
Checking if Virtumonde/Vundo Infection is Gone [CLOSED]


#1 Alanpfds (New Member, 3 posts)
I recently used ComboFix to clean a bad Vundo/Virtumonde infection. Below is a log file from HijackThis. Is it possible for someone to take a quick look at it to ensure that all malware has been successfully removed? Many thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:13 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198525903984
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://vpn-portal.v...ble/iewiper.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: khfFVOif - khfFVOif.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 10354 bytes

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Did you uninstall Eset lately?

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O20 - Winlogon Notify: khfFVOif - khfFVOif.dll (file missing)

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

rem Stop the two leftover ESET services (an error here is expected if they are not running)
sc stop EHttpSrv
sc stop ekrn
rem Remove their service registrations, which still point at files that no longer exist
sc delete EHttpSrv
sc delete ekrn
rem Remove this batch file itself as the last step
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Restart and run a new HijackThis scan. Save the log file and post it here.

Post your Combofix log here also (C:\Combofix.txt).
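
The check greyknight17 makes above, reading the HJT log for entries whose file no longer exists and turning the orphaned services into sc commands, as a small parser. This is an added example and is not code from this thread, from HijackThis or from ComboFix; the sample input is a subset of the log posted in #1, and the function names (triage, orphaned_services, hjt_fix_lines, sc_cleanup_commands) are my own. A Winlogon Notify key whose DLL is gone is the registry remnant left behind once the payload was deleted, which is why the O20 line is something to fix by hand rather than something a file scanner would catch.

```python
"""Triage a HijackThis v2 log for entries whose target file is already gone.

Added example; not code from this thread or from HijackThis. After a cleanup,
the malicious DLL or service binary is often deleted while its registry
entry or service registration stays behind. HijackThis marks such entries
"(file missing)" or "(no file)"; this parser pulls them out so they can be
fixed in HJT or removed with sc.exe, which is the check made in post #2.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code kind name detail")

# Constructed sample input: a subset of the HJT log posted in #1 above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: khfFVOif - khfFVOif.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\ekrn.exe (file missing)
"""

# HJT line shape: "<code> - <body>", with per-section body formats below.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O23: "Service: Display Name (shortname) - Owner - Path"; HJT omits the
# "(shortname)" part when it equals the display name.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# O20 Winlogon Notify: "Winlogon Notify: <subkey> - <dll>[ (file missing)]"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")
# O3: "Toolbar: <name> - {CLSID} - <path or (no file)>"
TOOLBAR_RE = re.compile(r"^Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


def is_missing(text):
    """True when HJT could not find the file an entry points at."""
    return text.rstrip().endswith(MISSING_MARKERS)


def triage(log_text):
    """Return Findings for O3/O20/O23 entries whose target file is gone."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O23":
            s = SERVICE_RE.match(body)
            if s and is_missing(s.group("path")):
                findings.append(Finding(code, "service", s.group("short") or s.group("display"), s.group("path")))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            n = NOTIFY_RE.match(body)
            if n:
                # Every Winlogon Notify DLL deserves a look (winlogon.exe loads it);
                # one whose DLL is gone is a pure registry remnant and safe to fix.
                kind = "winlogon-notify-missing" if is_missing(n.group("rest")) else "winlogon-notify"
                findings.append(Finding(code, kind, n.group("name"), n.group("dll")))
        elif code == "O3":
            t = TOOLBAR_RE.match(body)
            if t and is_missing(t.group("path")):
                findings.append(Finding(code, "toolbar", t.group("clsid"), t.group("path")))
    return findings


def hjt_fix_lines(log_text):
    """The log lines to tick in HijackThis before pressing 'Fix Checked'."""
    return [line.strip() for line in log_text.splitlines()
            if (line.startswith("O20 - Winlogon Notify:") or line.startswith("O3 - "))
            and is_missing(line)]


def orphaned_services(log_text):
    """Short names of services whose binary is gone; these are what sc.exe needs."""
    return [f.name for f in triage(log_text) if f.kind == "service"]


def sc_cleanup_commands(short_names):
    """Batch lines in the shape of the delete.bat above, built from the parsed names."""
    return [f"sc stop {n}" for n in short_names] + [f"sc delete {n}" for n in short_names]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.kind:<24} {f.name:<40} {f.detail}")
    print("\n".join(sc_cleanup_commands(orphaned_services(SAMPLE_LOG))))
```

Run as-is it reports four entries: the O20 Winlogon Notify remnant, the two ESET services and the "(no name)" toolbar with "(no file)", which is the same kind of empty leftover even though it was not on the fix list above. Entries whose file is present are left alone; the parser only surfaces what a file scanner can no longer see.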

#3 Alanpfds (Topic Starter, New Member, 3 posts)
Thanks.

Here's the new HJT log with Combofix.txt below it...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:49 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ClipCache\clipc.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PDF-XChange Viewer IE-Plugin - {C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F} - C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: UltraEdit Toolbar - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - C:\PROGRA~1\UE_TOO~1\UE_TOO~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1198525903984
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://vpn-portal.v...ble/iewiper.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 10245 bytes


ComboFix 08-05-01.3 - DEFAULT 2008-05-02 19:26:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.400 [GMT -4:00]
Running from: C:\Documents and Settings\DEFAULT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DEFAULT\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\amsixmpq.dll
C:\WINDOWS\system32\auiqpqqx.dll
C:\WINDOWS\system32\awdrhgyg.dll
C:\WINDOWS\system32\bkmvxklo.ini
C:\WINDOWS\system32\dgolyxme.ini
C:\WINDOWS\system32\dmsgrgjg.dll
C:\WINDOWS\system32\elvwrgxv.dll
C:\WINDOWS\system32\fbdeohey.dll
C:\WINDOWS\system32\fgdfubnc.ini
C:\WINDOWS\system32\fxlqvyro.dll
C:\WINDOWS\system32\hxyftsgm.ini
C:\WINDOWS\system32\ihfxfsae.ini
C:\WINDOWS\system32\jkwluter.dll
C:\WINDOWS\system32\kywxjtnw.dll
C:\WINDOWS\system32\ljwnjneq.dll
C:\WINDOWS\system32\mjiguxog.dll
C:\WINDOWS\system32\nekopugx.ini
C:\WINDOWS\system32\nfkkvnrk.dll
C:\WINDOWS\system32\ocfsterp.dll
C:\WINDOWS\system32\pabsevqg.dll
C:\WINDOWS\system32\pceqnomn.dll
C:\WINDOWS\system32\ppieqvyo.dll
C:\WINDOWS\system32\PVCccccf.ini
C:\WINDOWS\system32\PVCccccf.ini2
C:\WINDOWS\system32\qenjnwjl.ini
C:\WINDOWS\system32\qrgkmtyg.ini
C:\WINDOWS\system32\retulwkj.ini2
C:\WINDOWS\system32\retulwkj.tmp
C:\WINDOWS\system32\SuBHNUtv.ini
C:\WINDOWS\system32\SuBHNUtv.ini2
C:\WINDOWS\system32\trjvsjhh.dll
C:\WINDOWS\system32\vekplxxe.dll
C:\WINDOWS\system32\vtUNHBuS.dll
C:\WINDOWS\system32\wihvthxg.dll
C:\WINDOWS\system32\wnncrddc.dll
C:\WINDOWS\system32\xgupoken.dll
C:\WINDOWS\system32\xtjpaeav.dll
C:\WINDOWS\system32\yehoedbf.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-29 13:53 . 2008-04-29 13:53 <DIR> d-------- C:\Documents and Settings\Annie\Application Data\SiteAdvisor
2008-04-27 22:11 . 2008-04-27 22:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-27 22:00 . 2008-04-27 22:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-27 21:38 . 2008-05-02 19:38 11,085 --a------ C:\WINDOWS\system32\Config.MPF
2008-04-27 21:37 . 2008-04-30 23:29 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-04-27 21:37 . 2008-04-27 21:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-04-27 21:37 . 2008-04-28 02:22 <DIR> d-------- C:\Documents and Settings\DEFAULT\Application Data\SiteAdvisor
2008-04-27 21:34 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-04-27 21:32 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-04-27 21:31 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-04-27 21:31 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-04-27 21:31 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-04-27 21:31 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-04-27 21:31 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-04-27 21:30 . 2008-04-27 21:30 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-27 21:29 . 2008-04-30 05:46 <DIR> d-------- C:\Program Files\McAfee
2008-04-27 21:29 . 2008-04-27 21:31 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-27 19:20 . 2008-04-27 19:21 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\AVG7
2008-04-27 12:58 . 2008-04-27 12:58 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-27 11:31 . 2008-04-27 11:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-27 11:31 . 2008-04-27 11:54 <DIR> d-------- C:\Documents and Settings\DEFAULT\Application Data\AVG7
2008-04-27 10:57 . 2008-04-27 11:00 211 --a------ C:\WINDOWS\wininit.ini
2008-04-27 10:10 . 2008-04-27 10:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 10:10 . 2008-04-27 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 08:53 . 2008-04-27 22:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 08:53 . 2008-04-27 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 08:27 . 2008-04-27 08:27 94,784 --a------ C:\WINDOWS\system32\mgstfyxh.dll_old
2008-04-27 08:25 . 2008-05-02 19:13 109,747 --a------ C:\WINDOWS\BM2ba72237.xml
2008-04-25 20:11 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-04-25 20:11 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-04-25 20:11 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-04-25 20:11 . 2007-05-31 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-04-25 20:11 . 2007-05-31 19:29 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-04-25 20:10 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-25 20:10 . 2008-04-25 20:10 319 --a------ C:\WINDOWS\game.ini
2008-04-25 19:56 . 2008-04-25 19:56 <DIR> d-------- C:\Program Files\Activision
2008-04-20 11:54 . 2008-04-20 11:55 <DIR> d-------- C:\Program Files\NoteBurner
2008-04-20 11:54 . 2007-05-16 11:42 13,440 --a------ C:\WINDOWS\system32\drivers\ntcdrdrv.sys
2008-04-20 08:16 . 2008-04-20 08:16 <DIR> d-------- C:\Psfonts
2008-04-20 08:16 . 2008-04-20 08:16 <DIR> d-------- C:\Program Files\Finale Viewer
2008-04-20 08:16 . 2008-04-20 08:16 631 --a------ C:\WINDOWS\winiini.fin
2008-04-17 06:45 . 2008-05-02 19:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 06:45 . 2008-04-17 06:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 06:31 . 2008-04-17 06:31 <DIR> d-------- C:\Program Files\Roni Music
2008-04-15 18:31 . 2008-04-15 18:31 670 --a------ C:\WINDOWS\eReg.dat
2008-04-13 03:17 . 2008-04-13 03:17 <DIR> dr-h----- C:\Documents and Settings\Jamie\Application Data\SecuROM
2008-04-12 20:19 . 2008-04-27 19:23 <DIR> d-------- C:\Program Files\Steam
2008-04-12 02:50 . 2008-04-12 02:50 <DIR> d-------- C:\Program Files\OpenAL
2008-04-12 02:46 . 2008-04-12 02:46 <DIR> d-------- C:\Program Files\Atari
2008-04-08 21:08 . 2008-04-09 23:32 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-08 06:33 . 2008-04-09 23:30 <DIR> d-------- C:\Program Files\GNU
2008-04-07 18:59 . 2008-04-07 18:59 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-02 20:49 . 2008-04-20 10:40 <DIR> d-------- C:\Program Files\Mp3tag
2008-04-02 20:49 . 2008-04-02 20:54 <DIR> d-------- C:\Documents and Settings\DEFAULT\Application Data\Mp3tag
2008-04-02 20:17 . 2008-04-02 20:17 <DIR> d-------- C:\Program Files\Safari
2008-04-02 20:16 . 2008-04-02 20:16 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 23:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-28 02:56 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-28 02:33 --------- d-----w C:\Program Files\ESET
2008-04-28 01:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-28 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-27 14:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 13:27 --------- d-----w C:\Documents and Settings\DEFAULT\Application Data\LimeWire
2008-04-19 17:38 --------- d-----w C:\Documents and Settings\Jamie\Application Data\LimeWire
2008-04-15 22:24 --------- d-----w C:\Program Files\EA GAMES
2008-04-14 01:16 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-13 13:57 --------- d-----w C:\Program Files\Password Safe
2008-04-11 10:26 --------- d-----w C:\Program Files\Google
2008-04-10 03:32 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-04-05 14:10 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-03 00:16 --------- d-----w C:\Program Files\iTunes
2008-04-03 00:13 --------- d-----w C:\Program Files\QuickTime
2008-03-30 17:24 --------- d-----w C:\Program Files\Suntelia
2008-03-30 17:24 --------- d-----w C:\Program Files\SoundNet
2008-03-30 13:39 --------- d-----w C:\Program Files\LimeWire
2008-03-24 19:28 --------- d-----w C:\Program Files\hp deskjet 930c series
2008-03-24 19:28 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-24 19:26 --------- d-----w C:\Program Files\Hp
2008-03-16 15:08 --------- d-----w C:\Program Files\7-Zip
2008-03-16 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-13 20:52 71,176 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-03-13 20:52 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-03-13 20:52 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-03-13 20:44 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-03-13 20:43 40,456 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-03-10 19:07 --------- d-----w C:\Program Files\OGPlanet
2008-03-07 11:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-03-07 04:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-06 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-05 11:35 --------- d-----w C:\Program Files\Java
2008-03-03 23:17 --------- d-----w C:\Documents and Settings\Annie\Application Data\Symantec
2008-03-02 16:00 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Symantec
2008-03-02 13:19 --------- d-----w C:\Program Files\4shared Uploader
2008-03-02 13:19 --------- d-----w C:\Documents and Settings\DEFAULT\Application Data\4shared Uploader
2008-03-02 12:43 --------- d-----w C:\Program Files\MP3 Splitter & Joiner Pro
2005-10-28 22:28 0 ----a-w C:\Documents and Settings\DEFAULT\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]
2008-01-12 12:38 1198592 --a------ C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-24 16:07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 11:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 11:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 11:10 114688]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-10 18:36 8740864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 03:46 196608]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 18:30 45632]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 09:56 236016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-16 08:49 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 20:36 196608]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [ ]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [2008-02-25 11:01 4345856]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 17:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-12-24 23:44:47 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFVOif]
khfFVOif.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Annie^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\Annie\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DEFAULT^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\DEFAULT\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"C:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Atari\\ArmA\\arma.exe"=
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 11:42]
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 15:05]
R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 15:05]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-17 23:51]
S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-16 08:49]
S3 se3ebus;Sony Ericsson Device 062 (WDM);C:\WINDOWS\system32\DRIVERS\se3ebus.sys [2006-09-19 13:42]
S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se3emdfl.sys [2006-09-19 13:42]
S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se3emdm.sys [2006-09-19 13:43]
S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se3emgmt.sys [2006-09-19 13:43]
S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se3eobex.sys [2006-09-19 13:44]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S3 z520bus;Sony Ericsson 520 driver (WDM);C:\WINDOWS\system32\DRIVERS\z520bus.sys [2005-07-26 12:13]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z520mdfl.sys [2005-07-26 12:15]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\z520mdm.sys [2005-07-26 12:15]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\z520mgmt.sys [2005-07-26 12:16]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\z520obex.sys [2005-07-26 12:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ddfdda5-bd79-11dc-b0c6-001320cb8803}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0509276-47d1-11da-a0b9-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd060249-5b1b-11da-a9ea-806d6172696f}]
\Shell\AutoRun\command - D:\install.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 00:02:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-28 01:30:52 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 05:02:34 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 19:38:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 8

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-02 19:47:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 23:47:09

Pre-Run: 151,592,345,600 bytes free
Post-Run: 152,677,785,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

339 --- E O F --- 2008-04-08 18:15:11


Note that since Combofix ran, I have removed McAfee and installed Kaspersky, which is why you still see references to McAfee in combofix.txt

Many thanks.
  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you uninstall Eset/NOD32 yet? If not, uninstall it now. There are still some remnants left behind if you uninstalled it. Same applies to AVG Antivirus. Did you have this installed before? Since you have Kaspersky Antivirus installed, make sure you uninstalled that also.

Open up C:\WINDOWS\wininit.ini in notepad and copy/paste the contents of that file here. Then delete all the contents in that file and copy/paste the below two lines into it and save it:

[rename]
nul=

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\mgstfyxh.dll_old
C:\WINDOWS\BM2ba72237.xml
C:\WINDOWS\winiini.fin
C:\WINDOWS\system32\drivers\epfw.sys
C:\WINDOWS\system32\drivers\epfwtdi.sys
C:\WINDOWS\system32\drivers\epfwndis.sys
C:\WINDOWS\system32\drivers\easdrv.sys
C:\WINDOWS\system32\drivers\eamon.sys
Folder::
C:\Documents and Settings\All Users\Application Data\ESET
C:\Program Files\ESET
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFVOif]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
  • 0
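An added example, not from this thread or from ComboFix or any other tool named in it: a small Python parser for the wininit.ini [rename] section that the post above asks the user to copy out, run against the [rename] contents that appear in this thread, so a helper can see at a glance which entries are plain renames, which are `nul=` deletions, and which touch system32 or carry the eight-letter random file names seen here. The eight-letter-stem and system32 checks are heuristics of this example, not anything the thread states.

```python
"""Parse a wininit.ini [rename] section and list what each entry would do."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The [rename] section exactly as reported in this thread (used as sample input).
SAMPLE_WININIT = r"""[rename]
c:\tempjunk3638.tmp=C:\WINDOWS\system32\bujololv.dll_old
nul=c:\tempjunk9815.tmp
c:\tempjunk4985.tmp=C:\WINDOWS\system32\dbogtjrj.dll_old
c:\tempjunk9815.tmp=C:\WINDOWS\system32\fccccCVP.dll_old
"""

# The neutralised file the helper asks the user to write back afterwards.
NEUTRAL_WININIT = "[rename]\nnul=\n"

# Heuristic of this example: the DLL names in this thread (bujololv, dbogtjrj,
# fccccCVP, khfFVOif) are all exactly eight letters with no digits.
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")
NOTEWORTHY = {"targets system32", "eight-letter random-looking file name"}


@dataclass
class RenameOp:
    destination: str  # left-hand side; the literal "nul" means "delete the source"
    source: str       # right-hand side; the file the entry acts on
    line_no: int

    @property
    def is_delete(self) -> bool:
        return self.destination.lower() == "nul"


def parse_rename_section(text: str) -> list[RenameOp]:
    """Return the key=value pairs under [rename]; any other section is ignored.

    An entry with an empty value (the bare 'nul=' of the neutralised file) names
    no file and is skipped, so a clean file parses to an empty list.
    """
    ops: list[RenameOp] = []
    in_rename = False
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if not src:
            continue
        ops.append(RenameOp(dest, src, n))
    return ops


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def review(ops: list[RenameOp]) -> list[tuple[RenameOp, list[str]]]:
    """Pair every op with the reasons a helper might want to look at it."""
    findings = []
    for op in ops:
        reasons = []
        low = op.source.lower()
        if "\\system32\\" in low:
            reasons.append("targets system32")
        if RANDOM_STEM.match(basename(op.source).split(".", 1)[0]):
            reasons.append("eight-letter random-looking file name")
        if low.endswith(".dll_old"):
            reasons.append("renamed DLL (.dll_old) left by a cleanup tool")
        if op.is_delete:
            reasons.append("scheduled deletion")
        findings.append((op, reasons))
    return findings


def summarize(text: str) -> dict[str, int]:
    """Counts a helper can quote back: total entries, deletions, flagged entries."""
    ops = parse_rename_section(text)
    return {
        "operations": len(ops),
        "deletions": sum(op.is_delete for op in ops),
        "flagged": sum(1 for _, reasons in review(ops) if NOTEWORTHY & set(reasons)),
    }


if __name__ == "__main__":
    for op, reasons in review(parse_rename_section(SAMPLE_WININIT)):
        action = "DELETE" if op.is_delete else f"RENAME -> {op.destination}"
        print(f"line {op.line_no}: {op.source}: {action}; {', '.join(reasons) or 'nothing notable'}")
    print(summarize(SAMPLE_WININIT))
```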

#5
Alanpfds

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hello again:

First of all, I have followed these instructions and the logs/files you asked for are below. Unfortunately, I have now lost my internet connection completely, and attempting to use XP's "Repair Connection" function doesn't work. When I do so, I get the following error message:

"Windows could not finish repairing the problem because the following action cannot be completed:
Failed to query TCP/IP setting of the connection. Cannot proceed.

For assistance, contact the person who manages your network."


FYI, I've attached a screen capture from the Device Manager of the current state of my network drivers. There are some "Eset" things still there if that helps you.

Here is the wininit.ini file contents before running Combofix, as per your request:

[rename]
c:\tempjunk3638.tmp=C:\WINDOWS\system32\bujololv.dll_old
nul=c:\tempjunk9815.tmp
c:\tempjunk4985.tmp=C:\WINDOWS\system32\dbogtjrj.dll_old
c:\tempjunk9815.tmp=C:\WINDOWS\system32\fccccCVP.dll_old

And here is the Combofix log from the run I did this morning:

ComboFix 08-05-01.3 - DEFAULT 2008-05-04 8:34:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.596 [GMT -4:00]
Running from: C:\Documents and Settings\DEFAULT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DEFAULT\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM2ba72237.xml
C:\WINDOWS\system32\drivers\eamon.sys
C:\WINDOWS\system32\drivers\easdrv.sys
C:\WINDOWS\system32\drivers\epfw.sys
C:\WINDOWS\system32\drivers\epfwndis.sys
C:\WINDOWS\system32\drivers\epfwtdi.sys
C:\WINDOWS\system32\mgstfyxh.dll_old
C:\WINDOWS\winiini.fin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ESET
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\FND1.NFI
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\httpblk.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Antispam\asdata.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Antispam\sc1.bin.full.2007.12.11.08.15.44
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Antispam\sc2.bin.full.2005.02.11.04.44.13
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Antispam\sc5.bin.full.2007.01.28.16.09.00
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\FND0.NFI
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\FND1.NFI
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\EHttpSrv.xml
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\epfwdata.bin
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\EpfwTemp.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\EpfwUser.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\httpblk.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Installer\d24.msi
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\eScan\ndl132.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\eScan\ndl32203.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\base_nonnups\0_3_0_nod161C.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\continuous\nod0FE5.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\continuous\nod2FCD.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\continuous\nod3EB6.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\continuous\nod55DB.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\continuous\nod5E3C.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em000_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em001_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em001_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em002_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em003_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em003_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em003_32_l2.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em004_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em004_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em005_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em005_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em005_32_l2.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em008_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em008_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em010_32_l0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\em010_32_l1.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_89.202.157.135\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_89.202.157.136\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_89.202.157.137\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_89.202.157.138\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_89.202.157.139\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u21.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u23.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u24.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u30.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u31.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u32.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u33.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u34.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u35.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u36.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u37.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u38.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u39.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u40.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u41.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u42.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u43.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u44.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u45.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u46.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u47.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u48.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_u49.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\http_update.eset.com\update.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\lastupd.ver
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\nod02C0.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\reverse\nod2D20.nup
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Updfiles\upd.ver
C:\Program Files\ESET
C:\WINDOWS\BM2ba72237.xml
C:\WINDOWS\system32\drivers\eamon.sys
C:\WINDOWS\system32\drivers\easdrv.sys
C:\WINDOWS\system32\drivers\epfw.sys
C:\WINDOWS\system32\drivers\epfwndis.sys
C:\WINDOWS\system32\drivers\epfwtdi.sys
C:\WINDOWS\winiini.fin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_eamon
-------\Legacy_easdrv
-------\Legacy_epfw
-------\Legacy_epfwtdi
-------\Service_eamon
-------\Service_easdrv
-------\Service_epfw
-------\Service_Epfwndis
-------\Service_epfwtdi


((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-05-03 11:29 . 2008-05-03 11:29 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-03 11:29 . 2008-05-04 08:42 5,888,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-03 11:29 . 2008-05-03 11:33 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-03 11:29 . 2008-05-03 11:33 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-03 11:29 . 2008-05-04 08:40 80,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-03 11:29 . 2008-05-04 08:42 27,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-03 11:29 . 2008-05-04 08:40 3,620 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-03 11:04 . 2008-05-03 11:11 <DIR> d-------- C:\kav
2008-05-03 10:31 . 2008-05-03 11:22 <DIR> d-------- C:\Program Files\COMODO
2008-05-03 10:31 . 2008-05-03 11:22 <DIR> d-------- C:\Documents and Settings\DEFAULT\Application Data\Comodo
2008-05-03 10:02 . 2008-05-03 10:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-03 10:02 . 2008-05-04 08:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-02 23:47 . 2008-05-02 23:48 <DIR> d-------- C:\Documents and Settings\TEMP
2008-05-02 22:40 . 2008-05-02 22:40 <DIR> d-------- C:\Documents and Settings\DEFAULT\Application Data\Digsby
2008-05-02 22:38 . 2008-05-02 22:39 <DIR> d-------- C:\Program Files\Digsby
2008-05-02 21:41 . 2008-05-02 21:41 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-05-02 21:40 . 2008-05-02 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-02 21:40 . 2008-05-02 21:41 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-02 21:39 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-02 21:33 . 2008-05-02 22:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-02 21:33 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-02 20:59 . 2008-05-02 20:59 <DIR> d-------- C:\VundoFix Backups
2008-05-02 20:47 . 2008-05-03 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-27 22:11 . 2008-04-27 22:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-27 22:00 . 2008-04-27 22:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-27 10:57 . 2008-04-27 11:00 211 --a------ C:\WINDOWS\wininit.ini.bak
2008-04-27 10:57 . 2008-05-04 08:31 14 --a------ C:\WINDOWS\wininit.ini
2008-04-27 10:10 . 2008-04-27 10:10 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 10:10 . 2008-04-27 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 08:53 . 2008-05-02 22:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 08:53 . 2008-05-02 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-25 20:11 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-04-25 20:11 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-04-25 20:11 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-04-25 20:11 . 2007-05-31 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-04-25 20:11 . 2007-05-31 19:29 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-04-25 20:10 . 2007-01-24 15:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2008-04-25 20:10 . 2008-04-25 20:10 319 --a------ C:\WINDOWS\game.ini
2008-04-25 19:56 . 2008-04-25 19:56 <DIR> d-------- C:\Program Files\Activision
2008-04-20 11:54 . 2008-04-20 11:55 <DIR> d-------- C:\Program Files\NoteBurner
2008-04-20 11:54 . 2007-05-16 11:42 13,440 --a------ C:\WINDOWS\system32\drivers\ntcdrdrv.sys
2008-04-20 08:16 . 2008-04-20 08:16 <DIR> d-------- C:\Psfonts
2008-04-20 08:16 . 2008-04-20 08:16 <DIR> d-------- C:\Program Files\Finale Viewer
2008-04-17 06:45 . 2008-05-04 08:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 06:45 . 2008-04-17 06:45 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 06:31 . 2008-04-17 06:31 <DIR> d-------- C:\Program Files\Roni Music
2008-04-15 18:31 . 2008-04-15 18:31 670 --a------ C:\WINDOWS\eReg.dat
2008-04-13 03:17 . 2008-04-13 03:17 <DIR> dr-h----- C:\Documents and Settings\Jamie\Application Data\SecuROM
2008-04-12 20:19 . 2008-05-03 23:58 <DIR> d-------- C:\Program Files\Steam
2008-04-12 02:50 . 2008-04-12 02:50 <DIR> d-------- C:\Program Files\OpenAL
2008-04-12 02:46 . 2008-04-12 02:46 <DIR> d-------- C:\Program Files\Atari
2008-04-08 21:08 . 2008-04-09 23:32 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-04-08 06:33 . 2008-04-09 23:30 <DIR> d-------- C:\Program Files\GNU
2008-04-07 18:59 . 2008-04-07 18:59 <DIR> d-------- C:\Program Files\Ubisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 03:16 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-03 03:49 --------- d-----w C:\Program Files\Google
2008-05-03 02:33 --------- d-----w C:\Program Files\IDM Computer Solutions
2008-05-03 02:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 00:09 --------- d-----w C:\Program Files\LimeWire
2008-05-03 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-03 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-04-28 02:56 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-27 14:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 00:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 14:40 --------- d-----w C:\Program Files\Mp3tag
2008-04-20 13:27 --------- d-----w C:\Documents and Settings\DEFAULT\Application Data\LimeWire
2008-04-19 17:38 --------- d-----w C:\Documents and Settings\Jamie\Application Data\LimeWire
2008-04-15 22:24 --------- d-----w C:\Program Files\EA GAMES
2008-04-13 13:57 --------- d-----w C:\Program Files\Password Safe
2008-04-10 03:32 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-04-05 14:10 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-03 00:54 --------- d-----w C:\Documents and Settings\DEFAULT\Application Data\Mp3tag
2008-04-03 00:16 --------- d-----w C:\Program Files\iTunes
2008-04-03 00:16 --------- d-----w C:\Program Files\iPod
2008-04-03 00:13 --------- d-----w C:\Program Files\QuickTime
2008-03-30 17:24 --------- d-----w C:\Program Files\Suntelia
2008-03-30 17:24 --------- d-----w C:\Program Files\SoundNet
2008-03-24 19:28 --------- d-----w C:\Program Files\hp deskjet 930c series
2008-03-24 19:28 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-24 19:26 --------- d-----w C:\Program Files\Hp
2008-03-16 15:08 --------- d-----w C:\Program Files\7-Zip
2008-03-16 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-10 19:07 --------- d-----w C:\Program Files\OGPlanet
2008-03-07 04:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-06 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-05 11:35 --------- d-----w C:\Program Files\Java
2005-10-28 22:28 0 ----a-w C:\Documents and Settings\DEFAULT\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-02_19.46.54.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-02 23:43:33 299,008 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\4dacba5947f877cba823612ae3f3e82d\WindowsFormsIntegration.ni.dll
- 2008-05-02 23:37:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 12:42:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-17 10:44:25 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
+ 2008-05-03 03:29:02 102,400 ----a-r C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe
- 2008-05-02 23:13:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-04 02:52:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-02 23:13:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-04 02:52:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-02 23:13:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-04 02:52:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-31 17:41:16 110,096 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2007-12-28 23:51:04 195,344 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-12-13 17:28:40 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2008-02-08 22:35:42 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-02-08 22:37:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
- 2008-04-14 01:14:50 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2008-05-04 03:15:27 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
+ 2008-05-03 03:48:01 107,820 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2003-08-29 02:40:22 62,560 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2008-04-03 01:07:40 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
- 2003-08-29 02:40:26 189,792 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2008-04-03 01:08:00 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5D07EB6-BBCE-4DAE-ACBB-D13A8D28CB1F}]
2008-01-12 12:38 1198592 --a------ C:\Program Files\Tracker Software\PDF-XChange Viewer\pdf-viewer\PDFXCviewIEPlugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-05-02 21:41 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-05-02 21:41 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-24 16:07 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 11:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 11:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 11:10 114688]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-10 18:36 8740864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 03:46 196608]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 13:01 1037736]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 18:30 45632]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 09:56 236016]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 20:36 196608]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2007-12-24 23:44:47 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Annie^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\Annie\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DEFAULT^Start Menu^Programs^Startup^Anapod Manager.lnk]
path=C:\Documents and Settings\DEFAULT\Start Menu\Programs\Startup\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"C:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Atari\\ArmA\\arma.exe"=
"C:\\Program Files\\Steam\\SteamApps\\[email protected]\\half-life\\hl.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\kav\\kis\\setup.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 11:42]
R1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 15:05]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 15:05]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-17 23:51]
S3 se3ebus;Sony Ericsson Device 062 (WDM);C:\WINDOWS\system32\DRIVERS\se3ebus.sys [2006-09-19 13:42]
S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se3emdfl.sys [2006-09-19 13:42]
S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se3emdm.sys [2006-09-19 13:43]
S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se3emgmt.sys [2006-09-19 13:43]
S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se3eobex.sys [2006-09-19 13:44]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
S3 z520bus;Sony Ericsson 520 driver (WDM);C:\WINDOWS\system32\DRIVERS\z520bus.sys [2005-07-26 12:13]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\z520mdfl.sys [2005-07-26 12:15]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\z520mdm.sys [2005-07-26 12:15]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\z520mgmt.sys [2005-07-26 12:16]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\z520obex.sys [2005-07-26 12:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ddfdda5-bd79-11dc-b0c6-001320cb8803}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0509276-47d1-11da-a0b9-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd060249-5b1b-11da-a9ea-806d6172696f}]
\Shell\AutoRun\command - D:\install.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 00:02:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 08:42:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 8

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-04 8:51:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-04 12:51:46
ComboFix2.txt 2008-05-02 23:47:14

Pre-Run: 153,115,844,608 bytes free
Post-Run: 153,230,712,832 bytes free

394 --- E O F --- 2008-04-08 18:15:11

Attached Thumbnails: problems.jpg


#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Don't know how they are related, but see if this will fix the internet connection issue.

Download WinsockFix at http://www.greyknigh.../WinsockFix.zip and unzip it. Then double-click on WinsockFix.exe to run it. Click on the Fix button.

If that doesn't fix the issue, try installing Eset back to see if it helps.

Delete this file:

C:\WINDOWS\wininit.ini.bak

Is everything running ok now?

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.