
Bagle infection - please help! [RESOLVED]



#1 teacup (Member, 17 posts)
Started getting a lot of blue screens this weekend, and finding my antivirus had been killed, I finally managed to get the Kaspersky online scan to tell me I had a Bagle infection before it froze up.

After reading some of the other threads on Bagle infections, and going through the initial process in the FAQ (ATF Cleaner worked fine, MBAM found nothing before freezing while searching 'extra areas and heuristics', and I couldn't get SuperAntiSpyware or the Panda scan to run), I've managed (just!) to get DSS to run and give me a log file. dss.exe was renamed to wert.exe in one of my attempts to get it to run.

Any help would be very much appreciated!

David


Deckard's System Scanner v20071014.68
Run by Teacup on 2008-05-27 21:40:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Teacup.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:58, on 27/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\WTablet\TabUserW.exe
C:\Windows\system32\werfault.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Backup\Desktop\wert.exe
C:\Users\Backup\Desktop\Teacup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [MyScreenCam] C:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://fasthelp.dns....oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe

--
End of file - 13241 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-27 19:42:55 0 d-------- C:\Users\All Users\WindowsSearch
2008-05-27 18:57:55 0 d-------- C:\Program Files\Trend Micro
2008-05-27 18:56:32 0 d-------- C:\fsaua.data
2008-05-27 18:01:11 0 d-------- C:\Users\All Users\Malwarebytes
2008-05-27 18:01:11 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 01:55:06 0 d-------- C:\kav
2008-05-27 01:31:59 0 --a------ C:\xx16
2008-05-27 01:31:59 0 --a------ C:\xx15
2008-05-27 01:31:59 0 --a------ C:\xx14
2008-05-27 01:31:59 0 --a------ C:\xx13
2008-05-27 01:31:59 0 --a------ C:\xx12
2008-05-27 01:30:38 0 --a------ C:\xx9
2008-05-27 01:30:38 0 --a------ C:\xx8
2008-05-27 01:30:38 0 --a------ C:\xx7
2008-05-27 01:30:38 0 --a------ C:\xx11
2008-05-27 01:30:38 0 --a------ C:\xx10
2008-05-27 01:27:58 0 --a------ C:\xx6
2008-05-27 01:27:58 0 --a------ C:\xx5
2008-05-27 01:27:58 0 --a------ C:\xx4
2008-05-27 01:27:58 0 --a------ C:\xx3
2008-05-27 01:27:58 0 --a------ C:\xx2
2008-05-27 01:21:59 0 d-------- C:\Users\Backup_2\.housecall6.6
2008-05-27 01:11:54 0 d-------- C:\Users\Teacup\.housecall6.6
2008-05-27 00:50:53 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-05-27 00:50:51 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-26 01:07:12 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 01:07:04 0 d-------- C:\Program Files\DVDVideoSoft
2008-05-26 00:41:12 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-26 00:41:09 0 d-------- C:\Program Files\Red Kawa
2008-05-25 20:17:04 73216 --a------ C:\Windows\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-05-25 18:24:59 0 d-------- C:\Program Files\Easy Duplicate Finder
2008-05-25 16:20:56 0 d-------- C:\Program Files\Common Files\Acronis
2008-05-22 23:48:45 0 d-------- C:\Users\All Users\Musicnotes
2008-05-18 23:53:22 0 d-------- C:\Program Files\MozyHome
2008-05-17 00:37:22 0 d-------- C:\Program Files\Trials 2 Second Edition
2008-05-11 11:55:22 302 --a------ C:\Windows\system32\gmsblist.dll
2008-05-11 11:54:42 111104 --a------ C:\Windows\system32\midas.dll <Not Verified; Inprise Corporation; Midas support DLL>
2008-05-11 11:54:41 0 d-------- C:\gsak
2008-05-08 18:43:10 0 d-------- C:\logs3
2008-05-07 00:32:39 0 d-------- C:\Program Files\GeoSetter
2008-05-02 18:05:00 0 d-------- C:\Program Files\Flock
2008-04-29 21:13:59 0 d-------- C:\Users\All Users\TrackMania United
2008-04-29 20:27:13 0 d-------- C:\Users\All Users\TrackMania


-- Find3M Report ---------------------------------------------------------------

2008-05-27 20:51:57 12 --a------ C:\Windows\bthservsdp.dat
2008-05-27 20:36:40 0 d-------- C:\Users\Teacup\AppData\Roaming\WTablet
2008-05-27 18:01:18 0 d-------- C:\Users\Teacup\AppData\Roaming\Malwarebytes
2008-05-27 18:00:54 0 d-------- C:\Users\Teacup\AppData\Roaming\Download Manager
2008-05-26 23:34:06 0 d-------- C:\Users\Teacup\AppData\Roaming\JDiskReport
2008-05-26 19:35:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-26 17:44:05 0 d-------- C:\Users\Teacup\AppData\Roaming\Acronis
2008-05-26 01:07:12 0 d-------- C:\Program Files\Common Files
2008-05-25 20:07:53 0 d--h----- C:\Users\Teacup\AppData\Roaming\m
2008-05-25 15:31:29 0 d-------- C:\Users\Teacup\AppData\Roaming\InstallShield Installation Information
2008-05-25 15:28:55 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-25 15:28:16 0 d-------- C:\Program Files\P.H.L.O.P
2008-05-25 15:27:35 0 d-------- C:\Program Files\NFR
2008-05-25 15:27:27 0 d-------- C:\Program Files\MPDemo
2008-05-25 15:23:30 0 d-------- C:\Program Files\eMusic Download Manager
2008-05-25 15:19:33 0 d-------- C:\Program Files\Steam
2008-05-25 15:17:04 0 d-------- C:\Program Files\Azureus
2008-05-23 21:01:21 0 d-------- C:\Program Files\DigiGuide TV Guide
2008-05-21 17:38:04 0 d-------- C:\Program Files\FlashGet
2008-05-21 03:00:22 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-14 00:54:56 0 d-------- C:\Program Files\Windows Mail
2008-05-12 22:05:23 0 d-------- C:\Program Files\Flickr Uploadr
2008-05-10 22:39:14 0 d-------- C:\Users\Teacup\AppData\Roaming\GARMIN
2008-05-08 18:43:29 0 d-------- C:\Program Files\Kontiki
2008-05-07 00:40:45 0 d-------- C:\Users\Teacup\AppData\Roaming\GeoSetter
2008-05-02 18:05:35 0 d-------- C:\Users\Teacup\AppData\Roaming\Flock
2008-05-02 18:05:25 0 d-------- C:\Program Files\Opera
2008-04-24 00:46:03 0 d-------- C:\Users\Teacup\AppData\Roaming\Adobe
2008-04-21 18:45:50 0 d-------- C:\Program Files\Apple Software Update
2008-04-19 23:13:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 23:33:56 0 d-------- C:\Program Files\Memory-Map
2008-04-14 22:49:35 1663 --a------ C:\printersettings
2008-04-13 13:48:33 0 d-------- C:\Program Files\iTunes
2008-04-13 13:48:29 0 d-------- C:\Program Files\iPod
2008-04-13 13:47:07 0 d-------- C:\Program Files\QuickTime
2008-04-09 00:46:02 6213632 --a------ C:\Windows\system32\microdem.exe <Not Verified; PETMAR Trilobite Breeding Ranch; >
2008-03-29 17:18:15 0 d-------- C:\Program Files\Google
2008-03-29 14:32:58 0 d-------- C:\Users\Teacup\AppData\Roaming\Pantone
2008-03-29 14:19:19 0 d-------- C:\Program Files\Pantone
2008-03-24 01:53:42 7 --a------ C:\Windows\INI2=No
2008-03-24 01:53:42 7 --a------ C:\Windows\INI1=No
2008-03-24 00:17:03 174 --ahs---- C:\Program Files\desktop.ini
2008-03-23 17:14:08 37888 --a------ C:\Windows\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [30/10/2006 20:44]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 13:00]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [28/05/2007 10:14]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [26/09/2007 18:05]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [17/05/2007 15:45]
"VX6000"="C:\Windows\vVX6000.exe" [10/04/2007 15:46]
"MyScreenCam"="C:\Program Files\My Screen Cam\scrcam.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 08:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [04/12/2007 03:07]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [27/02/2008 17:56]
"RtHDVCpl"="RtHDVCpl.exe" [23/03/2007 19:04 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [18/12/2007 20:55]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [18/12/2007 20:55]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [18/12/2007 20:55]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"EntaTool"="C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" [20/07/2007 23:06]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [16/10/2006 21:12]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [16/10/2006 21:17]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [16/10/2006 21:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]
"Realtime Monitor"="C:\Program Files\CA\eTrust Antivirus\realmon.exe" [27/05/2008 21:35]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [23/07/2007 10:33]
"@"="" []
"kdx"="C:\Program Files\Kontiki\KHost.exe" [27/02/2008 17:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 08:33]

C:\Users\Teacup\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - C:\Program Files\DigiGuide TV Guide\Client.exe [9/8/2007 4:06:38 PM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 5:45:42 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
hueyTray.lnk - C:\Program Files\Pantone\huey\hueyTray.exe [3/29/2008 2:19:26 PM]
MozyHome Status.lnk - C:\Program Files\MozyHome\mozystat.exe [5/18/2008 11:53:23 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}]
AutoRun\command- L:\CaptureNXSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - SROSA

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-27 21:41:25 ------------


Edited by teacup, 27 May 2008 - 02:59 PM.
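As an added example (my own code, not a tool from this thread or from DSS, HijackThis or ComboFix), here is a Python triage script for HijackThis-style lines like those in the log above: it flags BHOs registered with no DLL on disk, autostarts that run from a user profile or by bare filename, services whose binary is missing or has no vendor name, and the registry dump's EnableLUA=0, which means UAC was switched off on this machine. The sample lines are constructed in the log's format, and the flags are things to check, not verdicts.

```python
"""Triage helper for HijackThis-style log lines.

Heuristic only: a flagged line is something to look at, not a verdict.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the same format as the DSS/HijackThis log above.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s",
    r"O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)",
    r"O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe",
    r'"EnableLUA"=0 (0x0)',
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
LUA_RE = re.compile(r'^"EnableLUA"=(?P<val>\d+)')
# A program path or bare program name, quoted or not, ending in a runnable extension.
EXE_RE = re.compile(r'(?P<exe>[^"\s][^"]*?\.(?:exe|dll|scr|com|bat|cmd))\b', re.I)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\", re.I)
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|%)")  # drive letter or %ENV% prefix


def executable_of(command: str) -> Optional[str]:
    """Program that an O4 autostart command launches, or None if none is found."""
    found = [m.group("exe") for m in EXE_RE.finditer(command)]
    if not found:
        return None
    # For rundll32 lines the module of interest is the DLL argument, not rundll32.
    if found[0].lower().endswith("rundll32.exe") and len(found) > 1:
        return found[1]
    return found[0]


def is_user_profile_path(path: str) -> bool:
    return bool(USER_PROFILE_RE.match(path))


def triage_line(line: str) -> List[str]:
    """Reasons (possibly none) why a reviewer should look at this line."""
    reasons: List[str] = []
    if m := O2_RE.match(line):
        if m.group("path").strip().lower() == "(no file)":
            reasons.append("orphaned BHO: CLSID registered but no DLL on disk")
    elif m := O4_RE.match(line):
        exe = executable_of(m.group("cmd"))
        if exe is None:
            reasons.append("autostart with no recognisable program")
        elif is_user_profile_path(exe):
            reasons.append("autostart runs from a user-profile path")
        elif not ABSOLUTE_RE.match(exe):
            reasons.append("autostart by bare filename, located by search path")
    elif m := O23_RE.match(line):
        path = m.group("path")
        if "(file missing)" in path:
            reasons.append("service points at a binary that no longer exists")
        if m.group("owner").strip() == "Unknown owner" and is_user_profile_path(path):
            reasons.append("service with no vendor name installed from a user profile")
    elif m := LUA_RE.match(line):
        if m.group("val") == "0":
            reasons.append("UAC disabled (EnableLUA=0): admins run unprompted with a full token")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per flagged line: the line itself and its reasons."""
    return [{"line": ln, "reasons": r} for ln in lines if (r := triage_line(ln))]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```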



#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Don't put the logs in quotes


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots not reproduced]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.


#3 teacup (Topic Starter, Member, 17 posts)
Hi, thanks a lot for helping.

I've run ComboFix, and the log is shown below, as well as the HijackThis log. I had to leave Kaspersky running overnight, and Windows decided to restart the system to install updates, so I'm currently running it again.


ComboFix 08-05-27.4 - Teacup 2008-05-27 23:27:36.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2144 [GMT 1:00]
Running from: C:\Users\Teacup\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Users\Teacup\AppData\Roaming\m
C:\Users\Teacup\AppData\Roaming\m\data.oct
C:\Users\Teacup\AppData\Roaming\m\list.oct
C:\Users\Teacup\AppData\Roaming\m\shared
C:\Users\Teacup\AppData\Roaming\m\shared\000-094 - Application Development with IBM WebSphere Integration Developer 6.0.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\131 Ice Cream Maker Recipes 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\3D Topicscape Pro 1.59.zip
C:\Users\Teacup\AppData\Roaming\m\shared\646-057 - Cisco Storage Sales Specialist (CSSS) Practice Test Questions 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Ad Buster 1.1.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Advanced_Grapher_2.11.zip
C:\Users\Teacup\AppData\Roaming\m\shared\AGUTA PAD Submitter 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Amadis AVI DIVX XVID to DVD Creator 1.0.4.zip
C:\Users\Teacup\AppData\Roaming\m\shared\AngeliaSync 1.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Antares_PasSafe_Password_Manager_2.0_(Cracked).zip
C:\Users\Teacup\AppData\Roaming\m\shared\ATSA Chat 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Auto Surround Panner DirectX [Key+Serial].zip
C:\Users\Teacup\AppData\Roaming\m\shared\B&G_Calculator_1.10.zip
C:\Users\Teacup\AppData\Roaming\m\shared\BackupXfer_for_Palm_1.2d1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Bitdefender.Antivirus.Plus.Version.10.Fr.+.Serial.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Blowsearch_Toolbar_2.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Boggle_2.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Cardlabel 1.32.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Churches_1.1_[Key+Serial].zip
C:\Users\Teacup\AppData\Roaming\m\shared\CL_Program_Editor_1.5_build_1091.zip
C:\Users\Teacup\AppData\Roaming\m\shared\CobraSoft Pop Up Stopper 2.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\CyberSky_3.3.zip
C:\Users\Teacup\AppData\Roaming\m\shared\dArt North Pole Screensaver 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\DBDiff Squared 3.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\DigiGenius_Video_to_iPod_Converter_3.6.7.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Document2PDF_Pilot_1.4.2.191.zip
C:\Users\Teacup\AppData\Roaming\m\shared\DVD_Pro_5.0.1_With_Crack.zip
C:\Users\Teacup\AppData\Roaming\m\shared\DzSoft_PHP_Editor_4.1.1.2_Key+Serial.zip
C:\Users\Teacup\AppData\Roaming\m\shared\e-Daily_Assistant_1.0_(Key).zip
C:\Users\Teacup\AppData\Roaming\m\shared\EasyPattern Helper 2.8.zip
C:\Users\Teacup\AppData\Roaming\m\shared\EasyPhotoImager 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Excel_Viewer_OCX_2.1.39_[Cracked].zip
C:\Users\Teacup\AppData\Roaming\m\shared\Excel_XML_Open_&_Import_Software_1.1_[Key+Serial].zip
C:\Users\Teacup\AppData\Roaming\m\shared\Expense Book Plus 2.5.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Fatman_ScreenMate_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\FirmTools_Album_Creator_Basic_3.5.zip
C:\Users\Teacup\AppData\Roaming\m\shared\FolderBox 1.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\FolderMagic_1.0_(Patch).zip
C:\Users\Teacup\AppData\Roaming\m\shared\Font Matching Tool 1.5.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Free_XP_Style_Icons_0.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Gas_Calculator_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Gmail_Explorer_1.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Hearts_of_Iron_1.05_patch_(Asian).zip
C:\Users\Teacup\AppData\Roaming\m\shared\Hot_Rod_American_Street_Drag_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\iStateSoft Property Manager 2.5.zip
C:\Users\Teacup\AppData\Roaming\m\shared\JJ_Reminder_1.20.zip
C:\Users\Teacup\AppData\Roaming\m\shared\John_Gould_Hummingbirds_1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Kauai Hotels Screensaver 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Kernel_SQL_Recovery_7.07.01.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Keygen.Kaspersky.Internet.Security.6.0.0.300.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Ladybug_Jigsaw_Puzzle_130pc.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Legion_Windows_NT_patch.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Linera Uninstall Manager Lite 1.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Lyrics Hunter 2.0 Beta 6.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Magic_Garden_Screensaver_1.0_Key+Serial.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Math_Solver_1.2.11.56_(Serial).zip
C:\Users\Teacup\AppData\Roaming\m\shared\MB_Free_Taurus_Astrology_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Mexico_Postal_Code_Database_(Gold_Edition)_September_2006.zip
C:\Users\Teacup\AppData\Roaming\m\shared\MiniDiary 3.12 (Cracked).zip
C:\Users\Teacup\AppData\Roaming\m\shared\Morning_Glory_1.0.14.zip
C:\Users\Teacup\AppData\Roaming\m\shared\MySwissAlps_Active_Desktop_1024x768_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Nemesis_Player_1.1_Beta.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Net-Regulator Personal 1.1.5.269.zip
C:\Users\Teacup\AppData\Roaming\m\shared\NirCmd 2.1.0.182.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Nod32.2.7.español.+.fix.2.1.+.nodlogin.(por.Aguja).updated-fixed.Release.11-2006.zip
C:\Users\Teacup\AppData\Roaming\m\shared\NTFSDOS Professional 4.01.zip
C:\Users\Teacup\AppData\Roaming\m\shared\NTP Digital Clock 1.0.001.zip
C:\Users\Teacup\AppData\Roaming\m\shared\ObjectMapper_.NET_1.80.1811.0_[Serial].zip
C:\Users\Teacup\AppData\Roaming\m\shared\Oh Christmas Tree Demo Screensaver 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\One_Click_Turkish_Dictionary_0.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\OrangeCD Player 6.2.3.12503.zip
C:\Users\Teacup\AppData\Roaming\m\shared\PAPAROACH Script 1.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Pariah_single-player_demo.zip
C:\Users\Teacup\AppData\Roaming\m\shared\PayPunchWeb_Enterprise_3.2.21_KeyGen.zip
C:\Users\Teacup\AppData\Roaming\m\shared\PC TimeWatch 1.5.0.8.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Personal_Finance_Quizzes_1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Plastic Flash Template 1.0 build 2007.01.11.zip
C:\Users\Teacup\AppData\Roaming\m\shared\PopSurfer 1.1 (With Crack).zip
C:\Users\Teacup\AppData\Roaming\m\shared\PQ DVD to iPhone Video Converter Suite 1.0 Build 01.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Presto!_PhotoAlbum_1.55_[With_Crack].zip
C:\Users\Teacup\AppData\Roaming\m\shared\Proxy Finder Pro 2.20.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Puzzlers_Cave_Crossword_Compiler_1.0.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Quick_Calculator_2.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Radio_Station_Plus_3.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Riffster_Lite_Free_Edition_2318.zip
C:\Users\Teacup\AppData\Roaming\m\shared\RIPStrike_Back_1.6.zip
C:\Users\Teacup\AppData\Roaming\m\shared\River_Past_Audio_Converter_Pro_7.5.zip
C:\Users\Teacup\AppData\Roaming\m\shared\RiyazStudio 1.20.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Scott's Box Shot Maker 4.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\SearchGun_1.3_(Key+Serial).zip
C:\Users\Teacup\AppData\Roaming\m\shared\Smoooth_Deep_Breathing_Assistant_3.1.1_Key+Serial.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Snaptune_One_1.0.61025.2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Soft191 Process Viewer 1.00.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Sothink_Flash_Player_1.0_build_70604.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Speak-to-Mail_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\SS_System_Cleaner_2.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\SSH_Explorer_1.7_(With_Crack).zip
C:\Users\Teacup\AppData\Roaming\m\shared\Student_Organizer_5.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Studiomatics_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Stupid_Invaders_updated_demo.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Surveillance Scan II 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\SWF Debug Remover 2.0.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\swProp2 1.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\The Howard Stern Widget 1.1.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Tree_MDI_3.65.zip
C:\Users\Teacup\AppData\Roaming\m\shared\TuFtp_1.40.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Twin_Files_(Lite)_1.3.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Unreal_Tournament_2003_-_Starfall_deathmatch_map.zip
C:\Users\Teacup\AppData\Roaming\m\shared\vCAP Calendar Server 1.9.0 beta.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Visual_Basic_for_Kids_2.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Visually_Safe_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Wavosaur_1.0.0.9000.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Web_Sweeper_2.0_(With_Crack).zip
C:\Users\Teacup\AppData\Roaming\m\shared\webcamXP_PRO_TRIAL_2007_4.00.500_Beta.zip
C:\Users\Teacup\AppData\Roaming\m\shared\WebM8 U3 1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Weight Converter 1.0.0.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\Whizlabs_OCP_9i_(1Z0-033)_Kit_6.0.1_[Crack].zip
C:\Users\Teacup\AppData\Roaming\m\shared\Winscore_2007_Rev_3.zip
C:\Users\Teacup\AppData\Roaming\m\shared\WizzTones_2.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\X10Net_1.0_Build_22.12.zip
C:\Users\Teacup\AppData\Roaming\m\shared\XPSecurity 2005c.zip
C:\Users\Teacup\AppData\Roaming\m\shared\XSizer_1.3.zip
C:\Users\Teacup\AppData\Roaming\m\shared\ZiNE_Secure_Archiving_Lite_1.0.zip
C:\Users\Teacup\AppData\Roaming\m\shared\ZPaint 1.4.zip
C:\Users\Teacup\AppData\Roaming\m\srvlist.oct
C:\Windows\system32\ban_list.txt
C:\Windows\system32\drivers\downld
C:\Windows\system32\drivers\downld\1263108.exe
C:\Windows\system32\drivers\downld\1269255.exe
C:\Windows\system32\drivers\downld\1324900.exe
C:\Windows\system32\drivers\downld\1473289.exe
C:\Windows\system32\drivers\downld\1477969.exe
C:\Windows\system32\drivers\downld\14893290.exe
C:\Windows\system32\drivers\downld\14897315.exe
C:\Windows\system32\drivers\downld\14928858.exe
C:\Windows\system32\drivers\downld\14992054.exe
C:\Windows\system32\drivers\downld\15004410.exe
C:\Windows\system32\drivers\downld\15014425.exe
C:\Windows\system32\drivers\downld\15122175.exe
C:\Windows\system32\drivers\downld\15154919.exe
C:\Windows\system32\drivers\downld\15161362.exe
C:\Windows\system32\drivers\downld\15405863.exe
C:\Windows\system32\drivers\downld\15416050.exe
C:\Windows\system32\drivers\downld\15417532.exe
C:\Windows\system32\drivers\downld\15421681.exe
C:\Windows\system32\drivers\downld\266465.exe
C:\Windows\system32\drivers\downld\29430259.exe
C:\Windows\system32\drivers\downld\29435797.exe
C:\Windows\system32\drivers\downld\29456654.exe
C:\Windows\system32\drivers\downld\29462036.exe
C:\Windows\system32\drivers\downld\295216.exe
C:\Windows\system32\drivers\downld\29613310.exe
C:\Windows\system32\drivers\downld\29641578.exe
C:\Windows\system32\drivers\downld\29648333.exe
C:\Windows\system32\drivers\downld\321206.exe
C:\Windows\system32\drivers\downld\339005.exe
C:\Windows\system32\drivers\downld\371157.exe
C:\Windows\system32\drivers\downld\371485.exe
C:\Windows\system32\drivers\downld\384199.exe
C:\Windows\system32\drivers\downld\391921.exe
C:\Windows\system32\drivers\downld\392248.exe
C:\Windows\system32\drivers\downld\396648.exe
C:\Windows\system32\drivers\downld\399752.exe
C:\Windows\system32\drivers\downld\401000.exe
C:\Windows\system32\drivers\downld\404432.exe
C:\Windows\system32\drivers\downld\44054853.exe
C:\Windows\system32\drivers\downld\44057661.exe
C:\Windows\system32\drivers\downld\44084088.exe
C:\Windows\system32\drivers\downld\44092465.exe
C:\Windows\system32\drivers\downld\44316826.exe
C:\Windows\system32\drivers\downld\44330726.exe
C:\Windows\system32\drivers\downld\44338198.exe
C:\Windows\system32\drivers\downld\464290.exe
C:\Windows\system32\drivers\downld\467706.exe
C:\Windows\system32\drivers\downld\468845.exe
C:\Windows\system32\drivers\downld\475678.exe
C:\Windows\system32\drivers\downld\476473.exe
C:\Windows\system32\drivers\downld\477675.exe
C:\Windows\system32\drivers\downld\481263.exe
C:\Windows\system32\drivers\downld\485038.exe
C:\Windows\system32\drivers\downld\557516.exe
C:\Windows\system32\drivers\downld\567032.exe
C:\Windows\system32\drivers\downld\571525.exe
C:\Windows\system32\drivers\downld\58805232.exe
C:\Windows\system32\drivers\downld\58809849.exe
C:\Windows\system32\drivers\downld\58867211.exe
C:\Windows\system32\drivers\downld\58877647.exe
C:\Windows\system32\drivers\downld\58885728.exe
C:\Windows\system32\drivers\downld\610556.exe
C:\Windows\system32\drivers\downld\6629122.exe
C:\Windows\system32\drivers\downld\6630058.exe
C:\Windows\system32\drivers\downld\6631914.exe
C:\Windows\system32\drivers\downld\6637577.exe
C:\Windows\system32\drivers\downld\665937.exe
C:\Windows\system32\drivers\downld\678339.exe
C:\Windows\system32\drivers\downld\680507.exe
C:\Windows\system32\drivers\downld\685327.exe
C:\Windows\system32\drivers\downld\73292420.exe
C:\Windows\system32\drivers\downld\73389983.exe
C:\Windows\system32\drivers\downld\73441526.exe
C:\Windows\system32\drivers\downld\73457142.exe
C:\Windows\system32\drivers\downld\73461463.exe
C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\drivers\mdelk.exe
C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\mdelk.exe
C:\Windows\system32\wintems.exe

----- BITS: Possible infected sites -----

hxxp://tabularasa.patcher.ncsoft.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 19:42 . 2008-05-27 19:42 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-05-27 19:42 . 2008-05-27 19:42 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-05-27 19:01 . 2008-05-27 19:01 <DIR> d-------- C:\Deckard
2008-05-27 18:57 . 2008-05-27 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- C:\fsaua.data
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\Users\Teacup\AppData\Roaming\Malwarebytes
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 18:01 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-27 18:01 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-27 18:00 . 2008-05-27 18:00 <DIR> d-------- C:\Users\Teacup\AppData\Roaming\Download Manager
2008-05-27 01:55 . 2008-05-27 01:55 <DIR> d-------- C:\kav
2008-05-27 01:47 . 2008-05-27 01:47 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-05-27 01:31 . 2008-05-27 01:31 0 --a------ C:\xx16
2008-05-27 01:31 . 2008-05-27 01:31 0 --a------ C:\xx15
2008-05-27 01:31 . 2008-05-27 01:31 0 --a------ C:\xx14
2008-05-27 01:31 . 2008-05-27 01:31 0 --a------ C:\xx13
2008-05-27 01:31 . 2008-05-27 01:31 0 --a------ C:\xx12
2008-05-27 01:30 . 2008-05-27 01:30 0 --a------ C:\xx9
2008-05-27 01:30 . 2008-05-27 01:30 0 --a------ C:\xx8
2008-05-27 01:30 . 2008-05-27 01:30 0 --a------ C:\xx7
2008-05-27 01:30 . 2008-05-27 01:30 0 --a------ C:\xx11
2008-05-27 01:30 . 2008-05-27 01:30 0 --a------ C:\xx10
2008-05-27 01:27 . 2008-05-27 20:06 <DIR> d-------- C:\Windows\System32\config\systemprofile\.housecall6.6
2008-05-27 01:27 . 2008-05-27 01:27 0 --a------ C:\xx6
2008-05-27 01:27 . 2008-05-27 01:27 0 --a------ C:\xx5
2008-05-27 01:27 . 2008-05-27 01:27 0 --a------ C:\xx4
2008-05-27 01:27 . 2008-05-27 01:27 0 --a------ C:\xx3
2008-05-27 01:27 . 2008-05-27 01:27 0 --a------ C:\xx2
2008-05-27 01:21 . 2008-05-27 01:23 <DIR> d-------- C:\Users\Backup_2\.housecall6.6
2008-05-27 01:17 . 2008-05-27 01:17 <DIR> d-------- C:\Users\Backup_2\AppData\Roaming\Pantone
2008-05-27 01:11 . 2008-05-27 01:13 <DIR> d-------- C:\Users\Teacup\.housecall6.6
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-05-26 17:44 . 2008-05-26 17:44 <DIR> d-------- C:\Users\Teacup\AppData\Roaming\Acronis
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-25 21:25 . 2008-05-27 21:38 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-25 21:25 . 2008-05-25 21:25 1,409 --a------ C:\Windows\QTFont.for
2008-05-25 20:17 . 2008-05-25 20:17 249,856 --------- C:\Windows\Setup1.exe
2008-05-25 20:17 . 2008-05-25 20:17 73,216 --a------ C:\Windows\ST6UNST.EXE
2008-05-25 18:24 . 2008-05-25 18:25 <DIR> d-------- C:\Program Files\Easy Duplicate Finder
2008-05-25 16:20 . 2008-05-25 18:06 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-05-22 23:48 . 2008-05-22 23:48 <DIR> d-------- C:\Users\All Users\Musicnotes
2008-05-22 23:48 . 2008-05-22 23:48 <DIR> d-------- C:\ProgramData\Musicnotes
2008-05-22 23:47 . 2007-04-23 13:12 343,216 --a------ C:\Windows\System32\KeyHelp.ocx
2008-05-18 23:53 . 2008-05-18 23:53 <DIR> d-------- C:\Program Files\MozyHome
2008-05-18 23:53 . 2008-05-15 20:08 53,752 --a------ C:\Windows\System32\drivers\mozy.sys
2008-05-18 23:53 . 2008-05-26 22:01 6,466 --a------ C:\Windows\mozy.blk
2008-05-18 23:53 . 2008-05-26 22:01 68 --a------ C:\Windows\mozy.flt
2008-05-17 00:37 . 2008-05-17 00:37 <DIR> d-------- C:\Program Files\Trials 2 Second Edition
2008-05-17 00:37 . 2007-10-12 15:14 3,734,536 --a------ C:\Windows\System32\d3dx9_36.dll
2008-05-11 11:55 . 2007-02-16 11:55 302 --a------ C:\Windows\System32\gmsblist.dll
2008-05-11 11:54 . 2008-05-11 18:30 <DIR> d-------- C:\gsak
2008-05-11 11:54 . 2000-01-24 06:01 111,104 --a------ C:\Windows\System32\midas.dll
2008-05-11 11:54 . 2005-11-22 22:20 7,348 --a------ C:\Windows\SDENSX.UDF
2008-05-10 22:39 . 2008-05-10 22:39 <DIR> d-------- C:\Users\Teacup\AppData\Roaming\GARMIN
2008-05-08 18:43 . 2008-05-08 18:43 <DIR> d-------- C:\logs3
2008-05-07 00:32 . 2008-05-07 00:40 <DIR> d-------- C:\Users\Teacup\AppData\Roaming\GeoSetter
2008-05-07 00:32 . 2008-05-07 00:32 <DIR> d-------- C:\Program Files\GeoSetter
2008-05-03 01:58 . 2008-05-03 01:58 <DIR> d-------- C:\Users\Backup\AppData\Roaming\FlashGet
2008-05-02 18:05 . 2008-05-02 18:05 <DIR> d-------- C:\Users\Teacup\AppData\Roaming\Flock
2008-05-02 18:05 . 2008-05-25 15:23 <DIR> d-------- C:\Program Files\Flock
2008-04-29 21:13 . 2008-04-29 22:26 <DIR> d-------- C:\Users\All Users\TrackMania United
2008-04-29 21:13 . 2008-04-29 22:26 <DIR> d-------- C:\ProgramData\TrackMania United
2008-04-29 20:27 . 2008-05-03 18:48 <DIR> d-------- C:\Users\All Users\TrackMania
2008-04-29 20:27 . 2008-05-03 18:48 <DIR> d-------- C:\ProgramData\TrackMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 22:34 --------- d-----w C:\ProgramData\Kontiki
2008-05-27 22:33 --------- d-----w C:\Users\Teacup\AppData\Roaming\WTablet
2008-05-27 21:01 --------- d-----w C:\ProgramData\eMule
2008-05-27 20:46 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-05-27 20:37 --------- d-----w C:\Users\Backup\AppData\Roaming\WTablet
2008-05-27 19:31 --------- d-----w C:\Users\Backup_2\AppData\Roaming\WTablet
2008-05-26 22:34 --------- d-----w C:\Users\Teacup\AppData\Roaming\JDiskReport
2008-05-26 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 18:35 --------- d-----w C:\ProgramData\Media Center Programs
2008-05-25 17:07 395,744 ----a-w C:\Windows\system32\drivers\timntr.sys
2008-05-25 17:07 39,264 ----a-w C:\Windows\system32\drivers\tifsfilt.sys
2008-05-25 17:06 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-05-25 14:31 --------- d-----w C:\Users\Teacup\AppData\Roaming\InstallShield Installation Information
2008-05-25 14:28 --------- d-----w C:\Program Files\P.H.L.O.P
2008-05-25 14:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-25 14:27 --------- d-----w C:\Program Files\NFR
2008-05-25 14:27 --------- d-----w C:\Program Files\MPDemo
2008-05-25 14:23 --------- d-----w C:\Program Files\eMusic Download Manager
2008-05-25 14:19 --------- d-----w C:\Program Files\Steam
2008-05-25 14:17 --------- d-----w C:\Program Files\Azureus
2008-05-21 16:38 --------- d-----w C:\Program Files\FlashGet
2008-05-21 02:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-13 23:54 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-13 23:54 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 21:05 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-08 17:43 --------- d-----w C:\Program Files\Kontiki
2008-05-02 17:05 --------- d-----w C:\Program Files\Opera
2008-04-21 17:45 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 22:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 22:33 --------- d-----w C:\Program Files\Memory-Map
2008-04-14 22:15 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-04-14 22:06 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-04-13 12:48 --------- d-----w C:\Program Files\iTunes
2008-04-13 12:48 --------- d-----w C:\Program Files\iPod
2008-04-13 12:47 --------- d-----w C:\Program Files\QuickTime
2008-03-31 19:11 --------- d-----w C:\Users\Backup\AppData\Roaming\Pantone
2008-03-29 16:18 --------- d-----w C:\Program Files\Google
2008-03-29 13:32 --------- d-----w C:\Users\Teacup\AppData\Roaming\Pantone
2008-03-29 13:19 --------- d-----w C:\Program Files\Pantone
2008-03-23 23:17 174 --sha-w C:\Program Files\desktop.ini
2008-01-09 01:02 22,328 ----a-w C:\Users\Teacup\AppData\Roaming\PnkBstrK.sys
2007-11-13 22:56 20 ---h--w C:\Users\All Users\PKP_DLeh.DAT
2007-11-13 22:56 20 ---h--w C:\ProgramData\PKP_DLeh.DAT
2007-09-30 20:21 27,525 ----a-w C:\Users\dbuttre\AppData\Roaming\nvModes.dat
2007-09-23 10:41 0 ---h--w C:\Users\All Users\PKP_DLds.DAT
2007-09-23 10:41 0 ---h--w C:\ProgramData\PKP_DLds.DAT
2007-06-23 16:47 20 ---h--w C:\Users\All Users\PKP_DLbz.DAT
2007-06-23 16:47 20 ---h--w C:\ProgramData\PKP_DLbz.DAT
2007-06-10 17:01 20 ---h--w C:\Users\All Users\PKP_DLec.DAT
2007-06-10 17:01 20 ---h--w C:\ProgramData\PKP_DLec.DAT
2007-11-24 18:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112420071125\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112620071203\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120320071204\index.dat
2007-12-04 17:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120420071205\index.dat
2007-12-06 23:50 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120620071207\index.dat
2007-12-07 14:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120720071208\index.dat
2007-12-09 13:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120920071210\index.dat
2007-12-24 12:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007121720071224\index.dat
2008-01-07 20:12 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007122420071231\index.dat
2008-01-14 20:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080115\index.dat
2008-01-15 18:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011520080116\index.dat
2008-01-16 18:19 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011620080117\index.dat
2008-01-17 18:14 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011720080118\index.dat
2008-01-18 18:29 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011820080119\index.dat
2008-01-19 12:25 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011920080120\index.dat
2008-01-20 22:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012020080121\index.dat
2008-01-28 21:43 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012820080129\index.dat
2008-01-29 17:48 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
2008-01-30 17:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013020080131\index.dat
2008-01-31 17:34 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013120080201\index.dat
2008-02-01 17:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020120080202\index.dat
2008-02-02 12:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020220080203\index.dat
2008-02-03 12:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020320080204\index.dat
2008-02-25 10:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008021820080225\index.dat
2008-02-25 18:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022520080226\index.dat
2008-02-26 10:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022620080227\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"Realtime Monitor"="C:\Program Files\CA\eTrust Antivirus\realmon.exe" [2008-05-27 23:29 504080]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 10:33 5803368]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-30 20:44 36864]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 13:00 174872]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"VX6000"="C:\Windows\vVX6000.exe" [2007-04-10 15:46 996712]
"MyScreenCam"="C:\Program Files\My Screen Cam\scrcam.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 19:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 20:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 20:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 20:55 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"EntaTool"="C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" [2007-07-20 23:06 303104]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12 1164912]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]

C:\Users\Teacup\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - C:\Program Files\DigiGuide TV Guide\Client.exe [9/8/2007 4:06:38 PM 180224]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 5:45:42 AM 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
hueyTray.lnk - C:\Program Files\Pantone\huey\hueyTray.exe [3/29/2008 2:19:26 PM 901120]
MozyHome Status.lnk - C:\Program Files\MozyHome\mozystat.exe [5/18/2008 11:53:23 PM 1914160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"vidc.iv32"= C:\Windows\system32\ir32_32.dll
"vidc.iv31"= C:\Windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1000]
"EnableNotificationsRef"=dword:00000006

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1006]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{18BDF8B2-297B-41ED-B785-4456C4C35F0E}"= UDP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{7F191103-DA52-4A8B-994F-CF3B20D80ED9}"= TCP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{8ED78554-DAF7-4C6A-A489-5A660ED02118}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{9B02CA99-573B-4871-A8C8-A12BF8B1ED6A}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{63B0B5A3-97FD-4933-8888-5EC7A29994C3}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{3C60C82B-AF6A-44CB-8975-8C9D5C1A0493}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{CCB576D5-DBF5-40C6-92A2-537AA5093BCA}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{69477381-72CD-46D4-BEC0-B513DA95BC75}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{54DE8F49-6021-4A93-8616-E8A5FCB76F6E}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{48EE45D7-D6A6-48AF-9E0F-46D4A48BD469}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{7E6E8870-7F18-45CE-8224-3A87D5DD0839}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4785F4DB-55D4-494A-A9D9-E925E5F9097E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FA010D46-165A-4454-BDB2-2D7900DBED48}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BB9C8FB1-4E73-4567-A68A-D3112724C75E}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA7CBF35-A07A-47E0-A9D7-50C20535E862}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{461787F7-1521-4122-B621-1BC60DAA28C8}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{07F74CBF-B916-460D-8BAD-D7416A5BD19D}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{5FE214F2-AC23-4207-86B9-525F0494BEB6}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{3F95654F-1281-489A-B008-2C1322E4FFCC}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{9193A6E3-7CBB-42DC-873D-9ABE4D39CC24}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9841163A-2F93-44BE-82DB-F4B99B5EF1A7}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{5B7A00E7-2B54-451B-B366-5A378F41A311}"= UDP:23486:az
"TCP Query User{8DEFD4B0-634E-4A79-8A5A-0005FFF2CA67}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{4ED61228-C7A0-4357-A2E6-B3E774AB461D}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{1867AF51-F149-4540-B0F6-AF33971442D0}"= Disabled:UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{7360D78F-4FAF-4346-8E47-334F006198F0}"= Disabled:TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{06E6C814-219F-4963-9F3C-AA6D4B7233B4}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= UDP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"UDP Query User{1C5CB88E-34AF-4FC8-B982-6499E1C5E4FD}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= TCP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"TCP Query User{B1A3F406-5339-47F7-A78F-FA812145B7A4}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"UDP Query User{5BE0DE14-55D0-4897-AE8D-21AF7E7EFA03}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"TCP Query User{B81AB4F5-686E-4BB5-B9E5-073F43D01F0F}C:\\ut2003\\system\\ut2003.exe"= UDP:C:\ut2003\system\ut2003.exe:UT2003
"UDP Query User{DE240339-6278-42D1-AF37-AF8F5C428B3A}C:\\ut2003\\system\\ut2003.exe"= TCP:C:\ut2003\system\ut2003.exe:UT2003
"{92046C7E-6146-4F4E-90B0-FFC7C1B7D9EA}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{93FD8633-9D90-4A50-9D4E-1A448F3197E6}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{6B560FD2-6288-4D9D-86BE-FF4964D42598}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{3B03B7E4-23F2-4B26-B38E-535441EBFA2F}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{BEA3D129-6890-4FA7-9E15-FD33D3393768}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{45287821-1A28-445E-8E9C-2CE6B836B2A3}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{8BE4C0CB-59FA-4D70-9969-932C4A0D8BAD}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{8EFBEB31-9C73-4F7C-87D8-6BD4E2702788}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{1928BBA8-81FD-4279-BF3F-212C6D3617CE}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"{4E8311DB-5FD0-4DD2-9D09-E84A693C104F}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"TCP Query User{325BF7F9-9721-49BC-B66D-23B8E2D210BA}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{0DB2E8C9-5D60-4E6F-8626-DCE802447E5C}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{75EC61A2-4ECF-476B-B316-EA0B4BB547F2}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= UDP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"UDP Query User{38E6771D-3F5C-4A86-A1D7-4BDC9F0E792C}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= TCP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"TCP Query User{132E4993-E899-47F9-8EF3-DCD104D6D78F}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{8D708B08-C9B0-43D1-BCBF-8858DBA0D016}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{1D761CD4-4DA7-416F-B17F-58DB06FB6454}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{531ADF73-460D-4668-A1C4-294D6EF1B1B3}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"TCP Query User{3B7688ED-AB6B-42BF-9D32-EF345E512F52}C:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:C:\program files\thq\dawn of war\w40k.exe:W40K
"UDP Query User{0DC3396F-9179-44A8-ABF0-47D556B73ED5}C:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:C:\program files\thq\dawn of war\w40k.exe:W40K
"TCP Query User{3E51C875-37E3-4026-B4B3-272023FA5451}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= UDP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"UDP Query User{C598DB01-F87B-46BC-86CD-B60C90228541}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= TCP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"TCP Query User{6266E821-F617-4C95-886C-B78495226262}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{81C97655-3250-4F94-914F-B56A2601080E}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{8C3442FA-6D2A-4408-B15D-82E03938181B}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{06D9E3D7-F7A3-456E-A69A-1BD3D241427C}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{6F0D7DB8-352D-49A9-BF15-079D552C11EF}C:\\aeriagames\\12sky\\twelvesky.exe"= UDP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"UDP Query User{0D4E321B-AD2F-4B75-A8D5-559D25CDDA29}C:\\aeriagames\\12sky\\twelvesky.exe"= TCP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"TCP Query User{34943C87-20FF-40B7-AAA2-FB25C81F5B73}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"UDP Query User{4F415124-4E46-4832-947C-7595970C364D}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"TCP Query User{E7400F46-DA85-431F-9A76-E296F770D10E}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"UDP Query User{F4859058-E9DC-4CE7-8CE0-ACD64B6D42A7}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"{021A1887-AE38-4F27-8002-4EDAA85D32F4}"= UDP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{F107FA13-EF2E-4B03-9A9A-A3FA40ABD27F}"= TCP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{97BF3F98-879C-4ED0-B6E2-3DA19181E87A}"= UDP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{DBCED2A4-1A49-470C-B63F-00C2754ACB33}"= TCP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{1EC83135-3718-474D-8A58-4D2DC96B1062}"= UDP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A4622FAC-8136-41A5-B57A-24F7D58C77E4}"= TCP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F91A78E6-505F-44F9-9645-E6C186C2A7DA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B304E257-54AA-47D6-92EE-85F78C87BFAC}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{FA7D5919-060F-480E-AD40-75057B806D6E}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{8B8FB35A-DD4F-427C-9AA9-C12AC3D0514D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{BDDAD19D-5E05-4FC4-B372-4B7522035589}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{559CE9BE-22D9-4AE2-969A-F6FDBE64AC71}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{752CD407-5B6B-4863-A1B5-27F19710C13A}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{9E8E19E6-4F55-4616-9C0E-A11C2B6E17AD}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{D9668FE8-8086-4BBB-B985-C9F57F1BC9A2}"= UDP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"{588267D2-93E7-4C78-895D-71F8F5F36ABC}"= TCP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{50C85E55-2007-46B3-A4C5-3EDE00B3D6C7}C:\\program files\\microsoft lifecam\\lifeexp.exe"= UDP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"UDP Query User{872F0BEB-A94B-46FE-A8EE-5109C2A7075E}C:\\program files\\microsoft lifecam\\lifeexp.exe"= TCP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"{D8327333-C35E-416E-93A6-B721770351DE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4DF67023-04D2-45F8-AED9-09EACD2D9608}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{49124406-D4CB-4BD4-A4C1-8358B0080874}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{D29180BD-1320-43B0-8D17-21841F8EF4D4}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{DB0E8B5B-798E-48FF-8F40-0F271FFF0117}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{4F115BED-BB21-46DA-92EF-11EEE06030DB}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E064BF92-C93B-4366-89EC-523B3C363AB0}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{EEC3B38E-7133-43AC-925B-6F2334DFFCB2}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{AA69FF85-8860-46E3-AD09-5B0D1CD32BD2}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B4786107-6B46-4F54-9503-ABE76A0CF4FF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B9876473-803E-4CE4-9605-63D4EA7512F4}Q:\\tmunitedforever\\tmforever.exe"= UDP:Q:\tmunitedforever\tmforever.exe:TmForever
"UDP Query User{FDCA6782-2962-478A-9829-A2A1B5802B30}Q:\\tmunitedforever\\tmforever.exe"= TCP:Q:\tmunitedfore
  • 0

#4
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you attach the ComboFix log, as it is too big?

Wait till the Kaspersky and F-Secure logs are ready though, as it is easier for me if you post all the logs in one go.
  • 0

#5
teacup

    Member

  • Topic Starter
  • Member
  • 17 posts
ComboFix log attached, and the HijackThis log from afterwards.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:51, on 28/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTablet\TabUserW.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Backup\Desktop\woo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [MyScreenCam] C:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://fasthelp.dns....oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe

--
End of file - 13222 bytes

Attached Files


  • 0

#6
teacup

    Member

  • Topic Starter
  • Member
  • 17 posts
Kaspersky log attached, and the F-Secure log below.

Thanks a lot.


Scanning Report
Wednesday, May 28, 2008 18:25:13 - 23:01:07

Computer name: KEARNEY
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\ L:\ N:\ Q:\
Result: 5 malware found
Backdoor.Win32.Robobot.ab (virus)

* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\INSTALL.EXE (Renamed)

Suspicious_F.gen (virus)

* F:\PROGRAM FILES\DVD CLONE FACTORY\PATCH.EXE (Submitted)

Tracking Cookie (spyware)

* System

Trojan-Downloader.Win32.Apropo.u (virus)

* F:\DOCUMENTS AND SETTINGS\LAURA.DAVID\LOCAL SETTINGS\TEMP\AUTOUPDATE0\AUTO_UPDATE_INSTALL.EXE (Renamed & Submitted)

W32/Malware (virus)

* F:\DOWNLOADS\KMD1.EXE (Submitted)

Statistics
Scanned:

* Files: 418541
* System: 5121
* Not scanned: 459

Actions:

* Disinfected: 0
* Renamed: 2
* Deleted: 0
* None: 3
* Submitted: 3

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\HLKTMP
* C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\2268
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\WINDOWS\CSC\V2.0.6\TEMP\EA-{1E1F8841-281D-11DD-BA7D-001A4D40A1FA}
* C:\USERS\TEACUP\APPDATA\LOCAL\MICROSOFT\INPUTPERSONALIZATION\INKSTORE.MDB
* C:\USERS\BACKUP_2\APPDATA\LOCAL\TEMP\HSPERFDATA_BACKUP_2\3032
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\287FA97A2D2491C937D4B2600E724166_2BA9F730-5009-4D5E-B1F8-964A7DCA38D6
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\332A49E19D1849264AC1A88CA4F374A2_2BA9F730-5009-4D5E-B1F8-964A7DCA38D6
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D707FCB568DBB15A8FF8EA2D07015235_2BA9F730-5009-4D5E-B1F8-964A7DCA38D6
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\287FA97A2D2491C937D4B2600E724166_2BA9F730-5009-4D5E-B1F8-964A7DCA38D6
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\332A49E19D1849264AC1A88CA4F374A2_2BA9F730-5009-4D5E-B1F8-964A7DCA38D6
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D707FCB568DBB15A8FF8EA2D07015235_2BA9F730-5009-4D5E-B1F8-964A7DCA38D6
* C:\DECKARD\SYSTEM SCANNER\20080527214025\BACKUP\WINDOWS\TEMP\HSPERFDATA_SYSTEM\2616
* C:\BOOT\BCD
* F:\PAGEFILE.SYS
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\007B213490A94F0A39742F24FF1CA61C_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\013DDE03CC6BE690DFACF11F8F34325F_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\01C17D3D908F714623F1F50F6F2E29ED_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\01C3F3F1F94F1B8E451D7D268E871843_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\0217E1BB6E40441D6053EEB37252D5D8_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\02B2F3DE3868FD06047737CCF9AA52E1_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\03B15B0CFEDBE2A1FD7E62A493C95AA1_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\03B4D610F1916B4C4A49E86BD55C16CD_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\03E4883D27CAFFAE489ED900470DDD42_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\04E1E82BCC303767E7824DE4899680F0_DF53BCA2-E72C-419C-B393-55E5F3E44861
* F:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\072C6610D330EC19C02E54FD89AA742C_DF53BCA2-E72C-419C-B393-55E5F3E44861

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-05-28
* F-Secure AVP: 7.0.171, 2008-05-28
* F-Secure Pegasus: 1.20.0, 2008-04-15

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


Attached Files

  • Attached File  kap.txt   314.56KB   190 downloads

Edited by teacup, 29 May 2008 - 01:18 AM.

  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Lot of malware to remove


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\xx16
C:\xx15
C:\xx14
C:\xx13
C:\xx12
C:\xx9
C:\xx8
C:\xx7
C:\xx11
C:\xx10
C:\xx6
C:\xx5
C:\xx4
C:\xx3
C:\xx2
C:\Program Files\CA\eTrust Antivirus\realmon.exe
F:\Documents and Settings\All Users.WINDOWS\Documents\INSTALL.0XE
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\pop_eu.exe
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\THI1FD0.tmp
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\update_12.exe
F:\Documents and Settings\teacup\Desktop\fgf160.exe
F:\Downloads\cnbar.exe
F:\Downloads\CNET-audiogalaxy0605.exe
F:\Downloads\proxyi.exe
F:\Downloads\sysreset253(1).exe
F:\Program Files\FlashGet\BACKUP\cd_install277.exe
F:\Program Files\Sysreset\mirc.exe
F:\WINDOWS\system32\qvdrljyeu.exe
F:\WINDOWS\Temp\install_msgskinner.exe
L:\CaptureNXSetup.exe
H:\LaunchU3.exe

Folder::
C:\Program Files\Common Files\BOONTY Shared
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\AutoUpdate0

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"=-

Driver::
Boonty Games
Kwari.xLoader

SysRst::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log
  • 0

#8
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks, but I'm getting a Blue Screen of Death, with the error that "a process or service crucial to operation has been unexpectedly terminated or shut down". ComboFix gives the disclaimer, backs up the registry, then displays 'scanning for infected files' for a couple of seconds before the BSOD. The system then reboots, and there is no log at c:\combofix.txt.

Any ideas?

Edited by teacup, 29 May 2008 - 11:50 AM.

  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you do it in Safe Mode?

Tell me how that goes
  • 0

#10
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Just gave that a try, and got the exact same thing.
  • 0


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
C:\xx16
C:\xx15
C:\xx14
C:\xx13
C:\xx12
C:\xx9
C:\xx8
C:\xx7
C:\xx11
C:\xx10
C:\xx6
C:\xx5
C:\xx4
C:\xx3
C:\xx2
C:\Program Files\CA\eTrust Antivirus\realmon.exe
F:\Documents and Settings\All Users.WINDOWS\Documents\INSTALL.0XE
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\pop_eu.exe
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\THI1FD0.tmp
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\update_12.exe
F:\Documents and Settings\teacup\Desktop\fgf160.exe
F:\Downloads\cnbar.exe
F:\Downloads\CNET-audiogalaxy0605.exe
F:\Downloads\proxyi.exe
F:\Downloads\sysreset253(1).exe
F:\Program Files\FlashGet\BACKUP\cd_install277.exe
F:\Program Files\Sysreset\mirc.exe
F:\WINDOWS\system32\qvdrljyeu.exe
F:\WINDOWS\Temp\install_msgskinner.exe

Folders to delete:
C:\Program Files\Common Files\BOONTY Shared
F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\AutoUpdate0

Registry keys to delete:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}

Registry values to delete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Realtime Monitor


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#12
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Cool, that got somewhere but I got quite a few errors too.

Before avenger restarted the system I got errors for the registry keys, these came up in the log too.
After restarting I got a lot of error boxes up with a title of 'Windows - no disk' and a message containing a load of hex addresses. They only had an OK button, so I just clicked through them all and the avenger.txt log came up.

I noticed in the log that it couldn't delete one of the files because it was actually a folder, so I altered the script to just delete that folder and ran it again which did the trick. I also got the same 'Windows - no disk' errors up, but the log file shows that the folder was deleted.

On doing a normal restart I'm getting a Windows 'Open With...' dialog coming up for "realmon.exe -s". I guess this is the service for my antivirus still trying to start it up even though it's been deleted?

Anyway, the logs are below, and it's time for sleep :)

Ta


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Fri May 30 01:46:42 2008

01:45:28: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
01:45:36: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
01:46:17: Error: Invalid registry syntax in command:
"Registry values to delete"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
01:46:37: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Realtime Monitor"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\xx16" deleted successfully.
File "C:\xx15" deleted successfully.
File "C:\xx14" deleted successfully.
File "C:\xx13" deleted successfully.
File "C:\xx12" deleted successfully.
File "C:\xx9" deleted successfully.
File "C:\xx8" deleted successfully.
File "C:\xx7" deleted successfully.
File "C:\xx11" deleted successfully.
File "C:\xx10" deleted successfully.
File "C:\xx6" deleted successfully.
File "C:\xx5" deleted successfully.
File "C:\xx4" deleted successfully.
File "C:\xx3" deleted successfully.
File "C:\xx2" deleted successfully.
File "C:\Program Files\CA\eTrust Antivirus\realmon.exe" deleted successfully.
File "F:\Documents and Settings\All Users.WINDOWS\Documents\INSTALL.0XE" deleted successfully.
File "F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\pop_eu.exe" deleted successfully.

Error: "F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\THI1FD0.tmp" is a folder, not a file!
Deletion of file "F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\THI1FD0.tmp" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\update_12.exe" deleted successfully.
File "F:\Documents and Settings\teacup\Desktop\fgf160.exe" deleted successfully.
File "F:\Downloads\cnbar.exe" deleted successfully.
File "F:\Downloads\CNET-audiogalaxy0605.exe" deleted successfully.
File "F:\Downloads\proxyi.exe" deleted successfully.
File "F:\Downloads\sysreset253(1).exe" deleted successfully.
File "F:\Program Files\FlashGet\BACKUP\cd_install277.exe" deleted successfully.
File "F:\Program Files\Sysreset\mirc.exe" deleted successfully.
File "F:\WINDOWS\system32\qvdrljyeu.exe" deleted successfully.
File "F:\WINDOWS\Temp\install_msgskinner.exe" deleted successfully.
Folder "C:\Program Files\Common Files\BOONTY Shared" deleted successfully.
Folder "F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\AutoUpdate0" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.







Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "F:\Documents and Settings\Laura.DAVID\Local Settings\Temp\THI1FD0.tmp" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.











Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:24:15, on 30/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\TabUserW.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Teacup\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [MyScreenCam] C:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://fasthelp.dns....oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe

--
End of file - 13318 bytes
  • 0
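The 'Open With...' dialog teacup describes is what an orphaned autorun entry looks like from the desktop: the HijackThis log above still carries `O4 - HKCU\..\Run: [Realtime Monitor] ... realmon.exe -s` although Avenger deleted realmon.exe, and two O23 services already show "(file missing)". The script below is an added example, not code from this thread or from Avenger or HijackThis; it correlates the two log formats to list autorun entries whose target no longer exists, so the leftover registry values can be cleaned up deliberately rather than discovered one dialog at a time. The embedded log lines are a constructed, abridged sample in the shape of the logs posted above.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: abridged lines in the shape of the Avenger and
# HijackThis logs posted in this thread (not the full logs).
AVENGER_LOG = r"""
File "C:\Program Files\CA\eTrust Antivirus\realmon.exe" deleted successfully.
File "F:\WINDOWS\system32\qvdrljyeu.exe" deleted successfully.
Folder "C:\Program Files\Common Files\BOONTY Shared" deleted successfully.
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

_AVENGER_RE = re.compile(r'^(File|Folder) "(.+)" deleted successfully\.$')
_O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
_O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - '
                     r'(?P<path>.+?)(?P<missing> \(file missing\))?$')


def parse_avenger_deleted(log: str) -> Dict[str, Set[str]]:
    """Collect the files and folders Avenger reports as deleted (lower-cased)."""
    deleted: Dict[str, Set[str]] = {"files": set(), "folders": set()}
    for line in log.splitlines():
        m = _AVENGER_RE.match(line.strip())
        if m:
            key = "files" if m.group(1) == "File" else "folders"
            deleted[key].add(m.group(2).lower())
    return deleted


def _first_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: stop at the first .exe/.dll token.
    m = re.match(r'(.+?\.(?:exe|dll))(?:[\s,]|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt_autoruns(log: str) -> List[Dict[str, object]]:
    """Extract O4 Run-key entries and O23 services with the path each one starts."""
    entries: List[Dict[str, object]] = []
    for line in log.splitlines():
        line = line.strip()
        m = _O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "name": m.group("name"),
                            "path": _first_path(m.group("cmd")), "file_missing": False})
            continue
        m = _O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m.group("name"), "path": m.group("path"),
                            "file_missing": m.group("missing") is not None})
    return entries


def find_orphaned_autoruns(hjt_log: str, avenger_log: str) -> List[Dict[str, object]]:
    """Return autorun entries whose target no longer exists: HijackThis already
    marks it '(file missing)', or Avenger deleted the file or a parent folder."""
    deleted = parse_avenger_deleted(avenger_log)
    orphans: List[Dict[str, object]] = []
    for entry in parse_hjt_autoruns(hjt_log):
        path = str(entry["path"]).lower()
        if entry["file_missing"]:
            reason = "HijackThis reports file missing"
        elif path in deleted["files"] or any(path.startswith(f + "\\") for f in deleted["folders"]):
            reason = "target deleted by Avenger"
        else:
            continue
        orphans.append({**entry, "reason": reason})
    return orphans


if __name__ == "__main__":
    for o in find_orphaned_autoruns(HJT_LOG, AVENGER_LOG):
        print(f'{o["kind"]} [{o["name"]}] -> {o["path"]}: {o["reason"]}')
```

Run against the sample, it flags the Realtime Monitor Run value (its target was deleted by Avenger) and the Boonty Games and Kwari.xLoader services (already "(file missing)"), while leaving iTunesHelper, kdx and KService alone. The O4 parser only looks at Run keys, not Startup-folder shortcuts, and reads the first executable on the command line, so a RUNDLL32 entry is reported by the host, not the DLL it loads.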

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Run ComboFix again and post the log
  • 0

#14
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Combofix log attached.

Attached Files


Edited by teacup, 30 May 2008 - 11:32 AM.

  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

No need to attach the log


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::

Folder::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d12eb66d-08ac-11dc-8713-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also post a new HijackThis log

Edited by Rorschach112, 30 May 2008 - 11:50 AM.

  • 0





