WoW Password stolen, possible keylogger [CLOSED]


#1 Dome (Member, 25 posts)
I've run all the scans available after this predicament. I want to make sure whether I got it or not, because I don't want to risk it again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:39 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\windows.ext
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\WebcamMax\wcmmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\wcmmon.exe" /a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctmon.exe] C:\WINDOWS\633341857211.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Shell] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\WINDOWS\TEMP\dat16.tmp" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193201011796
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimateb...o/launchubo.OCX
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8979 bytes

#2 Chopin (Member 2k, 2,639 posts)
Hello Dome, it doesn't look like there's anything really horrible on there. Let's get a scan first.

1. Deckard's System Scanner
------------------------------------------------

Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan.

Note: This program will clear your temporary files.

  • On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan.
  • The entire scanning process will take about five minutes, often less.
  • During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so.
  • Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction.
  • Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply.
On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

#3 Dome (Topic Starter, Member, 25 posts)
Nothing, eh? The thing is, I did this scan right after my password was stolen for a second time, so I assumed I still had it <=/

Deckard's System Scanner v20071014.68
Run by Domebuddy on 2008-06-22 16:19:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-06-22 21:19:53 UTC - RP210 - Deckard's System Scanner Restore Point
2: 2008-06-22 10:25:40 UTC - RP209 - Installed DirectX
1: 2008-06-21 00:04:35 UTC - RP208 - Installed Fable - The Lost Chapters


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.94 GiB (less than 15%) free.


-- HijackThis (run as Domebuddy.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:05 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\windows.ext
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\WebcamMax\wcmmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Domebuddy\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Domebuddy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.digitalcybersoft.com/
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\wcmmon.exe" /a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctmon.exe] C:\WINDOWS\633341857211.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193201011796
O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimateb...o/launchubo.OCX
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9106 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CamthWDM (WebcamMax, WDM Video Capture) - c:\windows\system32\drivers\camthwdm.sys <Not Verified; YewSoft; Cam Theme>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 cdrmkaun - c:\docume~1\domebu~1\locals~1\temp\cdrmkaun.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ezplay (VSO Software ezplay) - c:\windows\system32\drivers\ezplay.sys <Not Verified; VSO Software; ezplay driver>
S3 JL2005C (Dual Mode Camera) - c:\windows\system32\drivers\jl2005c.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-22 04:40:00 262 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-06-16 20:18:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-22 and 2008-06-22 -----------------------------

2008-06-22 05:25:15 0 d-------- C:\WINDOWS\Logs
2008-06-22 05:24:59 0 d--h---c- C:\Documents and Settings\All Users\Application Data\{D2A9AAE9-BAF5-4CBE-8CC4-9314EE287B09}
2008-06-22 05:24:46 0 d-------- C:\Program Files\Utherverse Digital Inc
2008-06-22 02:29:07 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Macromedia
2008-06-21 19:38:11 0 d-------- C:\Program Files\Guitar Pro 5
2008-06-19 23:03:00 5632 --a------ C:\WINDOWS\system32\udcpm.dll <Not Verified; fCoder Group, Inc.; Universal Document Converter>
2008-06-19 23:02:56 0 dr------- C:\UDC Output Files
2008-06-19 23:02:56 0 d-------- C:\Program Files\Universal Document Converter
2008-06-19 16:50:19 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-06-19 16:38:33 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-19 16:37:20 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 16:37:20 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\SUPERAntiSpyware.com
2008-06-18 23:12:52 0 dr-h----- C:\Documents and Settings\Domebuddy\Application Data\SecuROM
2008-06-18 14:15:05 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Viewpoint
2008-06-17 17:19:32 0 d-------- C:\Program Files\Trend Micro
2008-06-17 15:13:40 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 14:44:40 0 d-------- C:\ProgramData
2008-06-17 14:44:36 2004 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-16 19:04:43 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Malwarebytes
2008-06-16 19:04:42 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 19:04:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 19:04:20 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-16 18:28:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 15:58:33 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\SPORE Creature Creator
2008-06-16 14:00:23 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\dyyno-vlc
2008-06-16 13:59:52 0 d-------- C:\Program Files\Dyyno
2008-06-12 14:15:14 20192 ---hs---- C:\WINDOWS\system32\vcrxfileju.dll
2008-06-11 15:30:57 228864 --a------ C:\WINDOWS\96435308487.exe
2008-06-11 15:00:08 6983 --a------ C:\WINDOWS\633341857211.exe
2008-06-11 15:00:07 37697 --a------ C:\WINDOWS\27531365669.exe
2008-06-09 17:26:43 0 d-------- C:\Program Files\MAME32k
2008-06-09 14:00:08 0 d-------- C:\Program Files\Common Files\plugin
2008-06-04 04:56:57 0 d-------- C:\Program Files\keyclone
2008-06-01 02:04:29 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Bamzooki
2008-06-01 02:01:44 0 d-------- C:\Program Files\BAMZOOKi
2008-05-22 19:37:01 0 d-------- C:\Program Files\Rockstar Games


-- Find3M Report ---------------------------------------------------------------

2008-06-22 16:19:46 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Xfire
2008-06-22 15:59:40 0 d-------- C:\Program Files\Steam
2008-06-22 05:14:32 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\MegauploadToolbar
2008-06-20 19:15:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 16:35:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 14:22:37 0 d-------- C:\Program Files\Xfire
2008-06-18 23:08:33 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\uTorrent
2008-06-17 19:05:52 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\mIRC
2008-06-17 19:03:22 0 d-------- C:\Program Files\mIRC
2008-06-17 17:14:55 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Mozilla
2008-06-16 21:59:46 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-16 19:04:20 0 d-------- C:\Program Files\Common Files
2008-06-12 14:25:12 0 ---hs---- C:\Program Files\desktoq.ini
2008-06-09 16:46:36 0 d-------- C:\Program Files\zbattle.net
2008-06-09 13:59:23 83848 --a------ C:\WINDOWS\system32\spoolsv.exe <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-06-08 22:07:18 0 d-------- C:\Program Files\World of Warcraft
2008-06-08 11:22:31 0 d-------- C:\Program Files\FrostWire
2008-06-03 22:38:50 0 d-------- C:\Program Files\Warcraft III
2008-06-01 23:10:09 219 --a------ C:\Documents and Settings\Domebuddy\Application Data\BonsaiErrorLog.txt
2008-05-22 16:46:07 0 d-------- C:\Program Files\SystemRequirementsLab
2008-05-22 16:46:07 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\SystemRequirementsLab
2008-05-09 18:21:10 0 d-------- C:\Program Files\Atari
2008-05-09 18:20:55 0 d-------- C:\Program Files\Three Rings Design
2008-05-09 18:20:27 0 d-------- C:\Program Files\WarZone
2008-05-09 18:19:37 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Lionhead Studios
2008-05-09 18:13:27 0 d-------- C:\Program Files\VSO
2008-05-09 18:13:26 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\Vso
2008-05-09 18:13:26 33 --a------ C:\Documents and Settings\Domebuddy\Application Data\ezplay.log
2008-05-09 18:13:25 94208 --a------ C:\Documents and Settings\Domebuddy\Application Data\ezplay.sys <Not Verified; VSO Software; ezplay driver>
2008-05-09 18:13:25 1104 --a------ C:\Documents and Settings\Domebuddy\Application Data\ezplay.inf
2008-05-09 18:13:25 7861 --a------ C:\Documents and Settings\Domebuddy\Application Data\ezplay.cat
2008-05-09 18:13:24 47360 --a------ C:\Documents and Settings\Domebuddy\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-09 18:13:24 33 --a------ C:\Documents and Settings\Domebuddy\Application Data\pcouffin.log
2008-05-09 18:13:24 1144 --a------ C:\Documents and Settings\Domebuddy\Application Data\pcouffin.inf
2008-05-09 18:13:24 7887 --a------ C:\Documents and Settings\Domebuddy\Application Data\pcouffin.cat
2008-05-02 17:18:38 0 d-------- C:\Program Files\WolfQuest
2008-05-02 15:26:24 0 d-------- C:\Program Files\Realtek AC97
2008-05-02 15:22:51 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-25 16:34:57 0 d-------- C:\Program Files\Yahoo!
2008-04-24 17:14:49 0 d-------- C:\Program Files\Starcraft
2008-04-23 20:48:14 0 d-------- C:\Program Files\Veoh Networks
2008-04-22 19:21:42 0 d-------- C:\Documents and Settings\Domebuddy\Application Data\FrostWire
2008-04-06 13:35:57 78125 --a------ C:\WINDOWS\War3Unin.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
11/01/2007 05:52 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
11/01/2007 05:52 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [11/01/2007 05:52 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/19/2007 09:16 PM]
"WebcamMaxMoniter"="C:\Program Files\WebcamMax\wcmmon.exe" [07/31/2007 07:55 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 10:32 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/03/2004 10:31 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"NvMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [03/03/2004 02:30 PM]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 04:22 PM C:\WINDOWS\soundman.exe]
"UDC Integration"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [09/18/2007 09:16 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [02/03/2008 09:40 AM]
"Steam"="c:\program files\steam\steam.exe" [03/28/2008 11:49 AM]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [12/22/2007 02:23 AM]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/18/2008 02:30 PM]
"@"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/20/2008 05:57 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmn1.exe"=C:\WINDOWS\system32\111.ext
"ctmon.exe"=C:\WINDOWS\633341857211.exe

C:\Documents and Settings\Domebuddy\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [6/2/2008 7:56:46 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2/3/2008 9:40:08 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0014D502-D7A2-456A-AE04-EB9ABF822FE4}"= C:\WINDOWS\TEMP\2ow.dll [ ]
"{E8606370-4F7A-4C2F-A39C-EDCDCC177924}"= C:\WINDOWS\system32\vcrxfileju.dll [06/16/2008 04:09 PM 20192]
"{0021C267-E883-4899-BD2E-1B6F926757E7}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\bulmfiles.dll [ ]
"{C51C4AFB-2A3A-6C2E-BA41-C10F02760731}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xptcisylgfile.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06/20/2008 05:57 PM 77824]
"{00177B18-5DF9-42C3-916E-5EE7D13D09DC}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\mssjfilejs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 06/20/2008 05:57 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b87df148-0cea-11dd-9ac5-806d6172696f}]
AutoRun\command- D:\Autorun.exe root.ini




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-22 16:21:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3100+
Percentage of Memory in Use: 41%
Physical Memory (total/avail): 1023.48 MiB / 599.61 MiB
Pagefile Memory (total/avail): 2460.13 MiB / 1994.98 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.85 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 114.49 GiB total, 3.94 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)
F: is Fixed (NTFS) - 14.31 GiB total, 6.1 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y120L0 - 114.49 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 114.49 GiB - C:

\\.\PHYSICALDRIVE1 - WDC AC315300D - 14.32 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 14.31 GiB - F:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\tuftoe\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\source dedicated server\\srcds.exe"="C:\\Program Files\\Steam\\steamapps\\tuftoe\\source dedicated server\\srcds.exe:*:Enabled:srcds"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Sierra Online\\FreeStyle Street Basketball™\\FreeStyle.exe"="C:\\Program Files\\Sierra Online\\FreeStyle Street Basketball™\\FreeStyle.exe:*:Enabled:FreeStyle"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:Torrent"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\NETAMIN\\UBO_2007\\game\\ubo.exe"="C:\\Program Files\\NETAMIN\\UBO_2007\\game\\ubo.exe:*:Enabled:UBOnline"
"C:\\Program Files\\NETAMIN\\Real Baseball\\patcher\\fc.exe"="C:\\Program Files\\NETAMIN\\Real Baseball\\patcher\\fc.exe:*:Enabled:Cal Ripken's Real Baseball SysAnalyzer"
"C:\\Program Files\\NETAMIN\\Real Baseball\\game\\RealBaseball.exe"="C:\\Program Files\\NETAMIN\\Real Baseball\\game\\RealBaseball.exe:*:Enabled:RealBaseball"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Documents and Settings\\Domebuddy\\Desktop\\zsneswv1.36\\ZSNESW.EXE"="C:\\Documents and Settings\\Domebuddy\\Desktop\\zsneswv1.36\\ZSNESW.EXE:*:Enabled:ZSNESW"
"C:\\Documents and Settings\\Domebuddy\\Desktop\\vbaserver\\vbalink.exe"="C:\\Documents and Settings\\Domebuddy\\Desktop\\vbaserver\\vbalink.exe:*:Enabled:vbalink"
"C:\\Documents and Settings\\Domebuddy\\Desktop\\vbalink180b0\\VisualBoyAdvance.exe"="C:\\Documents and Settings\\Domebuddy\\Desktop\\vbalink180b0\\VisualBoyAdvance.exe:*:Enabled:VisualBoyAdvance emulator"
"C:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe"="C:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe:*:Enabled:YGO Virtual Desktop Executable"
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\garrysmod\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\tuftoe\\garrysmod\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\team fortress classic\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\tuftoe\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\tuftoe\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Domebuddy\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JAKE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Domebuddy
LOGONSERVER=\\JAKE
MAYA_SCRIPT_PATH=C:\PROGRAM FILES\NATURALMOTION\ENDORPHIN 2.7.0 LEARNING EDITION\RESOURCES\THIRD PARTY\MAYA\SCRIPTS
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\Domebuddy\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0c00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
sourcesdk=c:\program files\steam\steamapps\tuftoe\sourcesdk
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp
USERDOMAIN=JAKE
USERNAME=Domebuddy
USERPROFILE=C:\Documents and Settings\Domebuddy
VProject=c:\program files\steam\steamapps\tuftoe\portal\portal
VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Domebuddy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{EFC1B35C-FFF2-41D8-A70A-CE6037F8040B}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Torrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AGEIA PhysX v7.07.24 --> MsiExec.exe /X{EFC1B35C-FFF2-41D8-A70A-CE6037F8040B}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Aliens vs. Predator 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EF79591-BF16-4CF8-8FF0-D8AD968228B1}\SETUP.EXE"
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x575c
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audiosurf --> "C:\Program Files\Steam\steam.exe" steam://uninstall/12900
BAMZOOKi v3.1 (build 204.173) --> "C:\Program Files\BAMZOOKi\unins000.exe"
Blaze Media Pro --> "C:\Documents and Settings\All Users\Application Data\{CFAB4006-0AE0-414D-866A-DCB2C46553CF}\setup_blazemp.exe" REMOVE=TRUE MODIFY=FALSE
Cal Ripken's Real Baseball Web Launcher 1.1.0.0 --> C:\Program Files\Netamin\Web Launcher\Uninstall.exe
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Combined Community Codec Pack 2008-01-24 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Darkwind Client For Windows --> "C:\Program Files\Darkwind\unins000.exe"
Deer Hunter - The 2005 Season Demo --> "C:\Program Files\Atari\Deer Hunter 2005 Demo\unins000.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVDFab HD Decrypter 4.0.3.2 --> "C:\Program Files\DVDFab HD Decrypter 4\unins000.exe"
DyynoPlayer 0.8.6f --> C:\Program Files\Dyyno\Dyyno Player\uninstall.exe
Earth's Special Forces --> c:\program files\steam\steamapps\tuftoe\half-life\esf\Uninstall.exe
Fable - The Lost Chapters --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}
FableTLCMod - Fable Explorer --> "C:\Program Files\FableTLCMod\FableExplorer\Fable Explorer - Uninstaller.exe"
FLV Player 2.0, build 23 --> C:\Program Files\FLV Player\uninst.exe
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
FreeStyle Street Basketball™ --> C:\Program Files\InstallShield Installation Information\{E192E363-0D29-4D22-B034-F2E457CC0660}\setup.exe -runfromtemp -l0x0009 -removeonly
Frets On Fire --> "C:\Program Files\Frets on Fire\Uninstall.exe"
FrostWire 4.13.3 --> C:\Program Files\FrostWire\Uninstall.exe
GameTap --> C:\Program Files\InstallShield Installation Information\{67E158AF-8856-4337-B483-EA21930786AF}\setup.exe -runfromtemp -l0x0009 -removeonly
Garry's Mod --> "C:\Program Files\Steam\steam.exe" steam://uninstall/4000
GCFScape 1.6.6 --> "C:\Program Files\GCFScape\unins000.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Grand Theft Auto Vice City --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B35F00C-E63D-40DC-9839-DF15A33EAC46}\Setup.exe" -l0x9
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
Half-Life --> "C:\Program Files\Steam\steam.exe" steam://uninstall/70
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Deathmatch --> "C:\Program Files\Steam\steam.exe" steam://uninstall/320
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two --> "C:\Program Files\Steam\steam.exe" steam://uninstall/420
Half-Life: Blue Shift --> "C:\Program Files\Steam\steam.exe" steam://uninstall/130
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Insurgency Mod --> "c:\program files\steam\SteamApps\SourceMods\insurgency\Uninstall.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
ISO Recorder --> MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MAME32k (remove only) --> "C:\Program Files\MAME32k\uninst.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Flight Simulator X Demo --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{B98A34C0-A6A2-4087-B272-557C1C6D0A07}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Professional 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 9.0\Microsoft Visual C++ 2008 Express Edition - ENU\setup.exe
Microsoft Visual C++ 2008 Express Edition - ENU --> MsiExec.exe /X{D1846BA1-6118-3EDF-8C57-6E1A04646738}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework --> MsiExec.exe /X{B4C0A315-07FB-39F9-85CD-8CE20C019350}
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32 --> MsiExec.exe /X{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries --> MsiExec.exe /X{842FAF7C-50EF-4463-9B8F-6222E1384D7D}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NaturalMotion endorphin 2.7.0 --> "C:\Program Files\NaturalMotion\endorphin 2.7.0 Learning Edition\unins000.exe"
nLite 1.4 RC2 --> "C:\Program Files\nLite\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\NVUninst.exe UninstallGUI
NvMixer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\setup.exe" -uninstall
Okoker ISO Maker 6.3 --> "C:\Program Files\Okoker ISO Maker\unins000.exe"
Opposing Force --> "C:\Program Files\Steam\steam.exe" steam://uninstall/50
PBP Unpacker v0.94 --> "C:\Program Files\PBP Unpacker\unins000.exe"
Petz 4 --> C:\PROGRA~1\UbiSoft\PETZ4~1\UNWISE.EXE C:\PROGRA~1\UbiSoft\PETZ4~1\INSTALL.LOG
PetzPlayer --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\PF.Magic\PetzPlayer\UninstPzPlayer.isu"
PhoTags Express --> C:\PROGRA~1\PHOTAG~1\Setup.exe /remove
Portal --> "C:\Program Files\Steam\steam.exe" steam://uninstall/400
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Real Lives 2007 --> C:\Program Files\Educational Simulations\Real Lives\UnInstall_21355.exe
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
RGSS-RTP Standard --> MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}
Risk II --> "C:\Program Files\Risk II\ReflexiveArcade\unins000.exe"
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SnagIt 8 --> MsiExec.exe /I{A1C4EE2B-DF14-4488-BC8A-F9336D588E97}
Source Dedicated Server --> "C:\Program Files\Steam\steam.exe" steam://uninstall/205
Source SDK --> "C:\Program Files\Steam\steam.exe" steam://uninstall/211
Source SDK Base --> "C:\Program Files\Steam\steam.exe" steam://uninstall/215
Source SDK Base - Orange Box --> "C:\Program Files\Steam\steam.exe" steam://uninstall/218
SPORE Creature Creator Trial Edition --> "C:\Program Files\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars Jedi Knight Jedi Academy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EECBA68-8BE4-4076-94DF-E9ED206B1D21}\Setup.exe" -l0x9
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Super Smash Flash EXE Version 1.0 --> "C:\Program Files\Super Smash Flash EXE\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sven Co-op 3.0 --> C:\WINDOWS\unvise32.exe c:\sierra\half-life\SvenCoop\uninstal.log
SwitchBlade --> MsiExec.exe /X{68FFEC1B-E28C-4F7A-A8E3-E99E2D54FFAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress Classic --> "C:\Program Files\Steam\steam.exe" steam://uninstall/20
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Queen Of Fighters 2.0 --> C:\Program Files\The Queen Of Fighters\Uninstall.exe
Toribash 3.24 --> "c:\Games\Toribash-3.24\unins000.exe"
TrackMania Nations Forever --> "C:\Program Files\Steam\steam.exe" steam://uninstall/11020
TractorSource V0.5 --> c:\Program Files\Steam\Steamapps\SourceMods\TractorSource_V0.5\Uninstal.exe
Uninstall Dual Mode Camera --> "C:\Program Files\JL2005B\unins000.exe"
Universal Document Converter --> "C:\Program Files\Universal Document Converter\unins000.exe"
Utherverse 3D Client --> "C:\Documents and Settings\All Users\Application Data\{D2A9AAE9-BAF5-4CBE-8CC4-9314EE287B09}\UtherverseSetup.exe" REMOVE=TRUE MODIFY=FALSE
Utherverse 3D Client --> C:\Documents and Settings\All Users\Application Data\{D2A9AAE9-BAF5-4CBE-8CC4-9314EE287B09}\UtherverseSetup.exe
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Ventrilo Server --> MsiExec.exe /I{1D46A3A0-B37D-423A-91C2-101A49E2FF80}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WebcamMax --> "C:\Program Files\WebcamMax\uninst.exe"
Weekday Warrior --> c:\program files\steam\SteamApps\SourceMods\WeekdayWarrior\uninst.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Media ASF View 9 Series --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\asfview.inf,Uninstall
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Updates Downloader --> "C:\Program Files\Windows Updates Downloader\uninstall.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WolfQuest --> MsiExec.exe /X{6B7F486B-5F97-403B-949C-3C8A6D33BA37}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
X-Coopmod Beta 2.5 --> "C:\Program Files\Fox\Aliens vs. Predator 2\setup\setup.exe" /u
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yugioh Virtual Desktop --> C:\WINDOWS\unvise32.exe C:\Program Files\YVD\uninstal.log
zbattle.net 1.09 SR-1 beta --> "C:\Program Files\zbattle.net\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1419 / Success
Event Submitted/Written: 06/22/2008 04:43:26 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1417 / Error
Event Submitted/Written: 06/22/2008 04:42:08 AM
Event ID/Source: 1013 / MsiInstaller
Event Description:
Product: Windows Live Messenger -- Your computer has a newer version of Windows Live Messenger than the one you are trying to install. To install an older version, first remove the current version (click Start, Settings, Control Panel, Add or Remove, Windows Live Messenger), and then run this Set Up again.

Event Record #/Type1376 / Error
Event Submitted/Written: 06/19/2008 10:44:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application mssjfile.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [mssjfile.exe!ws!]

Event Record #/Type1363 / Error
Event Submitted/Written: 06/19/2008 02:22:22 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting
  • 0

#4
Chopin

    Member 2k

  • Member
  • 2,639 posts
Hello Dome, there is some stuff on there but it doesn't really look all that bad. Let's get started! However, first:

It looks like you currently have no Anti-Virus protection installed on your computer. This leaves your computer open to the majority of infections out there and is most likely one of the reasons you got infected in the first place. Please download one of the following AV programs:

Anti Virus Programs

Once you have an AV program installed (make sure you only install one, having more than one installed will give undesirable results), update to the latest definitions/ version and do a full system scan. Make sure you have your AV quarantine any bad files it finds (you should be able to find this option under the anti-virus's scan settings.) Please post the scan report that your AV program produces after it finishes scanning your computer.

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Fix Entries with HijackThis
------------------------------------------------

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctmon.exe] C:\WINDOWS\633341857211.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'Default user')

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

2. Fix File Associations
------------------------------------------------

Please go to Start > Run. In the box that appears, carefully copy and paste the following:

"%Userprofile%\Desktop\dss.exe" /daft

Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window.

3. Submit File for Testing
------------------------------------------------

Please go to this website: Link

Once there, you will see a textbox in the middle of the screen. Copy and paste the following line into the textbox:

C:\WINDOWS\system32\CMMGR32.EXE

Click the large "Send File" button. Your file will be scanned by MANY different antivirus engines, so until the top says Current status: Finished, don't close the window/copy the results! Once the scan is finished, copy and paste the entire table into a reply so it looks like this:

AhnLab-V3 2007.9.29.0 2007.09.28 -
AntiVir 7.6.0.18 2007.09.28 HEUR/Malware
Authentium 4.93.8 2007.09.28 -
Avast 4.7.1043.0 2007.09.28 -
AVG 7.5.0.488 2007.09.28 -
BitDefender 7.2 2007.09.28 -
CAT-QuickHeal 9.00 2007.09.28 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.28 -
DrWeb 4.33 2007.09.28 -
eSafe 7.0.15.0 2007.09.23 Suspicious Trojan/Worm
eTrust-Vet 31.2.5169 2007.09.27 -
Ewido 4.0 2007.09.28 -
FileAdvisor 1 2007.09.29 -
Fortinet 3.11.0.0 2007.09.28 -
F-Prot 4.3.2.48 2007.09.27 -
F-Secure 6.70.13030.0 2007.09.28 -
Ikarus T3.1.1.12 2007.09.28 -
Kaspersky 7.0.0.125 2007.09.29 -
McAfee 5130 2007.09.28 -
Microsoft 1.2803 2007.09.29 -
NOD32v2 2558 2007.09.28 -
Norman 5.80.02 2007.09.28 -
Panda 9.0.0.4 2007.09.28 -
Prevx1 V2 2007.09.29 Heuristic: Suspicious Self Modifying EXE
Rising 19.42.42.00 2007.09.28 -
Sophos 4.21.0 2007.09.28 -
Sunbelt 2.2.907.0 2007.09.28 VIPRE.Suspicious
Symantec 10 2007.09.28 -
TheHacker 6.2.6.073 2007.09.28 -
VBA32 3.12.2.4 2007.09.29 -
VirusBuster 4.3.26:9 2007.09.28 -
Webwasher-Gateway 6.0.1 2007.09.28 Heuristic.Malware


Once finished with C:\WINDOWS\system32\CMMGR32.EXE, please repeat the process with this line at the beginning:

C:\WINDOWS\system32\vcrxfileju.dll
C:\WINDOWS\96435308487.exe


Post those results as well.

4. Run ComboFix
------------------------------------------------

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open internet browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

In your next post
------------------------------------------------

  • Antivirus log
  • 3 VirusTotal logs
  • ComboFix log

#5
Dome

Avira AntiVir Personal
Report file date: Wednesday, June 25, 2008 00:50

Scanning for 1165085 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: JAKE

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 16:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 15:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 15:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 15:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 20:08:58
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 3/21/2008 02:12:34
ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 3/25/2008 15:27:50
Engineversion : 8.1.0.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 16:58:21
AESCRIPT.DLL : 8.1.0.19 229754 Bytes 4/7/2008 22:34:44
AESCN.DLL : 8.1.0.12 115060 Bytes 4/7/2008 22:34:44
AERDL.DLL : 8.1.0.19 418164 Bytes 4/7/2008 22:34:44
AEPACK.DLL : 8.1.1.0 364918 Bytes 3/18/2008 18:20:42
AEOFFICE.DLL : 8.1.0.15 192889 Bytes 4/7/2008 22:34:44
AEHEUR.DLL : 8.1.0.15 1147253 Bytes 4/7/2008 22:34:44
AEHELP.DLL : 8.1.0.11 115061 Bytes 4/7/2008 22:34:43
AEGEN.DLL : 8.1.0.15 299379 Bytes 4/7/2008 22:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/7/2008 22:34:43
AECORE.DLL : 8.1.0.25 168309 Bytes 4/8/2008 16:58:32
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 00:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 17:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 00:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 15:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 00:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 21:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 19:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, F:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, June 25, 2008 00:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'xfire.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned
Scan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scanned
Scan process 'VeohClient.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'steam.exe' - '1' Module(s) have been scanned
Scan process 'daemon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wcmmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '27' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\bulmfiles.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '48cddd63.qua'!
C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\mssjfilejs.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '48d4dd68.qua'!
C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xptcisylgfile.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '48d5dd65.qua'!
C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xpttisylgfile.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '49719c16.qua'!
C:\Deckard\System Scanner\20080624213325\backup\WINDOWS\temp\111eeow.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '4892dd2e.qua'!
C:\Deckard\System Scanner\20080624213325\backup\WINDOWS\temp\111ow.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '4930ef1f.qua'!
C:\Deckard\System Scanner\20080624213325\backup\WINDOWS\temp\2ow.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '48d8dd6d.qua'!
C:\Documents and Settings\Domebuddy\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.80734
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '48a2dd97.qua'!
C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\The Queen Of Fighters\Uninstall.exe
[DETECTION] Is the Trojan horse TR/Delf.axt
[NOTE] The file was moved to '48caefae.qua'!
C:\QooBox\Quarantine\C\WINDOWS\27531365669.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
[NOTE] The file was moved to '4896f1c9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\633341857211.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.NSPI.Gen
[NOTE] The file was moved to '4894f1c5.qua'!
C:\QooBox\Quarantine\C\WINDOWS\96435308487.exe.vir
[DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
[NOTE] The file was moved to '4895f1c8.qua'!
C:\QooBox\Quarantine\C\WINDOWS\Tasks\0x01xx8p.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4891f20b.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP208\A0275567.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1da.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP208\A0276567.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1db.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP208\A0277567.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1e0.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP209\A0278567.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1e2.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP210\A0279567.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1e3.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP213\A0280567.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1e6.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280652.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '4893f1eb.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280655.exe
[DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
[NOTE] The file was moved to '490ceabc.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280656.exe
[DETECTION] Is the Trojan horse TR/Crypt.NSPI.Gen
[NOTE] The file was moved to '4893f1ed.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280657.exe
[DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
[NOTE] The file was moved to '4893f1ec.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280711.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '490ceabe.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280712.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '4893f1ef.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280713.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '4893f1ee.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280714.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '490ceabf.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280715.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '4893f190.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280716.dll
[DETECTION] Is the Trojan horse TR/Spy.Gen
[NOTE] The file was moved to '490ceac1.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280717.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was moved to '490ceaa0.qua'!
C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280723.exe
[DETECTION] Is the Trojan horse TR/Delf.axt
[NOTE] The file was moved to '4893f1f1.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'F:\'


End of the scan: Wednesday, June 25, 2008 02:32
Used time: 1:42:15 min

The scan has been done completely.

15461 Scanning directories
379337 Files were scanned
26 viruses and/or unwanted programs were found
5 Files were classified as suspicious:
0 files were deleted
0 files were repaired
31 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
379311 Files not concerned
2224 Archives were scanned
4 Warnings
31 Notes






File vcrxfileju.dll received on 06.17.2008 06:53:14 (CET)
Current status: finished
Result: 13/33 (39.39%)
Antivirus Version Last Update Result
AhnLab-V3 2008.6.17.0 2008.06.16 -
AntiVir 7.8.0.55 2008.06.16 TR/ATRAPS.Gen
Authentium 5.1.0.4 2008.06.17 W32/Warezov.gen3!W32DL
Avast 4.8.1195.0 2008.06.16 -
AVG 7.5.0.516 2008.06.16 -
BitDefender 7.2 2008.06.17 Generic.PWStealer.928430AF
CAT-QuickHeal 9.50 2008.06.16 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.16 -
eSafe 7.0.15.0 2008.06.16 -
eTrust-Vet 31.6.5880 2008.06.17 -
Ewido 4.0 2008.06.16 -
F-Prot 4.4.4.56 2008.06.12 W32/Warezov.gen3!W32DL
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 -
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5318 2008.06.16 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3192 2008.06.17 probably a variant of Win32/Genetik
Norman 5.80.02 2008.06.16 -
Panda 9.0.0.4 2008.06.16 Suspicious file
Prevx1 V2 2008.06.17 Malicious Software
Rising 20.49.02.00 2008.06.16 Trojan.PSW.Win32.YBOnline.dw
Sophos 4.30.0 2008.06.17 Sus/Behav-1007
Sunbelt 3.0.1153.1 2008.06.15 Trojan-PSW.Win32.Nilage.o
Symantec 10 2008.06.17 -
TheHacker 6.2.92.352 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 PAK_Generic.005
VBA32 3.12.6.7 2008.06.17 suspected of Backdoor.XiaoBird.3
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 Trojan.ATRAPS.Gen

The other 2 showed up before, but I forgot to copy the results down. After I did ComboFix, the files no longer existed.



ComboFix 08-06-20.4 - Domebuddy 2008-06-24 21:46:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT -5:00]
Running from: C:\Documents and Settings\Domebuddy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Domebuddy\Application Data\inst.exe
C:\WINDOWS\27531365669.exe
C:\WINDOWS\633341857211.exe
C:\WINDOWS\96435308487.exe
C:\WINDOWS\system32\CMMGR32.EXE
C:\WINDOWS\system32\d.txt
C:\WINDOWS\system32\windows.txt
C:\WINDOWS\Tasks\0x01xx8p.exe

Infected copy of C:\WINDOWS\system32\spoolsv.exe was found & disinfected
Restored copy from - C:\WINDOWS\system32\dllcache\spoolsv.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWM


((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-24 21:22 . 2008-06-24 21:22 <DIR> d-------- C:\Program Files\Avira
2008-06-24 21:22 . 2008-06-24 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-22 16:19 . 2008-06-22 16:19 <DIR> d-------- C:\Deckard
2008-06-22 05:26 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-22 05:26 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-06-22 05:26 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-06-22 05:26 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-06-22 05:26 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-06-22 05:26 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-06-22 05:26 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-06-22 05:26 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-06-22 05:26 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-06-22 05:26 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-06-22 05:25 . 2008-06-22 05:25 <DIR> d-------- C:\WINDOWS\Logs
2008-06-22 05:25 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-06-22 05:25 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-06-22 05:25 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-06-22 05:24 . 2008-06-22 05:24 <DIR> d-------- C:\Program Files\Utherverse Digital Inc
2008-06-22 05:24 . 2008-06-22 05:25 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{D2A9AAE9-BAF5-4CBE-8CC4-9314EE287B09}
2008-06-21 19:38 . 2008-06-21 19:38 <DIR> d-------- C:\Program Files\Guitar Pro 5
2008-06-19 23:03 . 2008-04-04 18:07 5,632 --a------ C:\WINDOWS\system32\udcpm.dll
2008-06-19 23:02 . 2008-06-19 23:04 <DIR> dr------- C:\UDC Output Files
2008-06-19 23:02 . 2008-06-19 23:03 <DIR> d-------- C:\Program Files\Universal Document Converter
2008-06-19 16:38 . 2008-06-19 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-19 16:37 . 2008-06-20 17:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 16:37 . 2008-06-19 16:37 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\SUPERAntiSpyware.com
2008-06-18 23:12 . 2008-06-18 23:12 <DIR> dr-h----- C:\Documents and Settings\Domebuddy\Application Data\SecuROM
2008-06-18 14:15 . 2008-06-18 14:15 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\Viewpoint
2008-06-17 17:19 . 2008-06-17 17:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 15:13 . 2008-06-18 01:11 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-17 14:44 . 2008-06-17 14:44 <DIR> d-------- C:\ProgramData
2008-06-17 14:44 . 2008-06-18 01:11 2,004 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\Malwarebytes
2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-16 19:04 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-16 19:04 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 18:28 . 2008-06-16 18:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-16 18:28 . 2008-06-16 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-16 15:58 . 2008-06-23 22:31 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\SPORE Creature Creator
2008-06-16 15:58 . 2008-06-16 15:58 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-16 14:00 . 2008-06-16 14:00 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\dyyno-vlc
2008-06-16 13:59 . 2008-06-16 13:59 <DIR> d-------- C:\Program Files\Dyyno
2008-06-12 14:25 . 58 C:\QQ,DOxdDI,Ixx.url
2008-06-12 14:25 . 47 C:\Ixx-E1_.url
2008-06-12 14:15 . 2008-06-16 16:09 20,192 ---hs---- C:\WINDOWS\system32\vcrxfileju.dll
2008-06-09 17:26 . 2008-06-09 17:58 <DIR> d-------- C:\Program Files\MAME32k
2008-06-09 14:00 . 2008-06-09 14:00 <DIR> d-------- C:\Program Files\Common Files\plugin
2008-06-04 04:56 . 2008-06-04 05:01 <DIR> d-------- C:\Program Files\keyclone
2008-06-02 19:56 . 2008-06-02 19:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-01 02:04 . 2008-06-01 23:11 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\Bamzooki
2008-06-01 02:01 . 2008-06-01 02:01 <DIR> d-------- C:\Program Files\BAMZOOKi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 03:01 --------- d-----w C:\Program Files\Steam
2008-06-25 02:18 --------- d-----w C:\Program Files\Warcraft III
2008-06-25 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-24 04:38 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\MegauploadToolbar
2008-06-24 03:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 02:37 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\Xfire
2008-06-19 21:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-19 19:22 --------- d-----w C:\Program Files\Xfire
2008-06-19 04:08 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\uTorrent
2008-06-18 00:05 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\mIRC
2008-06-18 00:03 --------- d-----w C:\Program Files\mIRC
2008-06-12 19:25 0 --sh--w C:\Program Files\desktoq.ini
2008-06-09 21:46 --------- d-----w C:\Program Files\zbattle.net
2008-06-09 03:07 --------- d-----w C:\Program Files\World of Warcraft
2008-06-08 16:22 --------- d-----w C:\Program Files\FrostWire
2008-05-23 00:37 --------- d-----w C:\Program Files\Rockstar Games
2008-05-22 21:46 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-05-22 21:46 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\SystemRequirementsLab
2008-05-09 23:21 --------- d-----w C:\Program Files\Atari
2008-05-09 23:20 --------- d-----w C:\Program Files\WarZone
2008-05-09 23:20 --------- d-----w C:\Program Files\Three Rings Design
2008-05-09 23:19 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\Lionhead Studios
2008-05-09 23:13 94,208 ----a-w C:\Documents and Settings\Domebuddy\Application Data\ezplay.sys
2008-05-09 23:13 47,360 ----a-w C:\Documents and Settings\Domebuddy\Application Data\pcouffin.sys
2008-05-09 23:13 --------- d-----w C:\Program Files\VSO
2008-05-09 23:13 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\Vso
2008-05-02 22:18 --------- d-----w C:\Program Files\WolfQuest
2008-05-02 20:26 --------- d-----w C:\Program Files\Realtek AC97
2008-05-02 20:22 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-01 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania
2008-04-25 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-25 21:34 --------- d-----w C:\Program Files\Yahoo!
2008-01-25 23:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-11-13 17:12 444 ----a-w C:\Program Files\Read-Me.txt
2007-11-07 16:34 2,732 ----a-w C:\Documents and Settings\Domebuddy\layout.bin
2007-11-07 16:25 372,736 ----a-w C:\Documents and Settings\Domebuddy\setup.exe
2007-10-25 03:13 20,962,344 -c--a-w C:\Program Files\Toribash-2.8.rar
2007-04-27 14:06 156,616 ----a-w C:\Documents and Settings\Domebuddy\_Setup.dll
2007-04-18 22:06 535,552 ----a-w C:\Documents and Settings\Domebuddy\ISSetup.dll
2000-02-02 00:01 36,864 --sh--r C:\WINDOWS\system32\soni32drv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2007-11-01 17:52 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 09:16 171464]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-03 09:40 68856]
"Steam"="c:\program files\steam\steam.exe" [2008-03-28 11:49 1271032]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 02:23 221568]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-18 14:30 3628080]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-20 17:57 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"WebcamMaxMoniter"="C:\Program Files\WebcamMax\wcmmon.exe" [2007-07-31 19:55 450048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"NvMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 14:30 131072]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 16:22 577536 C:\WINDOWS\soundman.exe]
"UDC Integration"="" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\Domebuddy\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-02 19:56:46 3017040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-03 09:40:08 125624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0014D502-D7A2-456A-AE04-EB9ABF822FE4}"= C:\WINDOWS\TEMP\2ow.dll [ ]
"{E8606370-4F7A-4C2F-A39C-EDCDCC177924}"= C:\WINDOWS\system32\vcrxfileju.dll [2008-06-16 16:09 20192]
"{0021C267-E883-4899-BD2E-1B6F926757E7}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\bulmfiles.dll [ ]
"{C51C4AFB-2A3A-6C2E-BA41-C10F02760731}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xptcisylgfile.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-20 17:57 77824]
"{00177B18-5DF9-42C3-916E-5EE7D13D09DC}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\mssjfilejs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-20 17:57 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\source dedicated server\\srcds.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Sierra Online\\FreeStyle Street Basketball™\\FreeStyle.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe"=
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\team fortress classic\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\tuftoe\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2007-01-11 00:39]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 cdrmkaun;cdrmkaun;C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\cdrmkaun.sys []
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-04-10 13:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b87df148-0cea-11dd-9ac5-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe root.ini

*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 01:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-25 02:40:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-24 22:01:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-24 22:12:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 03:12:30

Pre-Run: 3,918,180,352 bytes free
Post-Run: 3,834,568,704 bytes free

234
#6
Dome

I just had an issue with vcrxfileju.dll. My antivirus was constantly detecting it, and every time I tried to quarantine, delete or deny its access it just popped up again. I pressed Rename after trying a bunch more times to quarantine it and it went away; I'm not exactly sure what Rename does.

#7
Chopin

Hello Dome, sorry about the delay :) Rename with AntiVir renders the file (usually) un-runnable, but leaves it still on your system.

Do you know the program Hide Window Plus 4? If not, it's most likely installed by malware.

Please read my entire post before commencing, and please follow my instructions in the order that they are given :) If you don't understand something, don't be afraid to ask!

1. Run OTMoveIt2
------------------------------------------------

If you haven't already, please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\QQ,DOxdDI,Ixx.url
    C:\Ixx-E1_.url
    C:\WINDOWS\system32\vcrxfileju.*
    C:\Program Files\desktoq.ini

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

2. Scan with Kaspersky WebScanner
------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next post
------------------------------------------------

  • OTMoveIt2 log
  • Kaspersky WebScanner log

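For readers who want to see what the "paste a list of paths, press Move, read the log" step above actually amounts to, here is an added Python example written for this thread. It is not OTMoveIt2's code and not Chopin's; it only borrows the workflow from the post: wildcard entries such as `vcrxfileju.*` are expanded, every match is moved under a quarantine folder (the `_OTMoveIt\MovedFiles` name and the `mmddyyyy_hhmmss.log` log name are taken from the post), the original directory layout is preserved so the move can be reversed, and entries that no longer exist are recorded instead of silently skipped. The `demo()` function builds a constructed, throw-away directory tree in a temp folder so the example runs offline; no real system files are touched.

```python
"""Added example: move a pasted list of paths (wildcards allowed) into a
quarantine folder and write a timestamped log, modelled on the OTMoveIt2
step described in the thread. Not the tool's own code."""
import glob
import os
import shutil
import tempfile
from datetime import datetime


def parse_move_list(text):
    """Turn the pasted block of paths into a clean list (blank lines dropped)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def quarantine_paths(move_list, quarantine_root, now=None):
    """Move every file matching each entry under quarantine_root.

    The original path is mirrored beneath quarantine_root (drive letter
    stripped) so each move is reversible. Returns (moved, missing, log_path),
    where moved is a list of (source, destination) pairs and missing holds the
    entries that matched nothing (already removed, or a typo in the list).
    """
    now = now or datetime.now()
    moved, missing = [], []
    for entry in move_list:
        matches = glob.glob(entry)  # 'vcrxfileju.*' style patterns expand here
        if not matches:
            missing.append(entry)
            continue
        for src in matches:
            # C:\WINDOWS\x.dll -> <quarantine_root>\WINDOWS\x.dll
            _drive, tail = os.path.splitdrive(os.path.abspath(src))
            dest = os.path.join(quarantine_root, tail.lstrip("\\/"))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.move(src, dest)
            moved.append((src, dest))
    # Log name format follows the post: mmddyyyy_hhmmss.log
    log_path = os.path.join(quarantine_root, now.strftime("%m%d%Y_%H%M%S") + ".log")
    with open(log_path, "w") as fh:
        for src, dest in moved:
            fh.write(f"{src} moved successfully -> {dest}\n")
        for entry in missing:
            fh.write(f"{entry} not found\n")
    return moved, missing, log_path


def demo():
    """Constructed scenario (not a real system): a fake system32 holding a
    vcrxfileju.dll/.dat pair plus one legitimate-looking decoy, and one list
    entry that does not exist, mirroring the post's list."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    for name in ("vcrxfileju.dll", "vcrxfileju.dat", "kernel32.dll"):
        with open(os.path.join(sys32, name), "w") as fh:
            fh.write("constructed sample\n")
    move_text = "\n".join([
        os.path.join(sys32, "vcrxfileju.*"),   # wildcard entry, two matches
        os.path.join(root, "desktoq.ini"),     # absent: nothing to move
    ])
    quarantine = os.path.join(root, "_OTMoveIt", "MovedFiles")
    moved, missing, log_path = quarantine_paths(parse_move_list(move_text), quarantine)
    with open(log_path) as fh:
        log_lines = fh.read().splitlines()
    result = {
        "moved": sorted(os.path.basename(dest) for _, dest in moved),
        "missing": len(missing),
        "decoy_untouched": os.path.exists(os.path.join(sys32, "kernel32.dll")),
        "log_lines": len(log_lines),
    }
    shutil.rmtree(root)  # clean up the constructed tree
    return result


if __name__ == "__main__":
    print(demo())
```

The point of mirroring the original path under the quarantine folder rather than flattening everything into one directory is the same reason the tool keeps a log: if a listed wildcard turns out to catch a legitimate file, the move can be undone exactly, and the log records both what moved and what was already gone.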

#8
Chopin

    Member 2k

  • Member
  • 2,639 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.