\Users\Kristie\AppData\Local\Temp
USERDOMAIN=Kristie-PC
USERNAME=Kristie
USERPROFILE=C:\Users\Kristie
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Kristie


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
--> "C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
--> "C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"
--> "C:\Program Files\HP Games\Cake Mania\Uninstall.exe"
--> "C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
--> "C:\Program Files\HP Games\Cue Master\Uninstall.exe"
--> "C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
--> "C:\Program Files\HP Games\Family Feud\Uninstall.exe"
--> "C:\Program Files\HP Games\FATE\Uninstall.exe"
--> "C:\Program Files\HP Games\Final Drive Nitro\Uninstall.exe"
--> "C:\Program Files\HP Games\Flip Words\Uninstall.exe"
--> "C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
--> "C:\Program Files\HP Games\JEOPARDY\Uninstall.exe"
--> "C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
--> "C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
--> "C:\Program Files\HP Games\Otto\Uninstall.exe"
--> "C:\Program Files\HP Games\Overball\Uninstall.exe"
--> "C:\Program Files\HP Games\Penguins!\Uninstall.exe"
--> "C:\Program Files\HP Games\Phoenix Assault\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
--> "C:\Program Files\HP Games\Polar Tubing\Uninstall.exe"
--> "C:\Program Files\HP Games\Ricochet Lost Worlds\Uninstall.exe"
--> "C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
--> "C:\Program Files\HP Games\Super Granny\Uninstall.exe"
--> "C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
--> "C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
--> "C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
aiofw --> MsiExec.exe /I{791E3D44-33D3-4446-82AD-5CD4B0169083}
aioocr --> MsiExec.exe /I{3BED0238-3A25-41AE-BC23-316914B5B048}
aioprnt --> MsiExec.exe /I{2A97D5B3-A989-47E1-B207-1CA9E3635655}
aioscnnr --> MsiExec.exe /I{C0251585-1BE8-4278-B3CB-964B6E01C59D}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
center --> MsiExec.exe /I{79E41D91-BA1C-44B9-9358-48E598263ECF}
Corel Paint Shop Pro Photo XI --> MsiExec.exe /I{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}
Digital Video --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4A71E27C-07D2-4CB8-ACA9-165242416758}\Setup.exe" -l0x9
DVD Play --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
Google Photos Screensaver --> MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hardware Diagnostic Tools --> C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Help_CTR --> MsiExec.exe /I{0996C331-6DCB-4E38-A3EC-0A77ABAE1361}
helptut --> MsiExec.exe /I{843081BD-351F-46FC-8A17-517A0D9117A3}
helpug --> MsiExec.exe /I{DC626A21-EDF1-40C7-8F2F-D2BA7535529F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Experience Enhancements --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Customer Feedback --> MsiExec.exe /I{9DBA770F-BF73-4D39-B1DF-6035D95268FC}
HP Easy Setup - Frontend --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP On-Screen Cap/Num/Scroll Lock Indicator --> C:\Windows\system32\OsdRemove.exe
HP Photosmart Essential 2.0 --> C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Total Care Advisor --> MsiExec.exe /X{2990BC81-3B19-4E53-A53E-30DE3F1BFFA8}
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KODAK All-in-One Printer Software --> C:\ProgramData\Kodak\EasyShareSetup\$SETUP_140002_1a16408\Setup.exe /APR-REMOVE
ksdip --> MsiExec.exe /I{73F1681F-ADE1-461F-9F18-B7640507D395}
LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Magic DVD Copier Version 4.7.1 build 8 --> "C:\Program Files\MagicDVDCopier\unins000.exe"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
muvee autoProducer 6.0 --> C:\Program Files\InstallShield Installation Information\{6AF49698-949A-4C89-9B31-041D2CCB5FBD}\setup.exe -runfromtemp -l0x0009 -removeonly
My HP Games --> "C:\Program Files\HP Games\Uninstall.exe"
netbrdg --> MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Python 2.4.3 --> MsiExec.exe /I{75E71ADD-042C-4F30-BFAC-A9EC42351313}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Rhapsody --> C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio Activation Module --> MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Roxio Creator Audio --> MsiExec.exe /X{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9 --> MsiExec.exe /X{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy --> MsiExec.exe /X{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data --> MsiExec.exe /X{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive --> MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools --> MsiExec.exe /X{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3 --> MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9 --> MsiExec.exe /X{938B1CD7-7C60-491E-AA90-1F1888168240}
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
Snapfish Media Detector --> MsiExec.exe /X{4EF6FDB0-3B11-4820-9860-8E08E9965195}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Ulead VideoStudio 8.0 SE DVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\Setup.exe" -l0x9
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
XVID Codec Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{534C6D59-D6E3-48A6-AD0B-747799019960}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type5181 / Success
Event Submitted/Written: 04/28/2008 03:14:00 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type5179 / Success
Event Submitted/Written: 04/28/2008 03:13:59 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type5177 / Success
Event Submitted/Written: 04/28/2008 03:13:48 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type5166 / Warning
Event Submitted/Written: 04/28/2008 03:12:32 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2483958015-494926966-1414417166-1000_Classes:
Process 916 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2483958015-494926966-1414417166-1000_CLASSES

Event Record #/Type5165 / Warning
Event Submitted/Written: 04/28/2008 03:12:32 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2483958015-494926966-1414417166-1000:
Process 916 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2483958015-494926966-1414417166-1000



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29906 / Warning
Event Submitted/Written: 04/28/2008 03:25:51 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Kristie-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Kristie-PC27 can't undo changes that you allow.

For more information please see the following:
%Kristie-PC275

Scan ID: {477134C1-6211-405A-8424-2B7EBD4763AE}

User: Kristie-PC\Kristie

Name: %Kristie-PC271

ID: %Kristie-PC272

Severity ID: %Kristie-PC273

Category ID: %Kristie-PC274

Path Found: %Kristie-PC276

Alert Type: %Kristie-PC278

Detection Type: 1.1.1505.02

Event Record #/Type29905 / Warning
Event Submitted/Written: 04/28/2008 03:25:51 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Kristie-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Kristie-PC27 can't undo changes that you allow.

For more information please see the following:
%Kristie-PC275

Scan ID: {988D681F-0CE8-482B-A0A8-9DD3BEC328F4}

User: Kristie-PC\Kristie

Name: %Kristie-PC271

ID: %Kristie-PC272

Severity ID: %Kristie-PC273

Category ID: %Kristie-PC274

Path Found: %Kristie-PC276

Alert Type: %Kristie-PC278

Detection Type: 1.1.1505.02

Event Record #/Type29904 / Warning
Event Submitted/Written: 04/28/2008 03:25:51 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Kristie-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Kristie-PC27 can't undo changes that you allow.

For more information please see the following:
%Kristie-PC275

Scan ID: {A5E34E91-66F0-4FCF-B142-2BEB8E9EB1D2}

User: Kristie-PC\Kristie

Name: %Kristie-PC271

ID: %Kristie-PC272

Severity ID: %Kristie-PC273

Category ID: %Kristie-PC274

Path Found: %Kristie-PC276

Alert Type: %Kristie-PC278

Detection Type: 1.1.1505.02

Event Record #/Type29903 / Warning
Event Submitted/Written: 04/28/2008 03:25:48 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Kristie-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Kristie-PC27 can't undo changes that you allow.

For more information please see the following:
%Kristie-PC275

Scan ID: {19013246-557B-4C7C-AD44-24DFE8784044}

User: Kristie-PC\Kristie

Name: %Kristie-PC271

ID: %Kristie-PC272

Severity ID: %Kristie-PC273

Category ID: %Kristie-PC274

Path Found: %Kristie-PC276

Alert Type: %Kristie-PC278

Detection Type: 1.1.1505.02

Event Record #/Type29902 / Warning
Event Submitted/Written: 04/28/2008 03:25:48 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Kristie-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Kristie-PC27 can't undo changes that you allow.

For more information please see the following:
%Kristie-PC275

Scan ID: {30944A78-D2FA-4DA0-8E1E-15095A16005D}

User: Kristie-PC\Kristie

Name: %Kristie-PC271

ID: %Kristie-PC272

Severity ID: %Kristie-PC273

Category ID: %Kristie-PC274

Path Found: %Kristie-PC276

Alert Type: %Kristie-PC278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-04-28 15:27:04 ------------
  • 0

#4
Essexboy
Posted 29 April 2008 - 11:30 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yep you sure are still infected - I just took out the ones I could see initially. Now it is time to get nasty with these critters :)

This will be a long fix so I would recommend copying this post to a text file for reference


One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



First I will secure your system

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

To begin cleaning

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [vqcluejs] C:\ProgramData\vqcluejs\harajmvg.exe
O4 - HKCU\..\Run: [pywnqewy] C:\Windows\system32\axyzmfup.exe
O4 - HKCU\..\Run: [vbeieiiz] C:\ProgramData\vbeieiiz\afebujcr.exe
O4 - HKCU\..\Run: [ywrxcmqs] C:\ProgramData\ywrxcmqs\tkzclmfu.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


NEXT

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\ProgramData\vqcluejs
C:\Windows\system32\axyzmfup.exe
C:\ProgramData\vbeieiiz
C:\ProgramData\ywrxcmqs
C:\Users\All Users\vqcluejs
C:\Users\All Users\wfyqysdr
C:\Users\All Users\cakocuoq
C:\Users\All Users\lmepphds
C:\Users\All Users\mzmghygo
C:\Windows\system32\winsystem.exe
C:\Windows\system32\vcatchpi.dll
C:\Windows\system32\temp#01.exe
C:\Windows\system32\taack.exe
C:\Windows\system32\taack.dat
C:\Windows\system32\sysreq.exe
C:\Windows\system32\ssvchost.exe
C:\Windows\system32\ssvchost.com
C:\Windows\system32\ssurf022.dll
C:\Windows\system32\sncntr.exe
C:\Windows\system32\regm64.dll
C:\Windows\system32\regc64.dll
C:\Windows\system32\psoft1.exe
C:\Windows\system32\psof1.exe
C:\Windows\system32\ps1.exe
C:\Windows\system32\newsd32.exe
C:\Windows\system32\netode.exe
C:\Windows\system32\mwin32.exe
C:\Windows\system32\mtr2.exe
C:\Windows\system32\msvchost.exe
C:\Windows\system32\mssecu.exe
C:\Windows\system32\msnbho.dll
C:\Windows\system32\msgp.exe
C:\Windows\system32\hxiwlgpm.exe
C:\Windows\system32\hxiwlgpm.dat
C:\Windows\system32\hoproxy.dll
C:\Windows\system32\dpcproxy.exe
C:\Windows\system32\bdn.com
C:\Windows\system32\awtoolb.dll
C:\Windows\system32\anticipator.dll
C:\Windows\system32\akttzn.exe
C:\Users\All Users\vsnitczg.dll
C:\Users\All Users\mdsncbkj
C:\Windows\system32\axyzmfup.exe
C:\Program Files\ffvfw
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.

Combofix when you run it on Vista may take up to two minutes to initialise

IMPORTANT

Prior to running Combofix Right Click the Avast Icon and select Program Settings
Then select Trouble shooting
Within the settings place a tick alongside Disable Avast self defence module
Click OK
Finally Right click the Avast Icon and select Stop on access protection


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix
  • 0

#5
kattzzmeow
Posted 29 April 2008 - 12:03 PM

kattzzmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Before I do all that. I realized that I didnt turn off that teatimer in spybot. So I did that and re-did what you told me to do.
I havent seen a pop up in about 12 hours. I did the hijack this scan and did not find any of the things you wanted me to delete.

i did update the java thing.

Should I wait? Send a new scan?
  • 0

#6
Essexboy
Posted 29 April 2008 - 12:21 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No continue with the OTMoveit fix as the files are probably still there then follow that with the combofix run :)
  • 0

#7
kattzzmeow
Posted 01 May 2008 - 09:25 AM

kattzzmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ComboFix 08-04-28.2 - Kristie 2008-05-01 8:17:41.10 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.900 [GMT -7:00]
Running from: C:\Users\Kristie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-05-01 03:01 . 2008-05-01 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-30 12:34 . 2008-04-30 12:34 <DIR> d-------- C:\Users\All Users\vsosdk
2008-04-30 12:34 . 2008-04-30 12:34 <DIR> d-------- C:\ProgramData\vsosdk
2008-04-29 22:25 . 2008-04-29 22:25 <DIR> d-------- C:\Program Files\Bonjour
2008-04-29 22:24 . 2008-04-29 22:24 <DIR> d-------- C:\Windows\Downloaded Installations
2008-04-29 22:24 . 2008-04-29 22:24 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-29 22:24 . 2008-04-29 22:24 1,409 --a------ C:\Windows\QTFont.for
2008-04-29 22:23 . 2008-04-29 22:23 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-04-29 22:23 . 2008-04-29 22:23 <DIR> d-------- C:\ProgramData\Apple Computer
2008-04-29 22:23 . 2008-04-29 22:24 <DIR> d-------- C:\Program Files\QuickTime
2008-04-29 22:22 . 2008-04-29 22:22 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-04-29 22:21 . 2008-04-29 22:21 <DIR> d-------- C:\Windows\System32\color
2008-04-29 22:21 . 2008-04-29 22:21 <DIR> d-------- C:\KPCMS
2008-04-29 10:55 . 2008-04-29 10:56 <DIR> d-------- C:\Program Files\Java
2008-04-29 10:55 . 2008-04-29 10:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-28 19:06 . 2008-04-28 19:06 <DIR> d-------- C:\Program Files\TouchStoneSoftware
2008-04-28 15:23 . 2008-04-28 15:23 <DIR> d-------- C:\Deckard
2008-04-28 15:11 . 2008-04-28 15:11 <DIR> d-------- C:\_OTMoveIt
2008-04-26 11:55 . 2008-04-26 12:03 <DIR> d-------- C:\Program Files\Panda Security
2008-04-26 10:02 . 2008-04-26 10:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-26 00:32 . 2008-04-26 00:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 23:51 . 2008-04-25 23:51 <DIR> d-------- C:\Program Files\CCleaner
2008-04-25 23:01 . 2008-04-25 23:01 <DIR> d-------- C:\VundoFix Backups
2008-04-25 21:02 . 2008-04-25 21:45 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-25 21:02 . 2008-04-25 21:45 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-25 21:02 . 2008-04-25 21:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-25 14:30 . 2008-04-25 14:30 126,976 --a------ C:\Users\All Users\vsnitczg.dll
2008-04-25 14:30 . 2008-04-25 14:30 126,976 --a------ C:\ProgramData\vsnitczg.dll
2008-04-25 14:30 . 2008-04-25 14:30 4,096 --a------ C:\Windows\System32\WINWGPX.EXE
2008-04-25 14:30 . 2008-04-25 14:30 4,096 --a------ C:\Windows\System32\winlogonpc.exe
2008-04-25 14:30 . 2008-04-25 14:30 4,096 --a------ C:\Windows\System32\VBIEWER.OCX
2008-04-25 14:30 . 2008-04-25 14:30 4,096 --a------ C:\Windows\System32\Rundl1.exe
2008-04-09 08:52 . 2008-02-14 16:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 08:52 . 2008-02-18 22:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 08:52 . 2008-02-28 23:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 08:52 . 2008-02-28 23:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 08:52 . 2008-02-28 23:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 08:52 . 2008-02-28 23:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 08:52 . 2008-02-28 23:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 08:52 . 2008-02-28 23:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 08:52 . 2008-02-28 23:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-05 20:46 . 2008-04-05 20:47 <DIR> d-------- C:\Users\Kristie\AppData\Roaming\Roxio
2008-04-01 19:54 . 2008-04-01 19:54 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 10:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-30 23:06 --------- d-----w C:\Program Files\MagicDVDCopier
2008-04-30 05:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 05:22 --------- d-----w C:\Program Files\Kodak
2008-04-29 02:06 --------- d---a-w C:\ProgramData\TEMP
2008-04-29 01:16 --------- d-----w C:\Users\Kristie\AppData\Roaming\LimeWire
2008-04-29 00:32 --------- d-----w C:\Program Files\Real
2008-04-29 00:32 --------- d-----w C:\Program Files\Picasa2
2008-04-29 00:32 --------- d-----w C:\Program Files\Common Files\Real
2008-04-26 16:53 --------- d-----w C:\Program Files\Yahoo!
2008-04-26 16:53 --------- d-----w C:\Program Files\Google
2008-04-26 07:27 --------- d-----w C:\ProgramData\WinZip
2008-04-14 05:46 --------- d-----w C:\Users\Kristie\AppData\Roaming\Corel
2008-04-14 05:22 1,682 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-04-14 02:36 --------- d-----w C:\Program Files\Rhapsody
2008-04-09 21:11 --------- d-----w C:\Program Files\Windows Mail
2008-04-04 22:09 --------- d-----w C:\Program Files\World of Warcraft
2008-03-29 18:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-23 19:37 --------- d-----w C:\ProgramData\kds_kodak
2008-03-20 21:16 --------- d-----w C:\ProgramData\Lavasoft
2008-03-20 21:15 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 21:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 19:35 --------- d-----w C:\Program Files\Corel
2008-03-12 01:25 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-03-12 01:25 --------- d-----w C:\Program Files\Realtek
2008-03-12 01:22 --------- d-----w C:\ProgramData\CyberLink
2008-03-12 01:21 --------- d-----w C:\Program Files\HP
2008-03-12 01:05 --------- d-----w C:\Users\Kristie\AppData\Roaming\WinBatch
2008-03-11 16:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-07 04:50 --------- d-----w C:\ProgramData\Corel
2008-03-07 04:50 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-07 04:44 --------- d-----w C:\ProgramData\Kodak
2008-03-07 04:42 --------- d-----w C:\ProgramData\Eastman Kodak Company
2008-03-06 16:47 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-03-06 16:45 --------- d-----w C:\ProgramData\NVIDIA
2008-03-06 16:35 --------- d-----w C:\Users\Kristie\AppData\Roaming\Ideazon
2008-03-06 16:33 --------- d-----w C:\Program Files\Ideazon
2008-03-06 00:31 --------- d-----w C:\Users\Kristie\AppData\Roaming\muvee Technologies
2008-03-05 05:14 --------- d-----w C:\ProgramData\WildTangent
2008-03-05 05:13 --------- d-----w C:\Users\Kristie\AppData\Roaming\WildTangent
2008-03-05 02:26 --------- d-----w C:\Program Files\ffvfw
2008-03-05 00:59 --------- d-----w C:\ProgramData\Sonic
2008-03-05 00:58 --------- d-----w C:\Users\Kristie\AppData\Roaming\Ulead Systems
2008-03-05 00:58 --------- d-----w C:\ProgramData\Ulead Systems
2008-03-05 00:50 --------- d-----w C:\Program Files\Windows Media Components
2008-03-05 00:49 --------- d-----w C:\Program Files\Ulead Systems
2008-03-05 00:49 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-05 00:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-04 03:23 --------- d-----w C:\Program Files\Alwil Software
2008-03-04 03:09 174 --sha-w C:\Program Files\desktop.ini
2008-03-04 03:05 --------- d-----w C:\Program Files\Windows Calendar
2008-03-04 03:04 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-04 03:04 --------- d-----w C:\Program Files\Windows Defender
2008-03-04 03:03 --------- d-----w C:\ProgramData\Symantec
2008-03-04 02:53 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-03-04 02:51 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-03-04 02:51 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-03-04 02:51 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-03-04 02:49 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-03-04 02:49 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-03-04 02:49 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-03-04 02:48 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-03-04 02:48 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-03-04 02:48 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-03-04 02:48 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-03-04 02:48 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-03-04 02:48 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-03-04 02:48 2,923,520 ----a-w C:\Windows\explorer.exe
2008-03-04 02:47 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-03-04 02:47 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-03-04 02:45 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-03-04 02:45 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-03-04 02:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-04 02:29 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-03-04 02:29 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-03-04 02:29 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-03-04 02:29 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-03-04 02:28 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-03-04 02:28 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-03-04 02:28 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-03-04 02:28 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-03-04 02:28 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-03-04 02:28 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-03-04 02:28 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-03-04 02:28 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-03-04 02:28 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-03-04 02:24 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-03-04 02:24 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-03-04 02:24 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-03-04 02:24 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-03-04 02:24 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-03-04 02:24 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-03-04 02:24 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-03-04 02:24 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-03-04 02:23 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-03-04 02:23 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-03-04 02:18 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-03-04 02:18 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-03-04 02:18 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-03-04 02:18 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-29_19.58.46.91 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 02:07:03 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-01 15:16:24 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2006-10-27 22:07:36 17,891,112 ----a-r C:\Windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\EXCEL.EXE
+ 2006-10-27 04:13:08 14,674,216 ----a-r C:\Windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\XL12CNV.EXE
+ 2006-10-27 04:17:08 11,072 ----a-r C:\Windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\XLCALL32.DLL
- 2007-05-10 19:07:35 20,240 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-01 10:03:16 20,240 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-05-10 19:07:35 184,080 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-01 10:03:15 184,080 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2007-05-10 19:07:35 217,864 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-01 10:03:16 217,864 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2007-05-10 19:07:35 18,704 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-01 10:03:16 18,704 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-05-10 19:07:35 35,088 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-01 10:03:16 35,088 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-05-10 19:07:35 922,384 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-01 10:03:16 922,384 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2007-05-10 19:07:35 888,080 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-01 10:03:16 888,080 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-05-10 19:07:35 1,172,240 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-01 10:03:15 1,172,240 ----a-r C:\Windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-04-30 05:24:28 22,486 ----a-r C:\Windows\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\ARPPRODUCTICON.exe
+ 2008-04-30 05:24:28 22,486 ----a-r C:\Windows\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\PictureViewer_ico.exe
+ 2008-04-30 05:24:28 22,486 ----a-r C:\Windows\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\QuickTimePlayer_ico.exe
+ 2008-04-30 05:24:28 22,486 ----a-r C:\Windows\Installer\{929408E6-D265-4174-805F-81D1D914E2A4}\QuickTimeUninstaller_ico.exe
+ 2008-04-30 05:20:38 65,536 ----a-r C:\Windows\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\EasyShareDesktopShortcut.exe
+ 2008-04-30 05:20:38 180,224 ----a-r C:\Windows\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\EasyShareStartMenu.exe
+ 2008-04-30 05:20:38 180,224 ----a-r C:\Windows\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\EasyShareStartupShortcut.exe
+ 2008-04-30 05:25:30 10,342 ----a-r C:\Windows\Installer\{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D}\ARPPRODUCTICON.exe
+ 2008-04-30 05:22:17 45,056 ----a-r C:\Windows\Installer\{FCDB1C92-03C6-4C76-8625-371224256091}\PdockShortcut4.exe
+ 2008-04-30 05:22:17 135,168 ----a-r C:\Windows\Installer\{FCDB1C92-03C6-4C76-8625-371224256091}\PdockShortcut5.exe
- 2008-04-29 17:06:32 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-30 03:03:45 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-29 17:06:32 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-04-30 03:03:45 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-04-30 02:25:35 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-05-01 14:27:13 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-29 17:17:10 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-30 03:14:29 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-30 02:54:56 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-05-01 14:27:48 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-29 17:17:05 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-30 03:14:24 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2006-03-29 22:54:06 688,920 ----a-w C:\Windows\System32\color\Pcdoidx.dat
- 2008-04-30 02:43:10 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-01 14:27:05 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-30 02:43:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 14:27:05 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-30 02:43:10 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-01 14:27:05 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2005-11-28 19:10:30 61,440 ----a-w C:\Windows\System32\dns-sd.exe
+ 2005-11-28 19:10:18 53,248 ----a-w C:\Windows\System32\dnssd.dll
- 2007-02-02 10:00:00 9,336 ----a-w C:\Windows\System32\drivers\cdr4_xp.sys
+ 2005-11-03 10:00:00 2,432 ----a-w C:\Windows\System32\drivers\cdr4_xp.sys
- 2007-02-02 10:00:00 9,464 ----a-w C:\Windows\System32\drivers\cdralw2k.sys
+ 2005-11-03 10:00:00 2,560 ----a-w C:\Windows\System32\drivers\cdralw2k.sys
+ 2005-11-28 19:10:28 53,248 ----a-w C:\Windows\System32\jdns_sd.dll
+ 2000-04-14 21:23:52 19,456 ----a-w C:\Windows\System32\kcm2sp.dll
+ 2000-09-09 00:53:50 73,839 ----a-w C:\Windows\System32\KodakOneTouch.dll
+ 2000-04-14 21:23:56 197,632 ----a-w C:\Windows\System32\kpcp32.dll
+ 2000-04-14 21:23:56 37,376 ----a-w C:\Windows\System32\kpsys32.dll
- 2008-04-29 18:14:40 107,508 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-30 03:08:14 107,508 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-29 18:14:40 626,738 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-30 03:08:14 626,738 ----a-w C:\Windows\System32\perfh009.dat
+ 2001-07-18 23:25:46 86,016 ----a-w C:\Windows\System32\PrintAPI.dll
- 2007-02-06 23:04:04 158,456 ------w C:\Windows\System32\pxwma.dll
+ 2006-02-06 17:38:22 151,552 ----a-w C:\Windows\System32\pxwma.dll
+ 2000-04-14 21:24:56 133,120 ----a-w C:\Windows\System32\sprof32.dll
- 2008-04-29 17:26:54 6,796 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2483958015-494926966-1414417166-1000_UserData.bin
+ 2008-04-30 03:26:03 6,796 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2483958015-494926966-1414417166-1000_UserData.bin
- 2008-04-29 17:26:53 49,944 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-30 03:26:02 49,952 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-29 17:26:53 33,408 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-30 03:26:01 33,448 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-03 19:08 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 05:34 2159104 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-03-03 19:36 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 06:42 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 03:59 118784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-02-10 17:18 90192]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-02-10 17:18 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-02-10 17:18 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 11:26 4874240 C:\Windows\RtHDVCpl.exe]
"SnapfishMediaDetector"="C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 14:55 1441792]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 14:48 479232]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 11:37 79224]
"EKIJ5000StatusMonitor"="C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 11:00 1052672]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"DPService"="C:\Program Files\HP\DVDPlay\DPService.exe" [2007-12-18 13:18 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-29 22:24 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 18:23 443968]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-11 09:45:11 113664]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 04:29:26 180224]
Snapfish Media Detector.lnk - C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-03-02 14:55:02 1441792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm "= mpegacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A38BFD50-6D38-4631-B38E-E0E65CE16D35}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5F492DF9-3E76-42E6-973A-8083AE42F792}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C39C9369-DF78-4BA3-B71E-AAEBCCC33157}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E6281A08-83AE-4E62-8A1A-2C189B8D1BE7}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{21C042E9-8F4D-4046-980E-4F45283AC8F2}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{61D8597E-437D-43DD-89CC-62F487F13081}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{CFE6DE30-FE46-4C60-B0B7-09C12C3214F0}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B82921CB-E57D-4E9E-AADF-71E261A9A6FC}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{ED162284-9E45-431F-96D5-945BB9315047}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{8EBB99EE-665D-4C22-8679-1D176B67478D}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{B0371A73-5DD1-45B9-AD7C-708E1E68C10F}"= UDP:C:\Program Files\World of Warcraft\WoW-2.3.0-enUS-downloader.exe:Blizzard Downloader
"TCP Query User{BCC20F1E-B350-485A-8228-0F6C272BBDC8}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{B0353B26-E350-4DE4-83DE-DCFF67C54BDC}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{321E5DF4-6E65-41C0-8152-7DF4BBA55FA5}C:\\users\\kristie\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\kristie\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{759E2FF5-35CD-4DE7-B075-487A263972AF}C:\\users\\kristie\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\kristie\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"{27750BEC-CF82-4905-89BB-EF13390B9FCD}"= UDP:3724:wow
"{93259215-97E0-4E38-9C84-B118857F5DF5}"= UDP:8086:wow
"{55DB1AAF-8CE1-4D34-8504-38A54E4CF4B1}"= UDP:8087:wow
"{37A6C067-3783-4995-8AC6-3C816FF05C1F}"= UDP:9081:wow
"{C27F6351-AC10-4625-9CD9-6F3E172D6CCC}"= UDP:9097:wow
"{69541D36-BD91-4939-8035-9BB7C1A0B1BC}"= UDP:9100:wow
"{EB18B763-DDD3-49BB-93F5-5EB96BCD2B86}"= UDP:6112:wow
"{56AFD9F9-D2A9-4A95-AEC2-6EF635DB4DF6}"= UDP:6881:wow
"{6065474A-89BD-4C06-BB17-2B750256BC3C}"= UDP:6882:wow
"{4143F283-B187-4542-92EC-653C963BDD3E}"= UDP:6883:wow
"{C3A1C5AD-0964-4B1F-93F7-A767965FE2AD}"= UDP:6884:wow
"{76B9D867-21D4-4513-9EBC-42E62EB92372}"= UDP:6885:wow
"{75A41E72-A497-41C1-A735-C7128EE8D7B5}"= UDP:6886:wow
"{8575B570-6478-4059-BFC3-183C8F6AB53D}"= UDP:6887:wow
"{D650917A-41A8-438F-8A4D-8F2F2CC1E098}"= UDP:6888:wow
"{0BEC456F-BDEB-4E04-A676-AA93675EE743}"= UDP:6889:wow
"{E49AF44F-1DE8-4C69-A996-4F869CE9F181}"= UDP:6890:wow
"{59E037E9-17F6-4E7E-81CC-FFC6BD28A263}"= UDP:6891:wow
"{7C089BB5-1D1C-4991-A177-90629F8E9EFF}"= UDP:6892:wow
"{13292E02-86FC-40F7-B21A-167B6ABB288C}"= UDP:6893:wow
"{EB08F1E3-3438-43C1-A20E-9D283A339610}"= UDP:6894:wow
"{B827E417-BADB-47F4-AEA4-82B7BEC3408E}"= UDP:6895:wow
"{D14DD265-CB56-4CE0-92A9-A26742DBEA4E}"= UDP:6896:wow
"{B6BDCEC6-AA26-42C7-8703-D2315CFE7535}"= UDP:6897:wow
"{463EC729-8C84-4500-9711-5A175F9192DF}"= UDP:6898:wow
"{C198B22B-0F42-4F83-8982-0FADB5F6D22C}"= UDP:6899:wow
"{551DD8D3-FCB7-4152-9D8C-4D85D2481F03}"= C:\Program Files\HP\DVDPlay\DVDPlay.exe:DVD Play
"{FECEC778-2362-4B20-9F7C-016BB3B6E3B8}"= C:\Program Files\HP\DVDPlay\DPService.exe:DVD Play Resident Program
"TCP Query User{9E4BA6E5-9554-4865-828A-140FBBEFBEB3}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{EF2FA284-009B-4409-8C8F-970C28144624}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{6F58D44A-78F2-40D0-91B0-90FA505C326D}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{FCF90614-C258-4F03-B3A0-73BAFCE5C4CB}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 11:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 11:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 11:32]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-12-13 12:07]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-08-07 14:26]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
S3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\Windows\system32\DRIVERS\Alpham.sys [2005-12-04 14:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 03:33:12 C:\Windows\Tasks\EasyShare Registration Task.job"

s
À €!Ø.!
\- C:\Windows\system32\rundll32.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 08:21:13
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-01 8:22:29
ComboFix-quarantined-files.txt 2008-05-01 15:22:11
ComboFix2.txt 2008-04-30 02:59:07
ComboFix3.txt 2008-04-28 23:55:10
ComboFix4.txt 2008-04-28 02:38:24
ComboFix5.txt 2008-04-27 17:47:55

Pre-Run: 98,832,109,568 bytes free
Post-Run: 98,841,251,840 bytes free

363 --- E O F --- 2008-05-01 10:03:28




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:54 AM, on 5/1/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SnapfishMediaDetector] C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8010 bytes
  • 0

#8
Essexboy
Posted 01 May 2008 - 01:47 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Okey Dokey that looks a bit better - lets kill another file and run a malware scanner

  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\System32\Rundl1.exe
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : OTMoveit and MBAM plus how is your computer now ?
  • 0

#9
kattzzmeow
Posted 01 May 2008 - 03:31 PM

kattzzmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
File/Folder C:\Windows\System32\Rundl1.exe not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05012008_142152


alwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 27912
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.



Thanks again for all of your help! I really appreciate it!
  • 0

#10
Essexboy
Posted 01 May 2008 - 03:34 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK then that picked up a few extras - but nothing major.. Subject to there being no further problems

Now the best part of the day ----- Your log now appears clean :)

Double click OTMoveIt2 once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt2 wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#11
kattzzmeow
Posted 01 May 2008 - 04:57 PM

kattzzmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok everything seems great!
I have one question that is probably simple but I dont know it...
Somehow my clock has been switched to government time? Where its 15:57 instead of 3:57
How do I switch it back? LOL
  • 0

#12
kattzzmeow
Posted 01 May 2008 - 05:07 PM

kattzzmeow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Oh I figured it out!!!!
Ok All is good!
THANKS so much!
  • 0

#13
Essexboy
Posted 02 May 2008 - 09:31 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP