Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

downloader-UA.h [CLOSED]

Started by melint , May 05 2008 09:04 AM

  • This topic is locked This topic is locked

#1
melint
Posted 05 May 2008 - 09:04 AM

melint

    Member

  • Member
  • PipPipPip
  • 166 posts
i need help removing a trojan, mcafee found it, but i'm not having any luck removing it...please help
  • 0

Advertisements

#2
Mike
Posted 05 May 2008 - 09:24 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi melint,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
melint
Posted 06 May 2008 - 09:45 AM

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
here are the two pages that came up

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-06 10:32:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
91: 2008-05-06 15:32:20 UTC - RP1253 - Deckard's System Scanner Restore Point
90: 2008-05-05 16:35:32 UTC - RP1252 - System Checkpoint
89: 2008-05-04 14:44:00 UTC - RP1251 - System Checkpoint
88: 2008-05-03 13:48:21 UTC - RP1250 - System Checkpoint
87: 2008-05-02 01:04:57 UTC - RP1249 - System Checkpoint


-- First Restore Point --
1: 2008-02-07 08:31:53 UTC - RP1163 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:06 AM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Documents and Settings\Owner\Application Data\Real\Update\setup\setup.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\temp1.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.c...4u?page=gn_card
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: .protected
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Vegas Villa Online Casino - {AFCA8905-936B-4aeb-A99C-6B35F596B7A3} - C:\Program Files\vegasvilla\casinogame.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137619853437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142183594984
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: bw+0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter hijack: text/html - {D55E80B0-433D-442F-A524-060DEA41DEE0} - C:\WINDOWS\system32\icda0wpw5.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\o4nsle571h.dll (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 22500 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S0 FOPN - c:\windows\system32\drivers\fopn.sys (file missing)
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ptssvc - c:\program files\kodak\kodak picture transfer software\ptssvc.exe <Not Verified; KODAK; KODAK PTS service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 Network Monitor - c:\program files\network monitor\netmon.exe service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-06 10:39:35 0 d-------- C:\Program Files\Trend Micro
2008-05-02 19:38:26 25472 --a------ C:\WINDOWS\system32\drivers\pca-firewall.sys
2008-05-02 19:38:08 0 d-------- C:\Documents and Settings\ken\Application Data\PC-Antispyware
2008-05-02 19:35:56 0 d-------- C:\Program Files\PC-Antispyware
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\winlogonpc.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\thun32.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\thun.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\temp#01.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\taack.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\taack.dat
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\ssvchost.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\ssvchost.com
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\ssurf022.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\sncntr.exe
2008-05-01 20:42:07 0 d-------- C:\WINDOWS\system32\smp
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\regm64.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\regc64.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\psoft1.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\psof1.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\ps1.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\netode.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\mwin32.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\mtr2.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\msvchost.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\msnbho.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\msgp.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\medup020.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\medup012.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.dat
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\hoproxy.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\h@tkeysh@@k.dll
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\dpcproxy.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\system32\bsva-egihsg52.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-05-01 20:42:07 4096 --a------ C:\WINDOWS\a.bat
2008-05-01 20:42:07 0 d-------- C:\Program Files\Inet Delivery
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\winsystem.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\WINWGPX.EXE
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\vcatchpi.dll
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\vbsys2.dll
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\sysreq.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\Rundl1.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\newsd32.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\mssecu.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\emesx.dll
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\bdn.com
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\awtoolb.dll
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\anticipator.dll
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\system32\akttzn.exe
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\mssecu.exe
2008-05-01 20:42:06 0 d-------- C:\WINDOWS\mslagent
2008-05-01 20:42:06 4096 --a------ C:\WINDOWS\bdn.com
2008-05-01 20:42:06 0 d-------- C:\Program Files\akl
2008-05-01 20:41:47 98304 --a------ C:\WINDOWS\system32\dshujwhq.exe
2008-05-01 20:41:47 0 d-------- C:\Documents and Settings\All Users\Application Data\fmjqpsdi
2008-05-01 20:41:37 102400 --a------ C:\WINDOWS\xbaqktfv.exe
2008-05-01 20:41:37 94208 --a------ C:\WINDOWS\spwoqbmv.exe
2008-05-01 20:41:37 307200 --a------ C:\WINDOWS\qadovnel.dll
2008-05-01 20:41:37 311296 --a------ C:\WINDOWS\bdkpfxqw.dll
2008-04-26 20:31:43 0 d-------- C:\Documents and Settings\ken\Shared
2008-04-26 20:30:42 0 d-------- C:\Documents and Settings\ken\Incomplete
2008-04-26 20:29:58 0 d-------- C:\Documents and Settings\ken\Application Data\LimeWire
2008-04-23 21:57:58 0 d-------- C:\Program Files\DivX
2008-04-11 08:05:23 0 d-------- C:\Documents and Settings\ken\Application Data\Real
2008-04-10 07:44:33 0 d-------- C:\Documents and Settings\ken\Application Data\PC Suite


-- Find3M Report ---------------------------------------------------------------

2008-04-10 16:48:15 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-04-05 21:55:16 1409 --a------ C:\WINDOWS\zysaxyczld.exe
2008-04-05 21:55:16 3072 --a------ C:\WINDOWS\zysaoxcjiy.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-04 08:07:05 0 d-------- C:\Documents and Settings\Owner\Application Data\Nokia
2008-04-04 08:05:23 0 d-------- C:\Documents and Settings\Owner\Application Data\PC Suite
2008-04-04 08:03:04 0 d-------- C:\Program Files\DIFX
2008-04-04 08:01:13 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-04 08:01:11 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-04 08:01:09 0 d-a------ C:\Program Files\Common Files
2008-04-04 08:00:57 0 d-------- C:\Program Files\Nokia
2008-04-04 07:58:55 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 16:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-31 16:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 16:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 16:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-03-27 09:50:09 0 d-------- C:\Program Files\Motorola Phone Tools
2008-03-27 09:47:42 0 d-------- C:\Program Files\Avanquest update
2008-03-21 15:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 15:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 15:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 15:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 10:57:57 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 06:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 12:49 PM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 10:02 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 06:29 PM]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 12:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/21/2006 06:51 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/12/2005 02:04 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [05/19/2005 07:38 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [03/07/2007 12:06 AM]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [12/10/2007 10:12 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.protected [5/2/2008 7:38:28 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Setup]
C:\WINDOWS\system32\o4nsle571h.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
\Program\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? ?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? ?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSystemProtect]
"C:\Program Files\Acceleration Software\StopSignProducts\SystemProtect\stopsignprotect.exe" /Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
C:\Program Files\MySoftware\MyInvoices\tracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com

55 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-06 10:42:22 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.80GHz
Percentage of Memory in Use: 80%
Physical Memory (total/avail): 255.53 MiB / 51.1 MiB
Pagefile Memory (total/avail): 618.7 MiB / 283.22 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.15 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 70.29 GiB total, 26.45 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JB-00FMA0 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 4.23 GiB
\PARTITION1 (bootable) - Installable File System - 70.29 GiB - C:

\\.\PHYSICALDRIVE1 - HP Photosmart C4180 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntivirusOverride is set.
FirewallOverride is set.

AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\juno\\bin\\juno.exe"="C:\\Program Files\\juno\\bin\\juno.exe:*:Enabled:Juno"
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"="C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\WINDOWS\\SYSTEM32\\rk.exe"="C:\\WINDOWS\\SYSTEM32\\rk.exe:*:Enabled:rk.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe:*:Enabled:Acrobat Reader 5.0"
"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe"="C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe:*:Disabled:Stop-Sign Threat Scanner GUI"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-ZE8CXVR8TT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-ZE8CXVR8TT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program files\PC-Doctor for Windows XP\WINDSAPI;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner
  • 0

#4
Mike
Posted 06 May 2008 - 01:00 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi melint,

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out :)

Very Important!

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. When should I re-format?

If you choose to reformat please let me know in your next post, if not please proceed with the fix.

Step 1. Running SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Step 2. Combofix

Please go here to install and download the Recovery Console.

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

In your next reply

Report from SDFix (step1)
Report from Combofix (step2, located in C:\Combofix.txt)
A new Hijack This log after running the above tools.
  • 0

#5
melint
Posted 13 May 2008 - 11:08 AM

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
here are the 3 reports you requested....thanks for your help


SDFix: Version 1.181
Run by Owner on Tue 05/13/2008 at 10:58 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix

Checking Services :

Name :
Network Monitor

Path :
C:\Program Files\Network Monitor\netmon.exe service

Network Monitor - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CLOUDSIM.EXE - Deleted
C:\Documents and Settings\ken\Start Menu\Programs\Startup\.protected - Deleted
C:\WINDOWS\.protected - Deleted
C:\WINDOWS\SYSTEM32\drivers\etc\.protected - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\WINDOWS\mslagent\2_mslagent.dll - Deleted
C:\WINDOWS\mslagent\mslagent.exe - Deleted
C:\WINDOWS\mslagent\uninstall.exe - Deleted
C:\WINDOWS\system32\smp\msrc.exe - Deleted
C:\Program Files\akl\akl.dll - Deleted
C:\Program Files\akl\akl.exe - Deleted
C:\Program Files\akl\uninstall.exe - Deleted
C:\Program Files\akl\unsetup.exe - Deleted
C:\Program Files\Inet Delivery\inetdl.exe - Deleted
C:\Program Files\Inet Delivery\intdel.exe - Deleted
C:\Program Files\MediaVideoCodec\install.ico - Deleted
C:\Program Files\MediaVideoCodec\MediaVideoCodec.ocx - Deleted
C:\Program Files\MediaVideoCodec\Uninstall.exe - Deleted
C:\WINDOWS\a.bat - Deleted
C:\WINDOWS\base64.tmp - Deleted
C:\WINDOWS\bdkpfxqw.dll - Deleted
C:\WINDOWS\bdn.com - Deleted
C:\WINDOWS\binret.exe - Deleted
C:\WINDOWS\FVProtect.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\mssecu.exe - Deleted
C:\WINDOWS\qadovnel.dll - Deleted
C:\WINDOWS\spwoqbmv.exe - Deleted
C:\WINDOWS\system32\akttzn.exe - Deleted
C:\WINDOWS\system32\anticipator.dll - Deleted
C:\WINDOWS\system32\awtoolb.dll - Deleted
C:\WINDOWS\system32\bdn.com - Deleted
C:\WINDOWS\system32\bsva-egihsg52.exe - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\dpcproxy.exe - Deleted
C:\WINDOWS\system32\emesx.dll - Deleted
C:\WINDOWS\system32\h@tkeysh@@k.dll - Deleted
C:\WINDOWS\system32\hoproxy.dll - Deleted
C:\WINDOWS\system32\hxiwlgpm.dat - Deleted
C:\WINDOWS\system32\hxiwlgpm.exe - Deleted
C:\WINDOWS\system32\medup012.dll - Deleted
C:\WINDOWS\system32\medup020.dll - Deleted
C:\WINDOWS\system32\msgp.exe - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\msnbho.dll - Deleted
C:\WINDOWS\system32\mssecu.exe - Deleted
C:\WINDOWS\system32\msvchost.exe - Deleted
C:\WINDOWS\system32\mtr2.exe - Deleted
C:\WINDOWS\system32\mwin32.exe - Deleted
C:\WINDOWS\system32\netode.exe - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\newsd32.exe - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\ps1.exe - Deleted
C:\WINDOWS\system32\psof1.exe - Deleted
C:\WINDOWS\system32\psoft1.exe - Deleted
C:\WINDOWS\system32\regc64.dll - Deleted
C:\WINDOWS\system32\regedit.com - Deleted
C:\WINDOWS\system32\regm64.dll - Deleted
C:\WINDOWS\system32\Rundl1.exe - Deleted
C:\WINDOWS\system32\sncntr.exe - Deleted
C:\WINDOWS\system32\ssurf022.dll - Deleted
C:\WINDOWS\system32\ssvchost.com - Deleted
C:\WINDOWS\system32\ssvchost.exe - Deleted
C:\WINDOWS\system32\sysreq.exe - Deleted
C:\WINDOWS\system32\taack.dat - Deleted
C:\WINDOWS\system32\taack.exe - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\temp#01.exe - Deleted
C:\WINDOWS\system32\thun.dll - Deleted
C:\WINDOWS\system32\thun32.dll - Deleted
C:\WINDOWS\system32\tracert.com - Deleted
C:\WINDOWS\system32\VBIEWER.OCX - Deleted
C:\WINDOWS\system32\vbsys2.dll - Deleted
C:\WINDOWS\system32\vcatchpi.dll - Deleted
C:\WINDOWS\system32\winlogonpc.exe - Deleted
C:\WINDOWS\system32\winsystem.exe - Deleted
C:\WINDOWS\system32\WINWGPX.EXE - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
C:\WINDOWS\userconfig9x.dll - Deleted
C:\WINDOWS\Web\def.htm - Deleted
C:\WINDOWS\winsystem.exe - Deleted
C:\WINDOWS\xbaqktfv.exe - Deleted
C:\WINDOWS\zip1.tmp - Deleted
C:\WINDOWS\zip2.tmp - Deleted
C:\WINDOWS\zip3.tmp - Deleted
C:\WINDOWS\zipped.tmp - Deleted



Folder C:\Program Files\akl - Removed
Folder C:\Program Files\Inet Delivery - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\MediaVideoCodec - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\WINDOWS\mslagent - Removed
Folder C:\WINDOWS\system32\smp - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 11:23:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\juno\\bin\\juno.exe"="C:\\Program Files\\juno\\bin\\juno.exe:*:Enabled:Juno"
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Disabled:backWeb-7288971"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"="C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\WINDOWS\\SYSTEM32\\rk.exe"="C:\\WINDOWS\\SYSTEM32\\rk.exe:*:Enabled:rk.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe:*:Enabled:Acrobat Reader 5.0"
"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe"="C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe:*:Disabled:Stop-Sign Threat Scanner GUI"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Jul 2001 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Wed 4 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Wed 4 Aug 2004 54,784 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcirt.dll"
Wed 4 Aug 2004 413,696 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcp60.dll"
Wed 4 Aug 2004 343,040 A.SH. --- "C:\WINDOWS\SYSTEM32\msvcrt.dll"
Wed 4 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\SYSTEM32\regsvr32.exe"
Tue 8 Mar 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 4 Aug 2004 1,028,096 A.SH. --- "C:\Program Files\juno\bin\mfc42.dll"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Thu 27 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT5.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"
Fri 2 May 2008 589,824 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\5szznu4b.TMP"
Fri 2 May 2008 616,448 A.SH. --- "C:\Deckard\System Scanner\backup\WINDOWS\temp\smfmby08.TMP"
Tue 8 Mar 2005 4,348 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Thu 10 Mar 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 8 Mar 2005 400 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Thu 10 Mar 2005 1,536 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!




ComboFix 08-05-12.1 - Owner 2008-05-13 11:42:04.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Contact customer support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Uninstall WinAntiVirus Pro 2006.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\WinAntiVirus Pro 2006 Manual.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\WinAntiVirus Pro 2006.lnk
C:\Documents and Settings\Owner\Application Data\WinAntiVirus Pro 2006
C:\Program Files\Common Files\inetget
C:\Program Files\Common Files\vcclient
C:\Program Files\Common Files\vcclient\ClientUpdater.bat
C:\Program Files\Common Files\vcclient\ICSharpCode.SharpZipLib.dll
C:\Program Files\Common Files\vcclient\temp.txt
C:\Program Files\Common Files\vcclient\VCClient.exe.config
C:\Program Files\Common Files\vcclient\VCUpdate.exe.config
C:\Program Files\Common Files\vcclient\Version.txt
C:\Program Files\Common Files\winantivirus pro 2006
C:\Program Files\Common Files\windows
C:\Program Files\Common Files\windows\AutoIt3.exe
C:\Program Files\Common Files\windows\autoitscript.au3
C:\Program Files\Common Files\windows\psapi.dll
C:\Program Files\Common Files\windows\request.html
C:\Program Files\eqadvice
C:\Program Files\eqadvice\hf.txt
C:\Program Files\eqadvice\sf.txt
C:\Program Files\eqadvice\Uninstall.exe
C:\Program Files\fcadvice
C:\Program Files\fcadvice\patterns.dat
C:\Program Files\fcadvice\Uninstall.exe
C:\Program Files\outlook
C:\Program Files\PC-Cleaner
C:\Program Files\PC-Cleaner\com\pcsd.dll
C:\Program Files\PC-Cleaner\PC-Cleaner.db
C:\Program Files\PC-Cleaner\PC-Cleaner.exe
C:\Program Files\PC-Cleaner\pccleaner.pkg
C:\Program Files\PC-Cleaner\program.info
C:\Program Files\PC-Cleaner\Uninstall.exe
C:\Program Files\toolbar888
C:\Program Files\toolbar888\basis.xml
C:\Program Files\toolbar888\basis.xmlold
C:\Program Files\toolbar888\icons.bmp
C:\Program Files\toolbar888\installed.html
C:\Program Files\toolbar888\logo.bmp
C:\Program Files\toolbar888\ToolBar888.crc
C:\Program Files\toolbar888\version.txt
C:\Program Files\winantivirus pro 2006
C:\Program Files\winantivirus pro 2006\ASupdater.dat
C:\Program Files\winantivirus pro 2006\AWBase\database\enemies.dat
C:\Program Files\winantivirus pro 2006\AWBase\vbpv.dat
C:\Program Files\winantivirus pro 2006\bdcore.dll
C:\Program Files\winantivirus pro 2006\bnlink.dat
C:\Program Files\winantivirus pro 2006\bpupdater.dat
C:\Program Files\winantivirus pro 2006\history.db
C:\Program Files\winantivirus pro 2006\img\button.gif
C:\Program Files\winantivirus pro 2006\img\button2.gif
C:\Program Files\winantivirus pro 2006\img\header.gif
C:\Program Files\winantivirus pro 2006\img\logo.gif
C:\Program Files\winantivirus pro 2006\img\spacer.gif
C:\Program Files\winantivirus pro 2006\img\top_line.gif
C:\Program Files\winantivirus pro 2006\img\top1.jpg
C:\Program Files\winantivirus pro 2006\img\top2.jpg
C:\Program Files\winantivirus pro 2006\InstHelp.exe
C:\Program Files\winantivirus pro 2006\lapv.dat
C:\Program Files\winantivirus pro 2006\libfn.dll
C:\Program Files\winantivirus pro 2006\License.rtf
C:\Program Files\winantivirus pro 2006\online.url
C:\Program Files\winantivirus pro 2006\PGBase\vbpv.dat
C:\Program Files\winantivirus pro 2006\PGupdater.dat
C:\Program Files\winantivirus pro 2006\plugins.htm
C:\Program Files\winantivirus pro 2006\plugins\ace.xmd
C:\Program Files\winantivirus pro 2006\plugins\adsntfs.xmd
C:\Program Files\winantivirus pro 2006\plugins\alz.xmd
C:\Program Files\winantivirus pro 2006\plugins\arc.xmd
C:\Program Files\winantivirus pro 2006\plugins\arj.xmd
C:\Program Files\winantivirus pro 2006\plugins\bach.xmd
C:\Program Files\winantivirus pro 2006\plugins\bzip2.xmd
C:\Program Files\winantivirus pro 2006\plugins\cab.xmd
C:\Program Files\winantivirus pro 2006\plugins\ceva_dll.cvd
C:\Program Files\winantivirus pro 2006\plugins\ceva_emu.cvd
C:\Program Files\winantivirus pro 2006\plugins\ceva_vfs.cvd
C:\Program Files\winantivirus pro 2006\plugins\cevakrnl.cvd
C:\Program Files\winantivirus pro 2006\plugins\cevakrnl.ivd
C:\Program Files\winantivirus pro 2006\plugins\cevakrnl.rvd
C:\Program Files\winantivirus pro 2006\plugins\cevakrnl.xmd
C:\Program Files\winantivirus pro 2006\plugins\cevarknl.rvd
C:\Program Files\winantivirus pro 2006\plugins\chm.xmd
C:\Program Files\winantivirus pro 2006\plugins\cpio.xmd
C:\Program Files\winantivirus pro 2006\plugins\cran.cvd
C:\Program Files\winantivirus pro 2006\plugins\cran.ivd
C:\Program Files\winantivirus pro 2006\plugins\cran.xmd
C:\Program Files\winantivirus pro 2006\plugins\dbx.xmd
C:\Program Files\winantivirus pro 2006\plugins\docfile.xmd
C:\Program Files\winantivirus pro 2006\plugins\e_spyw.ivd
C:\Program Files\winantivirus pro 2006\plugins\emalware.cvd
C:\Program Files\winantivirus pro 2006\plugins\emalware.ivd
C:\Program Files\winantivirus pro 2006\plugins\emalware.xmd
C:\Program Files\winantivirus pro 2006\plugins\epoc.xmd
C:\Program Files\winantivirus pro 2006\plugins\gzip.xmd
C:\Program Files\winantivirus pro 2006\plugins\ha.xmd
C:\Program Files\winantivirus pro 2006\plugins\hlp.xmd
C:\Program Files\winantivirus pro 2006\plugins\hpe.cvd
C:\Program Files\winantivirus pro 2006\plugins\hpe.xmd
C:\Program Files\winantivirus pro 2006\plugins\hqx.xmd
C:\Program Files\winantivirus pro 2006\plugins\html.xmd
C:\Program Files\winantivirus pro 2006\plugins\imp.xmd
C:\Program Files\winantivirus pro 2006\plugins\inno.xmd
C:\Program Files\winantivirus pro 2006\plugins\instyler.xmd
C:\Program Files\winantivirus pro 2006\plugins\iso.xmd
C:\Program Files\winantivirus pro 2006\plugins\java.cvd
C:\Program Files\winantivirus pro 2006\plugins\java.xmd
C:\Program Files\winantivirus pro 2006\plugins\jpeg.xmd
C:\Program Files\winantivirus pro 2006\plugins\lha.xmd
C:\Program Files\winantivirus pro 2006\plugins\lnk.xmd
C:\Program Files\winantivirus pro 2006\plugins\mbox.xmd
C:\Program Files\winantivirus pro 2006\plugins\mbx.xmd
C:\Program Files\winantivirus pro 2006\plugins\mdx.xmd
C:\Program Files\winantivirus pro 2006\plugins\mdx_97.cvd
C:\Program Files\winantivirus pro 2006\plugins\mdx_97.ivd
C:\Program Files\winantivirus pro 2006\plugins\mdx_w95.cvd
C:\Program Files\winantivirus pro 2006\plugins\mdx_x95.cvd
C:\Program Files\winantivirus pro 2006\plugins\mdx_xf.cvd
C:\Program Files\winantivirus pro 2006\plugins\mime.xmd
C:\Program Files\winantivirus pro 2006\plugins\mso.xmd
C:\Program Files\winantivirus pro 2006\plugins\na.cvd
C:\Program Files\winantivirus pro 2006\plugins\na.xmd
C:\Program Files\winantivirus pro 2006\plugins\nelf.cvd
C:\Program Files\winantivirus pro 2006\plugins\nelf.xmd
C:\Program Files\winantivirus pro 2006\plugins\nsis.xmd
C:\Program Files\winantivirus pro 2006\plugins\objd.xmd
C:\Program Files\winantivirus pro 2006\plugins\pdf.xmd
C:\Program Files\winantivirus pro 2006\plugins\pst.xmd
C:\Program Files\winantivirus pro 2006\plugins\rar.xmd
C:\Program Files\winantivirus pro 2006\plugins\regscan.cvd
C:\Program Files\winantivirus pro 2006\plugins\rpm.xmd
C:\Program Files\winantivirus pro 2006\plugins\rtf.xmd
C:\Program Files\winantivirus pro 2006\plugins\rup.cvd
C:\Program Files\winantivirus pro 2006\plugins\rup.xmd
C:\Program Files\winantivirus pro 2006\plugins\sdx.cvd
C:\Program Files\winantivirus pro 2006\plugins\sdx.ivd
C:\Program Files\winantivirus pro 2006\plugins\sdx.xmd
C:\Program Files\winantivirus pro 2006\plugins\sfx.xmd
C:\Program Files\winantivirus pro 2006\plugins\swf.xmd
C:\Program Files\winantivirus pro 2006\plugins\tar.xmd
C:\Program Files\winantivirus pro 2006\plugins\td0.xmd
C:\Program Files\winantivirus pro 2006\plugins\thebat.xmd
C:\Program Files\winantivirus pro 2006\plugins\tnef.xmd
C:\Program Files\winantivirus pro 2006\plugins\unpack.cvd
C:\Program Files\winantivirus pro 2006\plugins\unpack.ivd
C:\Program Files\winantivirus pro 2006\plugins\unpack.xmd
C:\Program Files\winantivirus pro 2006\plugins\update.txt
C:\Program Files\winantivirus pro 2006\plugins\uudecode.xmd
C:\Program Files\winantivirus pro 2006\plugins\ve.cvd
C:\Program Files\winantivirus pro 2006\plugins\ve.ivd
C:\Program Files\winantivirus pro 2006\plugins\ve.xmd
C:\Program Files\winantivirus pro 2006\plugins\vedata.cvd
C:\Program Files\winantivirus pro 2006\plugins\viza.xmd
C:\Program Files\winantivirus pro 2006\plugins\wise.xmd
C:\Program Files\winantivirus pro 2006\plugins\xishield.xmd
C:\Program Files\winantivirus pro 2006\plugins\z.xmd
C:\Program Files\winantivirus pro 2006\plugins\zip.xmd
C:\Program Files\winantivirus pro 2006\plugins\zoo.xmd
C:\Program Files\winantivirus pro 2006\ps.dat
C:\Program Files\winantivirus pro 2006\pv.dat
C:\Program Files\winantivirus pro 2006\sqlite3.dll
C:\Program Files\winantivirus pro 2006\sr.log
C:\Program Files\winantivirus pro 2006\st.dat
C:\Program Files\winantivirus pro 2006\Summary.rtf
C:\Program Files\winantivirus pro 2006\support.url
C:\Program Files\winantivirus pro 2006\unins000.dat
C:\Program Files\winantivirus pro 2006\uninstall.ico
C:\Program Files\winantivirus pro 2006\UninstallPage.html
C:\Program Files\winantivirus pro 2006\up.dat
C:\Program Files\winantivirus pro 2006\update.log
C:\Program Files\winantivirus pro 2006\updater.dat
C:\Program Files\winantivirus pro 2006\vbpv.dat
C:\Program Files\winantivirus pro 2006\worldmap.swf
C:\WINDOWS\appatc~1
C:\WINDOWS\config.ini
C:\WINDOWS\dh.ini
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\IA
C:\WINDOWS\libbz2.dll
C:\WINDOWS\mywallpaper.bmp
C:\WINDOWS\system32\av.cpl
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cv3wanv28.exe
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\nt68rrtc12.sys
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\wintit.exe
C:\WINDOWS\teller2.chk
C:\WINDOWS\win32073419-1407562006.exe
C:\WINDOWS\zysalwhkkw.exe
C:\WINDOWS\zysaoxcjiy.exe
C:\WINDOWS\zysapghucv.exe
C:\WINDOWS\zysaxyczld.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Service_FOPN


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-09 09:38 . 2008-05-09 09:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 09:38 . 2008-05-09 09:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 09:25 . 2008-05-09 09:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 09:22 . 2008-05-09 03:59 <DIR> d-------- C:\SDFix
2008-05-07 12:34 . 2008-05-07 12:42 <DIR> d-------- C:\Documents and Settings\ken\Application Data\PC-Cleaner
2008-05-06 10:39 . 2008-05-06 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 10:31 . 2008-05-06 10:31 <DIR> d-------- C:\Deckard
2008-05-02 19:38 . 2008-05-02 19:43 <DIR> d-------- C:\Documents and Settings\ken\Application Data\PC-Antispyware
2008-05-02 19:38 . 2008-05-02 19:38 25,472 --a------ C:\WINDOWS\SYSTEM32\drivers\pca-firewall.sys
2008-05-02 19:35 . 2008-05-02 19:44 <DIR> d-------- C:\Program Files\PC-Antispyware
2008-05-01 20:41 . 2008-05-01 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fmjqpsdi
2008-04-26 20:31 . 2008-05-05 11:19 <DIR> d-------- C:\Documents and Settings\ken\Shared
2008-04-26 20:30 . 2008-04-29 21:57 <DIR> d-------- C:\Documents and Settings\ken\Incomplete
2008-04-26 20:29 . 2008-04-27 13:56 <DIR> d-------- C:\Documents and Settings\ken\Application Data\LimeWire
2008-04-23 21:57 . 2008-04-23 21:59 <DIR> d-------- C:\Program Files\DivX
2008-04-23 21:56 . 2008-04-23 21:59 324 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 12:44 --------- d-----w C:\Documents and Settings\ken\Application Data\PC Suite
2008-04-04 13:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nokia
2008-04-04 13:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Suite
2008-04-04 13:03 --------- d-----w C:\Program Files\DIFX
2008-04-04 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-04 13:01 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-04 13:01 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-04 13:00 --------- d-----w C:\Program Files\Nokia
2008-04-04 12:58 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-04 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-03-27 14:50 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-27 14:49 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2008-03-27 14:49 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2008-03-27 14:49 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2008-03-27 14:49 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2008-03-27 14:49 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2008-03-27 14:49 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2008-03-27 14:49 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2008-03-27 14:49 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2008-03-27 14:49 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2008-03-27 14:47 --------- d-----w C:\Program Files\Avanquest update
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-03-19 15:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 15:56 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-01 23:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2006-05-10 19:17 836 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 06:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 06:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 06:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 06:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2004-08-04 06:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06 5181440]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 15:52:06 36864]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 15:52:06 36864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-02-10 22:32 473920 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--------- 2001-08-07 18:36 90112 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-12-14 11:07 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--------- 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--------- 2001-08-07 19:25 143360 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2005-03-29 17:39 192555 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 16:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-03-07 00:06 5181440 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-05-19 19:38 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-06-21 18:51 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSystemProtect]
C:\Program Files\Acceleration Software\StopSignProducts\SystemProtect\stopsignprotect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-12 14:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
--a------ 2004-09-17 04:45 118784 C:\Program Files\MySoftware\MyInvoices\tracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 09:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\juno\\bin\\juno.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 11:54:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\drivers\KodakCCS.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
.
**************************************************************************
.
Completion time: 2008-05-13 12:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 17:03:42

Pre-Run: 28,239,462,400 bytes free
Post-Run: 28,435,378,176 bytes free

448 --- E O F --- 2008-04-09 08:08:03Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:38 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.c...4u?page=gn_card
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Vegas Villa Online Casino - {AFCA8905-936B-4aeb-A99C-6B35F596B7A3} - C:\Program Files\vegasvilla\casinogame.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' me
  • 0

#6
Mike
Posted 14 May 2008 - 07:08 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there melint,

Let's get started again,

Optional

You have LimeWire installed. These are Peer to Peer programs. These types of programs are very dangerous as you literally allow anyone to access your computer. Please read Dangers of P2P.

If you wish to uninstall them please go to Start >Control Panel > Add or Remove Programs an uninstall:

LimeWire

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Documents and Settings\ken\Application Data\LimeWire
C:\Program Files\LimeWire

Step 1. Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Step 2. Making a CFscript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\drivers\pca-firewall.sys

Folder::
C:\Documents and Settings\ken\Application Data\PC-Cleaner
C:\Documents and Settings\ken\Application Data\PC-Antispyware
C:\Program Files\PC-Antispyware
C:\Documents and Settings\All Users\Application Data\fmjqpsdi

Driver::
pca-firewall

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Step 3. Running MalwareByte's Anti-Malware

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 4. Running Kaspersky Online Virusscaner

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

In your next reply

Please post the log from comobfix, MalwareBytes' Anti-Malware and Kaspersky.
Please post a new hijack this log.
Also give me an update on how your computers running, are you experiencing any more problems? If so what?

Your logs got cut off last time, it may be that these logs will not fit in only one reply, please spread them out over multiple replies if needed (don't worry about raising your post count :))

Edited by Mike, 14 May 2008 - 07:09 AM.

  • 0

#7
melint
Posted 14 May 2008 - 10:17 AM

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
here is the 1st report....i will do them in segments so they don't get cutoff...thanks



ComboFix 08-05-12.1 - Owner 2008-05-14 10:55:31.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\drivers\pca-firewall.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\fmjqpsdi
C:\Documents and Settings\All Users\Application Data\fmjqpsdi\zazkrejc.exe
C:\Documents and Settings\ken\Application Data\PC-Antispyware
C:\Documents and Settings\ken\Application Data\PC-Antispyware\config.xml
C:\Documents and Settings\ken\Application Data\PC-Antispyware\Sites.bl
C:\Documents and Settings\ken\Application Data\PC-Cleaner
C:\Documents and Settings\ken\Application Data\PC-Cleaner\log.dat
C:\Documents and Settings\ken\Application Data\PC-Cleaner\settings.dat
C:\Program Files\PC-Antispyware
C:\Program Files\PC-Antispyware\PC-Antispyware.db
C:\Program Files\PC-Antispyware\PC-Antispyware.exe
C:\Program Files\PC-Antispyware\pcantispyware.pkg
C:\Program Files\PC-Antispyware\program.info
C:\Program Files\PC-Antispyware\Uninstall.exe
C:\WINDOWS\SYSTEM32\drivers\pca-firewall.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 10:48 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-05-14 10:46 . 2008-05-14 10:48 <DIR> d-------- C:\Program Files\Java
2008-05-14 10:45 . 2008-05-14 10:45 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-09 09:25 . 2008-05-09 09:25 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-09 09:22 . 2008-05-09 03:59 <DIR> d-------- C:\SDFix
2008-05-06 10:39 . 2008-05-06 10:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 10:31 . 2008-05-06 10:31 <DIR> d-------- C:\Deckard
2008-04-26 20:31 . 2008-05-05 11:19 <DIR> d-------- C:\Documents and Settings\ken\Shared
2008-04-26 20:30 . 2008-04-29 21:57 <DIR> d-------- C:\Documents and Settings\ken\Incomplete
2008-04-23 21:57 . 2008-04-23 21:59 <DIR> d-------- C:\Program Files\DivX
2008-04-23 21:56 . 2008-04-23 21:59 324 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 15:25 --------- d-----w C:\Program Files\Common Files\Real
2008-05-14 15:24 --------- d-----w C:\Program Files\MySpace
2008-04-10 12:44 --------- d-----w C:\Documents and Settings\ken\Application Data\PC Suite
2008-04-04 13:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nokia
2008-04-04 13:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Suite
2008-04-04 13:03 --------- d-----w C:\Program Files\DIFX
2008-04-04 13:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-04 13:01 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-04 13:01 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-04 13:00 --------- d-----w C:\Program Files\Nokia
2008-04-04 12:58 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-04 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-27 14:50 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-27 14:49 92,064 ----a-w C:\Documents and Settings\Owner\mqdmmdm.sys
2008-03-27 14:49 9,232 ----a-w C:\Documents and Settings\Owner\mqdmmdfl.sys
2008-03-27 14:49 79,328 ----a-w C:\Documents and Settings\Owner\mqdmserd.sys
2008-03-27 14:49 66,656 ----a-w C:\Documents and Settings\Owner\mqdmbus.sys
2008-03-27 14:49 6,208 ----a-w C:\Documents and Settings\Owner\mqdmcmnt.sys
2008-03-27 14:49 5,936 ----a-w C:\Documents and Settings\Owner\mqdmwhnt.sys
2008-03-27 14:49 4,048 ----a-w C:\Documents and Settings\Owner\mqdmcr.sys
2008-03-27 14:49 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys
2008-03-27 14:49 22,768 ----a-w C:\Documents and Settings\Owner\usbsermpt.sys
2008-03-27 14:47 --------- d-----w C:\Program Files\Avanquest update
2008-03-19 15:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 15:56 22,768 ----a-w C:\WINDOWS\system32\drivers\usbsermpt.sys
2006-05-10 19:17 836 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 06:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 06:56 54,784 --sha-w C:\WINDOWS\SYSTEM32\msvcirt.dll
2004-08-04 06:56 413,696 --sha-w C:\WINDOWS\SYSTEM32\msvcp60.dll
2004-08-04 06:56 343,040 --sha-w C:\WINDOWS\SYSTEM32\msvcrt.dll
2004-08-04 06:56 11,776 --sh--w C:\WINDOWS\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_12.02.34.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 16:52:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 16:04:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-09 08:06:23 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-05-14 08:05:12 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-04-09 08:06:23 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-05-14 08:05:12 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-04-09 08:06:23 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-05-14 08:05:12 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-04-09 08:06:22 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-05-14 08:05:12 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-04-09 08:06:23 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-05-14 08:05:12 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-04-09 08:06:24 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-05-14 08:05:12 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-04-09 08:06:24 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-05-14 08:05:13 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-04-09 08:06:24 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-05-14 08:05:13 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-04-09 08:06:22 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-05-14 08:05:12 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-04-09 08:06:22 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-05-14 08:05:12 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-04-09 08:06:24 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-05-14 08:05:13 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-04-09 08:06:22 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-05-14 08:05:12 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-04-09 08:06:21 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-05-14 08:05:12 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-03-25 04:50:25 554,008 ------w C:\WINDOWS\SYSTEM32\dllcache\dao360.dll
+ 2008-03-25 04:50:28 518,944 ------w C:\WINDOWS\SYSTEM32\dllcache\msexch40.dll
+ 2008-03-25 04:50:30 326,432 ------w C:\WINDOWS\SYSTEM32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:34 1,516,568 ------w C:\WINDOWS\SYSTEM32\dllcache\msjet40.dll
+ 2008-03-25 04:50:40 355,112 ------w C:\WINDOWS\SYSTEM32\dllcache\msjetol1.dll
+ 2008-03-27 08:12:54 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
+ 2008-03-25 04:50:42 60,192 ------w C:\WINDOWS\SYSTEM32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 248,608 ------w C:\WINDOWS\SYSTEM32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:44 219,936 ------w C:\WINDOWS\SYSTEM32\dllcache\msltus40.dll
+ 2008-03-25 04:50:45 355,104 ------w C:\WINDOWS\SYSTEM32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:47 432,928 ------w C:\WINDOWS\SYSTEM32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:49 322,336 ------w C:\WINDOWS\SYSTEM32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:52 559,904 ------w C:\WINDOWS\SYSTEM32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:55 264,992 ------w C:\WINDOWS\SYSTEM32\dllcache\mstext40.dll
+ 2008-03-25 04:50:57 838,432 ------w C:\WINDOWS\SYSTEM32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:58 621,344 ------w C:\WINDOWS\SYSTEM32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 355,104 ------w C:\WINDOWS\SYSTEM32\dllcache\msxbde40.dll
- 2005-11-10 17:27:06 49,248 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-03-25 06:28:39 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2005-11-10 17:27:16 49,250 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-03-25 06:28:43 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
- 2005-11-10 19:03:54 127,078 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2008-03-25 07:37:01 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
- 2004-08-04 06:56:44 512,029 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\SYSTEM32\msexch40.dll
- 2004-08-04 06:56:44 319,517 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\SYSTEM32\msexcl40.dll
- 2004-08-04 06:56:44 1,507,356 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\SYSTEM32\msjet40.dll
- 2004-07-17 17:34:48 358,976 ------w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ------w C:\WINDOWS\SYSTEM32\msjetoledb40.dll
- 2004-08-04 06:56:44 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
- 2004-08-04 06:56:44 53,279 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\SYSTEM32\msjter40.dll
- 2004-08-04 06:56:44 241,693 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\SYSTEM32\msjtes40.dll
- 2004-08-04 06:56:44 213,023 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\SYSTEM32\msltus40.dll
- 2004-08-04 06:56:44 348,189 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\SYSTEM32\mspbde40.dll
- 2004-08-04 06:56:44 421,919 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\SYSTEM32\msrd2x40.dll
- 2004-08-04 06:56:44 315,423 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\SYSTEM32\msrd3x40.dll
- 2004-08-04 06:56:44 552,989 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\SYSTEM32\msrepl40.dll
- 2004-08-04 06:56:44 258,077 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\SYSTEM32\mstext40.dll
- 2004-08-04 06:56:46 831,519 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\SYSTEM32\mswdat10.dll
- 2004-08-04 06:56:46 614,429 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\SYSTEM32\mswstr10.dll
- 2004-08-04 06:56:46 348,189 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\SYSTEM32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 15:52:06 36864]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 15:52:06 36864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
--a------ 2005-02-10 22:32 473920 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--------- 2001-08-07 18:36 90112 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 03:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-12-14 11:07 176128 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--------- 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--------- 2001-08-07 19:25 143360 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2005-03-29 17:39 192555 C:\Program Files\IncrediMail\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 C:\WINDOWS\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-11-07 16:41 8192 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-05-19 19:38 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 10:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSystemProtect]
C:\Program Files\Acceleration Software\StopSignProducts\SystemProtect\stopsignprotect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
--a------ 2004-09-17 04:45 118784 C:\Program Files\MySoftware\MyInvoices\tracker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 09:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\juno\\bin\\juno.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 11:06:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\drivers\KodakCCS.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\SYSTEM32\fxssvc.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-05-14 11:15:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 16:15:00
ComboFix2.txt 2008-05-13 17:03:56

Pre-Run: 28,234,518,528 bytes free
Post-Run: 28,217,802,752 bytes free

325 --- E O F --- 2008-05-14 08:05:16
  • 0

#8
melint
Posted 14 May 2008 - 10:19 AM

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
here is the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:58 AM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\fxssvc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.yahoo.c...4u?page=gn_card
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Vegas Villa Online Casino - {AFCA8905-936B-4aeb-A99C-6B35F596B7A3} - C:\Program Files\vegasvilla\casinogame.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137619853437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142183594984
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/DLHelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: bw+0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {ACAA0787-B950-4418-8582-D052FA5FC45D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 20808 bytes
  • 0

#9
melint
Posted 14 May 2008 - 10:35 AM

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
mbam log

Malwarebytes' Anti-Malware 1.12
Database version: 748

Scan type: Quick Scan
Objects scanned: 40385
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ysb.ysbobj (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ysb.ysbobj.1 (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbtinstie.hbinstobj (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbtinstie.hbinstobj.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mirar_dummy_ats.mirar_dummy_ats1 (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mirar_dummy_ats.mirar_dummy_ats1.1 (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8a0dcbdb-6e20-489c-9041-c1e8a0352e75} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Antispyware (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner\Register PC-Cleaner.lnk (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner\Start PC-Cleaner.lnk (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Cleaner\Uninstall PC-Cleaner.lnk (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Antispyware\PC-Antispyware Uninstall.lnk (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PC-Antispyware\PC-Antispyware.lnk (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\ken\Desktop\PC-Cleaner.lnk (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
  • 0

#10
melint
Posted 14 May 2008 - 10:56 AM

melint

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 166 posts
i am having trouble using kaspersky online scanner....i go to the site and click the free online scan button, but the new window that opens up doesn't have any accept button i am running explorer 7 ....please advise
  • 0

#11
Mike
Posted 15 May 2008 - 12:49 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi melint,

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):
Please note that the entry in red is optional. If you did not install People PC willingly, please fix this along with the other entries.
The entry in green is a program that looks suspicious, you may remove the Hijack This line anyways as the file it points to no longer exsists, but if you had not installed Vegas Villa please remove the items listed in green.

O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm429YYUS
O9 - Extra button: Vegas Villa Online Casino - {AFCA8905-936B-4aeb-A99C-6B35F596B7A3} - C:\Program Files\vegasvilla\casinogame.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...p1.0.0.15-3.cab
O24 - Desktop Component 0: (no name) - (no file)

Now please close all open windows except HJT and press "Fix checked".

Go to start > control panel > Add or Remove Programs and Uninstall if present:

People PC
FunWeb Products
MyWebSearch
VegasVilla

And delete this folder : C:\Program Files\vegasvilla

I would also like an uninstall list, so if you could please

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Since you couldn't run Kaspersky please try running F-Secure Online Scanner.
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient



In your next reply:

Please post me the uninstall list and the F-Secure log along with a new hijackthis log.
Also tell me how your computer is running, if you are experiencing any problems please describe what they are for me.
  • 0

#12
Mike
Posted 25 May 2008 - 03:04 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP