Help with stealth vundo trojan [RESOLVED]


This topic is locked

#1 nah1 (New Member, 6 posts)
I scanned with Spybot Search & Destroy and found out I had this on my computer; I managed to delete it. I also got BitDefender and rescanned (both have the latest updates); it also found some viruses and I deleted them all.
Now I downloaded VirtumundoBeGone and VundoFix, ran both, and they found nothing.

Then I downloaded SUPERAntiSpyware and ran a scan; it found only some cookies.

I'm very thankful for any info. I still think some undetected rootkit might be in my computer, but I'm not sure, because the antiviruses don't find anything and there are also no pop-ups.



Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23:30, on 21.07.2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = neptun.ksk;venus.ksk;pluto;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200247487046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvSllLF - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

Edited by __RiP_ChAiN_, 23 July 2008 - 04:47 AM: removed [codebox] tags from HJT log


#2 Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
Hello nah1, Welcome to Geeks-To-Go.

My name is Gravity Gripp and I'll be working with you on these issues. For now, I will be reviewing your log but will be responding back soon. Also, please note that I am still in training so there may be a slight delay in my responses because I will be working with an expert on this.

I look forward to working with you :)

Also, for future reference, please do not place logs in code boxes unless told to do so. It makes them hard to read :)

#3 Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
nah1, let's run VundoFix and get a little more in-depth log.

STEP ONE
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

STEP TWO
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

STEP THREE
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

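An added example, not part of this thread and not code from HijackThis, VundoFix or DSS: a small Python triage script for HijackThis v2 logs like the ones posted here. It parses the entry lines, diffs a log taken before a cleanup step against one taken after it (so you can see what the step actually changed), and flags any O20 Winlogon Notify entry whose path is not a .dll file. The assumption behind that check is that HijackThis prints a bare directory, as in the `tuvSllLF - C:\WINDOWS\` line in the logs above, when it cannot resolve the notification DLL (deleted, or hidden from it), which is exactly the kind of entry that survives a signature scan and deserves a closer look. The two log excerpts are copied from this thread and trimmed to a few lines; the function and variable names are mine.

```python
"""Triage helper for Trend Micro HijackThis v2 logs (added example, not from the thread).

Parses the "R#/O#/F# - ..." entry lines, diffs a log taken before a cleanup
tool ran against one taken after it, and flags O20 Winlogon Notify entries
whose path is not a .dll file.  Assumption: when HijackThis prints a bare
directory there (e.g. "tuvSllLF - C:\\WINDOWS\\") it could not resolve the
notification DLL, which is worth a closer look rather than a shrug.
"""
import re
from dataclasses import dataclass

# "O20 - Winlogon Notify: name - path"; the kind prefix covers R#, F# and O# lines.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # e.g. "O4", "O20", "O23"
    body: str  # everything after "O20 - "

    @property
    def line(self):
        return f"{self.kind} - {self.body}"


def parse_hjt(text):
    """Return the entry lines of a HijackThis log; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body").rstrip()))
    return entries


def diff_hjt(before_text, after_text):
    """(removed, added) entry lines between two logs, ignoring order."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return ([e.line for e in sorted(before - after)],
            [e.line for e in sorted(after - before)])


def suspicious_winlogon_notify(entries):
    """O20 Winlogon Notify entries whose 'path' is not a resolvable .dll file."""
    findings = []
    for e in entries:
        if e.kind != "O20":
            continue
        m = WINLOGON_RE.match(e.body)
        if not m:
            continue  # AppInit_DLLs and other O20 forms are not checked here
        name, path = m.group("name"), m.group("path").strip()
        if not path.lower().endswith(".dll"):
            findings.append((name, path,
                             "path is a directory, not a .dll: notify DLL could not be resolved"))
    return findings


def triage(before_text, after_text):
    """One-call summary: what a cleanup run changed, and what still needs a look."""
    removed, added = diff_hjt(before_text, after_text)
    return {
        "removed": removed,
        "added": added,
        "winlogon_findings": suspicious_winlogon_notify(parse_hjt(after_text)),
    }


# Sample input: excerpts copied from the two HijackThis logs in this thread
# (first log before TeaTimer was disabled, second log after), trimmed to a few lines.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvSllLF - C:\WINDOWS\
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvSllLF - C:\WINDOWS\
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    summary = triage(BEFORE_LOG, AFTER_LOG)
    for line in summary["removed"]:
        print("- gone:  ", line)
    for line in summary["added"]:
        print("+ new:   ", line)
    for name, path, why in summary["winlogon_findings"]:
        print("! check: ", name, "->", path, "(", why, ")")
```

Run it as a script to print what the step removed, what it added, and which Winlogon Notify entries still look wrong; on these excerpts the only removal is the TeaTimer Run entry (the step the helper asked for), nothing was added, and the `tuvSllLF` entry is still present, which is why a second, deeper log is the right next move. The diff is set-based on purpose: HijackThis lists entries in registry order, so small reorderings between runs should not show up as changes.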

#4 nah1 (Topic Starter, New Member, 6 posts)
OK, first off, thanks for your replies and for your help.

OK, I closed TeaTimer in Spybot like you told me.
Then I downloaded VundoFix and ran it. It found the infection; here is the log.
And now I see why my VundoFix didn't find anything: my version was 7.0.5, you gave me the link to 7.0.6, and it found the detection.

What I can't understand is that I have BitDefender, Spybot, SUPERAntiSpyware and Spyware Doctor, all updated and licensed, and those didn't find anything :)

Why could the regular antiviruses not find anything? I updated my Java because I heard it comes in from Java, and it's very weird, I haven't visited any pages or downloaded something suspicious; I don't even know where it came from.

VundoFix V7.0.6

Scan started at 20:01:43 23.07.2008

Listing files found while scanning....

C:\Windows\system32\NCTAudioCDGrabber2.dll
C:\Windows\system32\NCTAudioFile2.dll
C:\Windows\system32\NCTAudioPlayer2.dll
C:\Windows\system32\NCTAudioRecord2.dll
C:\Windows\system32\NCTAVIFile.dll
C:\Windows\system32\NCTQuickTimeFile.dll
C:\Windows\system32\NCTVideoCoreM.dll
C:\Windows\system32\NCTWMAFile2.dll

Beginning removal...

Attempting to delete C:\Windows\system32\NCTAudioCDGrabber2.dll
C:\Windows\system32\NCTAudioCDGrabber2.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTAudioFile2.dll
C:\Windows\system32\NCTAudioFile2.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTAudioPlayer2.dll
C:\Windows\system32\NCTAudioPlayer2.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTAudioRecord2.dll
C:\Windows\system32\NCTAudioRecord2.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTAVIFile.dll
C:\Windows\system32\NCTAVIFile.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTQuickTimeFile.dll
C:\Windows\system32\NCTQuickTimeFile.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTVideoCoreM.dll
C:\Windows\system32\NCTVideoCoreM.dll Has been deleted!

Attempting to delete C:\Windows\system32\NCTWMAFile2.dll
C:\Windows\system32\NCTWMAFile2.dll Has been deleted!

Performing Repairs to the registry.
Done!

OK, now I ran HijackThis and got this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:18:42, on 23.07.2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = neptun.ksk;venus.ksk;pluto;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200247487046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvSllLF - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9255 bytes

OK, now here is the DSS main log:

Deckard's System Scanner v20071014.68
Run by ivor on 2008-07-23 20:20:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-23 17:20:02 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 21.15 GiB (less than 15%) free.


-- HijackThis (run as ivor.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22:14, on 23.07.2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ivor\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ivor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = neptun.ksk;venus.ksk;pluto;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200247487046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvSllLF - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9198 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080529-211655-138 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
backup-20080531-081038-354 O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
backup-20080531-081038-533 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
backup-20080531-081038-574 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
backup-20080531-081106-163 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
backup-20080531-081106-348 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
backup-20080531-081106-985 O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
backup-20080604-081541-370 O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
backup-20080604-081541-591 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
backup-20080604-081541-798 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
backup-20080608-231519-261 O4 - HKLM\..\Run: [BM7351d1a5] Rundll32.exe "C:\WINDOWS\system32\cncjqmco.dll",s
backup-20080617-131245-635 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-131245-656 O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
backup-20080617-131507-264 O2 - BHO: (no name) - {B1725668-957E-4BD3-8AE4-4FFBBC5ACB67} - (no file)
backup-20080617-131507-284 O2 - BHO: (no name) - {F3EA90E5-74D6-430F-9931-EE8FE3042F57} - (no file)
backup-20080617-131507-474 O2 - BHO: (no name) - {07860EE1-05AA-4062-AA0A-AF82EE24A258} - C:\WINDOWS\system32\hgGvwxxV.dll (file missing)
backup-20080617-131507-506 O2 - BHO: (no name) - {3FD53FAF-8167-49B9-8038-0FD2AD4A66E5} - (no file)
backup-20080617-131507-510 O2 - BHO: (no name) - {84E02E07-EE99-4F41-A1FB-BE9008C4EA47} - (no file)
backup-20080617-131507-516 O2 - BHO: (no name) - {7EC5DC5D-E5BE-484F-BE03-4D9BF683C364} - (no file)
backup-20080617-131507-524 O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - (no file)
backup-20080617-131507-586 O2 - BHO: (no name) - {7844CE99-E383-4FB7-BC53-A9AEA0319039} - C:\WINDOWS\system32\urqOHBtU.dll (file missing)
backup-20080617-131507-684 O2 - BHO: (no name) - {3A88D9DC-45B2-4ECC-97CA-A8E0AD1C7EC3} - (no file)
backup-20080617-131507-767 O2 - BHO: (no name) - {EF6EC4FE-27CA-40B0-83ED-189DD9473F46} - (no file)
backup-20080617-131507-848 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080617-131507-869 O2 - BHO: (no name) - {36C65BE2-62E8-4F31-B8F6-28166EF90943} - C:\WINDOWS\system32\xxywwTno.dll (file missing)
backup-20080617-131507-928 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-131918-462 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - C:\WINDOWS\system32\awtsQJDw.dll (file missing)
backup-20080617-131918-580 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-211405-544 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - (no file)
backup-20080617-211406-159 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-211439-223 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080618-103624-281 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - (no file)
backup-20080618-115001-359 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080618-115128-429 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080721-231346-715 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>

S0 Cak46 - c:\windows\system32\drivers\cak46.sys (file missing)
S0 crT61 - c:\windows\system32\drivers\crt61.sys (file missing)
S0 Crt71 - c:\windows\system32\drivers\crt71.sys (file missing)
S0 Kik36 - c:\windows\system32\drivers\kik36.sys (file missing)
S0 Ljh81 - c:\windows\system32\drivers\ljh81.sys (file missing)
S0 Nnx35 - c:\windows\system32\drivers\nnx35.sys (file missing)
S0 puO14 - c:\windows\system32\drivers\puo14.sys (file missing)
S0 tbL81 - c:\windows\system32\drivers\tbl81.sys (file missing)
S0 Xfx13 - c:\windows\system32\drivers\xfx13.sys (file missing)
S1 Avg7Core (AVG7 Kernel) - c:\windows\system32\drivers\avg7core.sys (file missing)
S1 Avg7RsW (AVG7 Wrap Driver) - c:\windows\system32\drivers\avg7rsw.sys (file missing)
S1 Avg7RsXP (AVG7 Resident Driver XP) - c:\windows\system32\drivers\avg7rsxp.sys (file missing)
S3 ATE_PROCMON - c:\program files\anti trojan elite\atepmon.sys
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 Koh34 - c:\windows\system32\drivers\koh34.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 SolidWorks Licensing Service - "c:\program files\common files\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>
S4 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S4 AVGEMS (AVG E-mail Scanner) - c:\progra~1\grisoft\avg7\avgemc.exe (file missing)
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 PSEXESVC (PsExec) - c:\windows\psexesvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_50011458&REV_02\3&13C0B0C5&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_50011458&REV_02\3&13C0B0C5&0&FB
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-22 17:01:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-16 15:53:00 268 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-30 17:45:31 356 --a------ C:\WINDOWS\Tasks\Pareto UNS.job
2008-05-30 17:16:36 374 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-11-09 16:53:38 390 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2007-11-09 16:53:15 336 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-06-23 and 2008-07-23 -----------------------------

2008-07-23 20:01:43 0 d-------- C:\VundoFix Backups
2008-07-21 03:00:24 0 d-------- C:\Program Files\MSXML 4.0
2008-07-20 22:19:46 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-07-23 20:22:10 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-23 20:15:28 0 d-------- C:\Documents and Settings\ivor\Application Data\Hamachi
2008-07-23 12:32:50 0 d-------- C:\Documents and Settings\ivor\Application Data\uTorrent
2008-07-21 23:30:25 0 d-------- C:\Documents and Settings\ivor\Application Data\LimeWire
2008-07-21 12:52:20 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-20 22:19:16 0 d-------- C:\Program Files\Java
2008-07-20 22:07:36 0 d-------- C:\Program Files\Spyware Doctor
2008-06-19 12:59:28 33096 --a------ C:\Documents and Settings\ivor\Application Data\GDIPFONTCACHEV1.DAT
2008-06-18 16:59:06 0 d-------- C:\Documents and Settings\ivor\Application Data\SolidWorks
2008-06-18 00:24:03 0 d-------- C:\Program Files\HiddenFinder
2008-06-17 22:24:22 77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; BitDefender; BitDefender Communicator>
2008-06-17 21:33:14 0 d-------- C:\Documents and Settings\ivor\Application Data\BitDefender
2008-06-17 21:32:45 0 d-------- C:\Program Files\BitDefender
2008-06-12 15:49:25 0 d-------- C:\Program Files\DWGeditor
2008-06-12 15:48:31 0 d-------- C:\Program Files\Common Files\eDrawings2007
2008-06-12 15:47:31 0 d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-06-12 15:46:45 0 d-------- C:\Program Files\SolidWorks
2008-06-12 15:43:53 0 d-------- C:\Program Files\Common Files
2008-06-11 14:37:51 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-10 23:18:29 0 d-------- C:\Documents and Settings\ivor\Application Data\DivX
2008-06-10 17:49:18 0 d-------- C:\Program Files\Final Codecs
2008-06-10 16:57:47 680 --a------ C:\Documents and Settings\ivor\Application Data\coreavc.ini
2008-06-10 16:57:47 0 d-------- C:\Documents and Settings\ivor\Application Data\BSplayer PRO
2008-06-10 16:57:22 0 d-------- C:\Program Files\Common Files\Real
2008-06-10 16:56:17 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-09 14:49:00 3906 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-09 14:11:48 392589 --ahs---- C:\WINDOWS\system32\VxxwvGgh.ini2
2008-06-09 13:21:37 0 d-------- C:\Documents and Settings\ivor\Application Data\SUPERAntiSpyware.com
2008-06-09 13:21:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 01:02:59 0 d-------- C:\Program Files\Anti Trojan Elite
2008-06-09 00:26:22 0 d-------- C:\Documents and Settings\ivor\Application Data\Comodo
2008-06-09 00:26:19 0 d-------- C:\Program Files\COMODO
2008-06-09 00:25:13 362365 --ahs---- C:\WINDOWS\system32\onTwwyxx.ini2
2008-06-08 23:46:32 385210 --ahs---- C:\WINDOWS\system32\UtBHOqru.ini2
2008-06-08 17:32:19 0 d-------- C:\Documents and Settings\ivor\Application Data\DWGeditor
2008-06-08 17:21:39 0 d-------- C:\Documents and Settings\ivor\Application Data\DassaultSystemes
2008-06-08 17:14:17 0 d-------- C:\Program Files\Common Files\Solidworks Data
2008-06-08 17:10:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 00:04:17 0 d-------- C:\Documents and Settings\ivor\Application Data\Mask Pro 4.0
2008-06-03 23:56:10 0 d-------- C:\Program Files\onOne Software
2008-06-02 20:06:02 0 d-------- C:\Program Files\MSN Messenger
2008-06-01 22:35:22 0 d-------- C:\Program Files\Movie Maker
2008-06-01 22:34:16 24916 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-01 22:33:47 0 d-------- C:\Program Files\Messenger
2008-06-01 22:33:44 0 d-------- C:\Program Files\Windows NT
2008-05-30 23:50:06 0 d-------- C:\Documents and Settings\ivor\Application Data\MSN6
2008-05-30 17:52:19 0 d-------- C:\Documents and Settings\ivor\Application Data\PC Tools
2008-05-30 10:21:37 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-29 21:24:26 320 --a------ C:\WINDOWS\8E8P4MGQLP8YPYWE3380
2008-05-29 21:10:06 0 d-------- C:\Program Files\Trend Micro
2008-05-29 09:35:36 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-27 14:51:49 0 d-------- C:\Documents and Settings\ivor\Application Data\Adobe
2008-05-18 21:40:35 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [12.07.2006 12:58]
"SkyTel"="SkyTel.EXE" [16.05.2006 13:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05.12.2007 01:41]
"nwiz"="nwiz.exe" [05.12.2007 01:41 C:\WINDOWS\system32\nwiz.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [13.02.2007 21:29]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [06.03.2008 14:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10.06.2008 04:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28.03.2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30.03.2008 10:36]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05.12.2007 01:41]
"RTHDCPL"="RTHDCPL.EXE" [21.07.2006 11:56 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [03.05.2005 13:43 C:\WINDOWS\ALCMTR.EXE]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [20.07.2008 16:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [26.01.2008 07:57]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19.01.2007 12:54]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12.11.2006 13:48]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [05.03.2007 13:57]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\ivor\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16.03.2005 20:16:50]
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [10.01.2008 23:20:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13.02.2001 1:01:04]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [29.03.2007 15:46:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13.05.2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSllLF]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGvwxxV

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cak46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\crT61.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Crt71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kik36.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Koh34.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ljh81.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nnx35.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puO14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tbL81.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfx13.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk
backup=C:\WINDOWS\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
"C:\Program Files\COMODO\Firewall\cfp.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NodLogin]
"C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
bdx scan

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\Autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{023f31f2-652a-11dc-b160-0016e684e3ee}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{122cb9a2-30b0-11dd-94c7-c0e4ea1983bd}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3611f509-96d1-11dc-b18d-0016e684e3ee}]
Setup\command- J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cf60a3-48e7-11dc-b14d-0016e684e3ee}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eab5642-dd7b-11db-b5cc-806d6172696f}]
AutoRun\command- D:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56b1-f9b1-11dc-88ab-0016e684e3ee}]
Setup\command- L:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56c8-f9b1-11dc-88ab-0016e684e3ee}]
Setup\command- J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d285567a-04de-11dd-88b6-0016e684e3ee}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df3ab360-f00d-11db-aaaf-0016e684e3ee}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2cdb450-a6a5-11dc-b19a-0016e684e3ee}]
Setup\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ead65e51-ffc1-11db-aab0-0016e684e3ee}]
Setup\command- J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1441c2-d7f1-11dc-b1bc-0016e684e3ee}]
Setup\command- setup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 update.bitdefender.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

8829 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-23 20:22:54 ------------

OK, the extra scan:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of Memory in Use: 15%
Physical Memory (total/avail): 3583.48 MiB / 3040.08 MiB
Pagefile Memory (total/avail): 5465.31 MiB / 4950.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.34 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 186.3 GiB total, 21.15 GiB free.
D: is CDROM (No Media)
I: is Fixed (NTFS) - 279.47 GiB total, 263.12 GiB free.

\\.\PHYSICALDRIVE1 - Maxtor 6L300S0 - 279.47 GiB - 1 partition
\PARTITION0 - Installable File System - 279.47 GiB - I:

\\.\PHYSICALDRIVE0 - ST3200822AS - 186.31 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 186.3 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ivor\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IVOR-864782D9D5
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ivor
INCLUDE=c:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\;C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
LIB=c:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\;C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\IVOR-864782D9D5
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ivor\LOCALS~1\Temp
TMP=C:\DOCUME~1\ivor\LOCALS~1\Temp
USERDOMAIN=IVOR-864782D9D5
USERNAME=ivor
USERPROFILE=C:\Documents and Settings\ivor
VS71COMNTOOLS=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ivor (admin)
Administrator.IVOR-864782D9D5 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{A5B5A16D-277A-476B-8F62-1029A2F23072}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AGEIA PhysX v8.01.18 --> MsiExec.exe /X{A5B5A16D-277A-476B-8F62-1029A2F23072}
Anti Trojan Elite 4.0.4 --> "C:\Program Files\Anti Trojan Elite\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BitDefender Total Security 2008 --> MsiExec.exe /I{0F25993F-A294-4F9B-B794-E30EBBF7F86A}
Call of Duty® 4 - Modern Warfare™ 1.3 Patch --> C:\Program Files\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Command & Conquer™ 3: Kane's Wrath --> MsiExec.exe /I{CC2422C9-F7B5-4175-B295-5EC2283AA674}
COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
DWGeditor --> MsiExec.exe /X{B2529250-5623-432E-80E0-24FDA6DD9202}
eDrawings 2007 --> MsiExec.exe /I{E5A93086-C9A3-4BD6-9227-61C67D9F900C}
Final Codecs 2008 New Year Edition --> C:\Program Files\Final Codecs\uninst.exe
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
Hex-Rays Decompiler v1.0 --> "C:\Program Files\IDA\plugins\unins000.exe"
Hidden Finder 1.4.3 --> "C:\Program Files\HiddenFinder\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IDA Pro Advanced v5.2 with WinCE v5.0 debugger --> "C:\Program Files\IDA\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Japanese Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5760-0000-800000000003}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lightroom --> MsiExec.exe /I{84918CAE-2B7D-401E-98E0-557F97BA7857}
LimeWire PRO 4.16.0 --> "C:\Program Files\LimeWire\uninstall.exe"
Mask Pro 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2DFAC810-6DD8-4E23-96A4-BEB118408203}\setup.exe" -l0x9 -uninst -removeonly
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{20DEB77C-21D6-4D22-BB47-233E47613D57}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Power Retouche Pro --> C:\Program Files\Adobe\Adobe Photoshop CS2\Plug-Ins\PowerRetouche\UnInstall_PRPro.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Regio Eesti CD-atlas (ver 4.0) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Regio\Atlas 4.0\Uninst.isu"
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
SolidWorks 2007-2008 Student Design Kit --> MsiExec.exe /X{470FB20B-0FCD-4DB4-9DE9-0744E
#5
nah1 (Topic Starter, New Member, 6 posts)
Jesus Christ, I downloaded Malwarebytes Anti-Malware and did a scan!!!!

The result is depressing, here is the screenshot:
http://img225.images...vundopicix6.jpg

This scan I did after the VundoFix, SUPERAntiSpyware, Spybot and BitDefender scans.

And here is the Malwarebytes Anti-Malware log:
Malwarebytes' Anti-Malware 1.22
Database version: 984
Windows 5.1.2600 Service Pack 3, v.3300

22:39:37 23.07.2008
mbam-log-7-23-2008 (22-39-37).txt

Scan type: Full Scan (C:\|D:\|I:\|)
Objects scanned: 211030
Time elapsed: 1 hour(s), 33 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bd3c6f7c-6c8d-48f6-ac52-5e4071aeb257} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\ivor\Desktop\coding section\Last sof2 täiesti viimane\SoF2\Release\SoF2.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
I:\c ketta asjad kõik\coding section\Last sof2 täiesti viimane\SoF2\Release\SoF2.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7351d1a5.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM7351d1a5.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
#6
Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
nah1, a lot of anti-virus programs have issues with Vundo, so it's no surprise that BitDefender does too. But let's go ahead and take care of the rest of it.

STEP ONE
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\tuvSllLF.dll
    C:\WINDOWS\system32\VxxwvGgh.ini2
    C:\WINDOWS\system32\onTwwyxx.ini2
    C:\WINDOWS\system32\UtBHOqru.ini2
    Cak46 <delete service>
    crT61 <delete service>
    Crt71 <delete service>
    Kik36 <delete service>
    Ljh81 <delete service>
    Nnx35 <delete service>
    puO14 <delete service>
    tbL81 <delete service>
    Xfx13 <delete service>
    Koh34 <delete service>
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSllLF
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cak46.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\crT61.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Crt71.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kik36.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Koh34.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ljh81.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nnx35.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puO14.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tbL81.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfx13.sys
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{023f31f2-652a-11dc-b160-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{122cb9a2-30b0-11dd-94c7-c0e4ea1983bd}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3611f509-96d1-11dc-b18d-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cf60a3-48e7-11dc-b14d-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eab5642-dd7b-11db-b5cc-806d6172696f}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56b1-f9b1-11dc-88ab-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56c8-f9b1-11dc-88ab-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d285567a-04de-11dd-88b6-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df3ab360-f00d-11db-aaaf-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2cdb450-a6a5-11dc-b19a-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ead65e51-ffc1-11db-aab0-0016e684e3ee}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1441c2-d7f1-11dc-b1bc-0016e684e3ee}
    Purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

STEP TWO

Next, I would like you to open a new text document. Go to the Start Menu, then All Programs/Programs, then Accessories, then click Notepad.

Copy the following into the Notepad window.
@echo off
rem Restore the NCT codec DLLs that VundoFix moved aside as .bad backups
copy "C:\VundoFix Backups\NCTAudioCDGrabber2.dll.bad" "C:\Windows\system32\NCTAudioCDGrabber2.dll"
copy "C:\VundoFix Backups\NCTAudioFile2.dll.bad" "C:\Windows\system32\NCTAudioFile2.dll"
copy "C:\VundoFix Backups\NCTAudioPlayer2.dll.bad" "C:\Windows\system32\NCTAudioPlayer2.dll"
copy "C:\VundoFix Backups\NCTAudioRecord2.dll.bad" "C:\Windows\system32\NCTAudioRecord2.dll"
copy "C:\VundoFix Backups\NCTAVIFile.dll.bad" "C:\Windows\system32\NCTAVIFile.dll"
copy "C:\VundoFix Backups\NCTQuickTimeFile.dll.bad" "C:\Windows\system32\NCTQuickTimeFile.dll"
copy "C:\VundoFix Backups\NCTVideoCoreM.dll.bad" "C:\Windows\system32\NCTVideoCoreM.dll"
copy "C:\VundoFix Backups\NCTWMAFile2.dll.bad" "C:\Windows\system32\NCTWMAFile2.dll"

Now, in Notepad go to File, then Save As. Change the location to your desktop by clicking the Desktop icon on the left-hand side. Then where it says "*.txt", replace that with "gtgfix.bat", change the "Save as type" to "All Files", then click Save.

You should now have a file on your desktop called gtgfix.bat; go ahead and double-click on that file.

Then, if you would, please provide me with a new DSS log. It will only produce the main.txt this time, so just post that.

#7
nah1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Step1 OTMoveIt2 log:

Explorer killed successfully
File/Folder C:\WINDOWS\tuvSllLF.dll not found.
C:\WINDOWS\system32\VxxwvGgh.ini2 moved successfully.
C:\WINDOWS\system32\onTwwyxx.ini2 moved successfully.
C:\WINDOWS\system32\UtBHOqru.ini2 moved successfully.
Cak46 service deleted successfully.
crT61 service deleted successfully.
Crt71 service deleted successfully.
Kik36 service deleted successfully.
Ljh81 service deleted successfully.
Nnx35 service deleted successfully.
puO14 service deleted successfully.
tbL81 service deleted successfully.
Xfx13 service deleted successfully.
Koh34 service deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSllLF >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSllLF\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cak46.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cak46.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\crT61.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\crT61.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Crt71.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Crt71.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kik36.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kik36.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Koh34.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Koh34.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ljh81.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ljh81.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nnx35.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Nnx35.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puO14.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\puO14.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tbL81.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tbL81.sys\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfx13.sys >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Xfx13.sys\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{023f31f2-652a-11dc-b160-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{023f31f2-652a-11dc-b160-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{122cb9a2-30b0-11dd-94c7-c0e4ea1983bd} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{122cb9a2-30b0-11dd-94c7-c0e4ea1983bd}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3611f509-96d1-11dc-b18d-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3611f509-96d1-11dc-b18d-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cf60a3-48e7-11dc-b14d-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40cf60a3-48e7-11dc-b14d-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eab5642-dd7b-11db-b5cc-806d6172696f} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eab5642-dd7b-11db-b5cc-806d6172696f}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56b1-f9b1-11dc-88ab-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56b1-f9b1-11dc-88ab-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56c8-f9b1-11dc-88ab-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84ea56c8-f9b1-11dc-88ab-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d285567a-04de-11dd-88b6-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d285567a-04de-11dd-88b6-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df3ab360-f00d-11db-aaaf-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df3ab360-f00d-11db-aaaf-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2cdb450-a6a5-11dc-b19a-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2cdb450-a6a5-11dc-b19a-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ead65e51-ffc1-11db-aab0-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ead65e51-ffc1-11db-aab0-0016e684e3ee}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1441c2-d7f1-11dc-b1bc-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee1441c2-d7f1-11dc-b1bc-0016e684e3ee}\\ deleted successfully.
< Purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFDE47.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFE203.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFEF2F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFF036.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\tmp00001c59\tmp00000000 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07272008_175956

Files moved on Reboot...
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFDE47.tmp not found!
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFE203.tmp not found!
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFEF2F.tmp not found!
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFF036.tmp not found!
File C:\WINDOWS\temp\tmp00001c59\tmp00000000 not found!

OK, and now the new DSS log:

Deckard's System Scanner v20071014.68
Run by ivor on 2008-07-27 18:09:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 20.87 GiB (less than 15%) free.


-- HijackThis (run as ivor.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:29, on 27.07.2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ivor\Desktop\antiviruste installerid\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ivor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = neptun.ksk;venus.ksk;pluto;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200247487046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9186 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 18:07:18 403968 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll <Not Verified; Online Media Technologies Ltd.; NCTWMAFile2 ActiveX DLL>
2008-07-27 18:07:18 495104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
2008-07-27 18:07:17 249856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
2008-07-27 18:07:17 382464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
2008-07-27 18:07:16 467968 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioRecord2 ActiveX DLL>
2008-07-27 18:07:15 467456 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-07-27 18:07:14 877568 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-07-27 18:07:09 479744 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll <Not Verified; NCT; NCTAudioCDGrabber2 ActiveX DLL>
2008-07-24 12:45:23 0 d-------- C:\Program Files\Helicopter Strike Force
2008-07-23 20:57:25 0 d-------- C:\Documents and Settings\ivor\Application Data\Malwarebytes
2008-07-23 20:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 20:57:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 20:01:43 0 d-------- C:\VundoFix Backups
2008-07-21 03:00:24 0 d-------- C:\Program Files\MSXML 4.0
2008-07-20 22:19:46 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-07-27 18:09:21 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-27 18:03:50 0 d-------- C:\Documents and Settings\ivor\Application Data\Hamachi
2008-07-24 10:14:13 0 d-------- C:\Program Files\Spyware Doctor
2008-07-23 12:32:50 0 d-------- C:\Documents and Settings\ivor\Application Data\uTorrent
2008-07-21 23:30:25 0 d-------- C:\Documents and Settings\ivor\Application Data\LimeWire
2008-07-21 12:52:20 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-20 22:19:16 0 d-------- C:\Program Files\Java
2008-06-19 12:59:28 33096 --a------ C:\Documents and Settings\ivor\Application Data\GDIPFONTCACHEV1.DAT
2008-06-18 16:59:06 0 d-------- C:\Documents and Settings\ivor\Application Data\SolidWorks
2008-06-18 00:24:03 0 d-------- C:\Program Files\HiddenFinder
2008-06-17 22:24:22 77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; BitDefender; BitDefender Communicator>
2008-06-17 21:33:14 0 d-------- C:\Documents and Settings\ivor\Application Data\BitDefender
2008-06-17 21:32:45 0 d-------- C:\Program Files\BitDefender
2008-06-12 15:49:25 0 d-------- C:\Program Files\DWGeditor
2008-06-12 15:48:31 0 d-------- C:\Program Files\Common Files\eDrawings2007
2008-06-12 15:47:31 0 d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-06-12 15:46:45 0 d-------- C:\Program Files\SolidWorks
2008-06-12 15:43:53 0 d-------- C:\Program Files\Common Files
2008-06-11 14:37:51 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-10 23:18:29 0 d-------- C:\Documents and Settings\ivor\Application Data\DivX
2008-06-10 17:49:18 0 d-------- C:\Program Files\Final Codecs
2008-06-10 16:57:47 680 --a------ C:\Documents and Settings\ivor\Application Data\coreavc.ini
2008-06-10 16:57:47 0 d-------- C:\Documents and Settings\ivor\Application Data\BSplayer PRO
2008-06-10 16:57:22 0 d-------- C:\Program Files\Common Files\Real
2008-06-10 16:56:17 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-09 14:49:00 3906 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-09 13:21:37 0 d-------- C:\Documents and Settings\ivor\Application Data\SUPERAntiSpyware.com
2008-06-09 13:21:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 01:02:59 0 d-------- C:\Program Files\Anti Trojan Elite
2008-06-09 00:26:22 0 d-------- C:\Documents and Settings\ivor\Application Data\Comodo
2008-06-09 00:26:19 0 d-------- C:\Program Files\COMODO
2008-06-08 17:32:19 0 d-------- C:\Documents and Settings\ivor\Application Data\DWGeditor
2008-06-08 17:21:39 0 d-------- C:\Documents and Settings\ivor\Application Data\DassaultSystemes
2008-06-08 17:14:17 0 d-------- C:\Program Files\Common Files\Solidworks Data
2008-06-08 17:10:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 00:04:17 0 d-------- C:\Documents and Settings\ivor\Application Data\Mask Pro 4.0
2008-06-03 23:56:10 0 d-------- C:\Program Files\onOne Software
2008-06-02 20:06:02 0 d-------- C:\Program Files\MSN Messenger
2008-06-01 22:35:22 0 d-------- C:\Program Files\Movie Maker
2008-06-01 22:34:16 24916 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-01 22:33:47 0 d-------- C:\Program Files\Messenger
2008-06-01 22:33:44 0 d-------- C:\Program Files\Windows NT
2008-05-30 23:50:06 0 d-------- C:\Documents and Settings\ivor\Application Data\MSN6
2008-05-30 17:52:19 0 d-------- C:\Documents and Settings\ivor\Application Data\PC Tools
2008-05-30 10:21:37 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-29 21:24:26 320 --a------ C:\WINDOWS\8E8P4MGQLP8YPYWE3380
2008-05-29 21:10:06 0 d-------- C:\Program Files\Trend Micro
2008-05-29 09:35:36 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-27 14:51:49 0 d-------- C:\Documents and Settings\ivor\Application Data\Adobe
2008-05-18 21:40:35 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [12.07.2006 12:58]
"SkyTel"="SkyTel.EXE" [16.05.2006 13:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05.12.2007 01:41]
"nwiz"="nwiz.exe" [05.12.2007 01:41 C:\WINDOWS\system32\nwiz.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [13.02.2007 21:29]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [06.03.2008 14:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10.06.2008 04:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28.03.2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30.03.2008 10:36]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05.12.2007 01:41]
"RTHDCPL"="RTHDCPL.EXE" [21.07.2006 11:56 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [03.05.2005 13:43 C:\WINDOWS\ALCMTR.EXE]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [20.07.2008 16:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [26.01.2008 07:57]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19.01.2007 12:54]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12.11.2006 13:48]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [05.03.2007 13:57]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\ivor\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16.03.2005 20:16:50]
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [10.01.2008 23:20:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13.02.2001 1:01:04]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [29.03.2007 15:46:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13.05.2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGvwxxV

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk
backup=C:\WINDOWS\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
"C:\Program Files\COMODO\Firewall\cfp.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NodLogin]
"C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
bdx scan

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{962d8446-723f-11dc-b171-0016e684e3ee}]
Setup\command- setup.exe




-- End of Deckard's System Scanner: finished at 2008-07-27 18:09:54 ------------

#8
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
STEP ONE
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{962d8446-723f-11dc-b171-0016e684e3ee}
    Purity
    EmptyTemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP TWO
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications

Next, I would like you open a new text document. Go to the Start Menu, then All Programs/Programs, then to Accessories, then click Notepad.

Copy the following into the Notepad window.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6D,00,73,00,76,00,31,00,5F,00,30,00,00,00,00,00

Now, in Notepad go to File and then Save As. Change the location to your desktop by clicking the Desktop icon on the left hand side. Then where it has "*.txt", replace that with "gtgfix.reg", then change the Save as type to "All Files", then click Save.

You should now have a file on your desktop called gtgfix.reg, go ahead and double click on that file. It will ask if you want to import this into the registry, just click yes.

STEP THREE
Click on Start, click on Run.
Copy and paste the following in bold in the open window and then click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When finished,
please post back both logs that open in Notepad:
main.txt and extra.txt

Edited by Gravity Gripp, 27 July 2008 - 03:44 PM.

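As an added example (not code from the helper's post or from any of the tools named above): the `hex(7):` body in gtgfix.reg is simply the UTF-16LE bytes of the REG_MULTI_SZ list `msv1_0` followed by its two terminators. This Python script encodes and decodes that form, parses the DSS "Authentication Packages" line quoted earlier in the thread, and flags any package that is not the one the fix restores. The function names, the `EXPECTED_PACKAGES` set and the DSS line-splitting rule are assumptions of this example.

```python
"""Encode/decode REG_MULTI_SZ ("hex(7)") values as written in .reg files and
check an LSA "Authentication Packages" list for entries that should not be
there.  Added example for this thread; not a tool from the original post."""
import re

# The value the helper's gtgfix.reg writes back (copied from the post above).
PAGE_HEX = "6D,00,73,00,76,00,31,00,5F,00,30,00,00,00,00,00"

# Assumption of this example: a stock Windows XP LSA list holds only msv1_0.
EXPECTED_PACKAGES = {"msv1_0"}


def encode_multi_sz(strings):
    """Return the comma-separated hex(7) body for a REG_MULTI_SZ value.

    Each string is UTF-16LE plus its own NUL terminator; the whole list is
    closed by one more empty string, i.e. two extra zero bytes.
    """
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data += b"\x00\x00"
    return ",".join(f"{b:02X}" for b in data)


def decode_multi_sz(hex_body):
    """Inverse of encode_multi_sz: hex(7) body -> list of strings.

    Long values in .reg files are wrapped with a trailing backslash and an
    indented continuation line, so backslashes and whitespace are dropped
    before the comma-separated bytes are read.
    """
    cleaned = re.sub(r"[\\\s]", "", hex_body)
    raw = bytes(int(tok, 16) for tok in cleaned.split(",") if tok)
    text = raw.decode("utf-16-le")
    # Splitting on NUL leaves the two terminators as empty strings; a
    # MULTI_SZ cannot contain an empty element, so dropping them is safe.
    return [part for part in text.split("\x00") if part]


def reg_fix_file(key, name, strings):
    """Build the text of a .reg file that rewrites one REG_MULTI_SZ value,
    in the same layout as the helper's gtgfix.reg."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{key}]\r\n"
        f'"{name}"=hex(7):{encode_multi_sz(strings)}\r\n'
    )


def parse_dss_multi_line(line):
    """Split a DSS registry-dump line such as
         "Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\hgGvwxxV
    into (value name, [entries]).  Assumption: DSS prints MULTI_SZ entries
    separated by spaces, so an entry containing a space would be split.
    """
    name, _, rest = line.partition("=")
    return name.strip().strip('"'), rest.split()


def suspicious_packages(entries, expected=EXPECTED_PACKAGES):
    """Return every entry that is not an expected LSA authentication
    package.  Vundo-style droppers append a randomly named DLL here so
    that lsass.exe loads it on every boot."""
    return [e for e in entries if e.lower() not in expected]


if __name__ == "__main__":
    # Constructed from the DSS dump quoted earlier in this thread.
    dss_line = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGvwxxV'
    name, entries = parse_dss_multi_line(dss_line)
    print(name, "->", entries)
    print("suspicious:", suspicious_packages(entries))
    print(reg_fix_file(r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa",
                       name, sorted(EXPECTED_PACKAGES)))
```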

#9
nah1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK, did step 1. Here is what I got:

Explorer killed successfully
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{962d8446-723f-11dc-b171-0016e684e3ee} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{962d8446-723f-11dc-b171-0016e684e3ee}\\ deleted successfully.
< Purity >
< EmptyTemp >
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFA03.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFA16.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFCA89.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFCB17.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\tmp00004aa0\tmp00000000 scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07282008_133128

Files moved on Reboot...
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFA03.tmp not found!
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFA16.tmp not found!
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFCA89.tmp not found!
File C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFCB17.tmp not found!
File C:\WINDOWS\temp\tmp00004aa0\tmp00000000 not found!



OK, now step 2: did it, had no problems.


OK, now step 3. Here is main.txt:


Deckard's System Scanner v20071014.68
Run by ivor on 2008-07-28 14:05:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-28 11:05:19 UTC - RP1 - System Checkpoint


Performed disk cleanup.

System Drive C: has 19.36 GiB (less than 15%) free.


-- HijackThis (run as ivor.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:05:28, on 28.07.2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\ivor\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ivor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.253:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = neptun.ksk;venus.ksk;pluto;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1200247487046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9517 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080529-211655-138 O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
backup-20080531-081038-354 O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
backup-20080531-081038-533 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
backup-20080531-081038-574 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
backup-20080531-081106-163 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
backup-20080531-081106-348 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
backup-20080531-081106-985 O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
backup-20080604-081541-370 O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
backup-20080604-081541-591 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
backup-20080604-081541-798 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
backup-20080608-231519-261 O4 - HKLM\..\Run: [BM7351d1a5] Rundll32.exe "C:\WINDOWS\system32\cncjqmco.dll",s
backup-20080617-131245-635 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-131245-656 O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
backup-20080617-131507-264 O2 - BHO: (no name) - {B1725668-957E-4BD3-8AE4-4FFBBC5ACB67} - (no file)
backup-20080617-131507-284 O2 - BHO: (no name) - {F3EA90E5-74D6-430F-9931-EE8FE3042F57} - (no file)
backup-20080617-131507-474 O2 - BHO: (no name) - {07860EE1-05AA-4062-AA0A-AF82EE24A258} - C:\WINDOWS\system32\hgGvwxxV.dll (file missing)
backup-20080617-131507-506 O2 - BHO: (no name) - {3FD53FAF-8167-49B9-8038-0FD2AD4A66E5} - (no file)
backup-20080617-131507-510 O2 - BHO: (no name) - {84E02E07-EE99-4F41-A1FB-BE9008C4EA47} - (no file)
backup-20080617-131507-516 O2 - BHO: (no name) - {7EC5DC5D-E5BE-484F-BE03-4D9BF683C364} - (no file)
backup-20080617-131507-524 O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - (no file)
backup-20080617-131507-586 O2 - BHO: (no name) - {7844CE99-E383-4FB7-BC53-A9AEA0319039} - C:\WINDOWS\system32\urqOHBtU.dll (file missing)
backup-20080617-131507-684 O2 - BHO: (no name) - {3A88D9DC-45B2-4ECC-97CA-A8E0AD1C7EC3} - (no file)
backup-20080617-131507-767 O2 - BHO: (no name) - {EF6EC4FE-27CA-40B0-83ED-189DD9473F46} - (no file)
backup-20080617-131507-848 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080617-131507-869 O2 - BHO: (no name) - {36C65BE2-62E8-4F31-B8F6-28166EF90943} - C:\WINDOWS\system32\xxywwTno.dll (file missing)
backup-20080617-131507-928 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-131918-462 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - C:\WINDOWS\system32\awtsQJDw.dll (file missing)
backup-20080617-131918-580 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-211405-544 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - (no file)
backup-20080617-211406-159 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080617-211439-223 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080618-103624-281 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - (no file)
backup-20080618-115001-359 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080618-115128-429 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080721-231346-715 O2 - BHO: (no name) - {F9A130D0-8BAE-4EAF-A9E7-243B675DE386} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.reg - regfile - shell\open\command - regedit.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 BDSelfPr - c:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>

S1 Avg7Core (AVG7 Kernel) - c:\windows\system32\drivers\avg7core.sys (file missing)
S1 Avg7RsW (AVG7 Wrap Driver) - c:\windows\system32\drivers\avg7rsw.sys (file missing)
S1 Avg7RsXP (AVG7 Resident Driver XP) - c:\windows\system32\drivers\avg7rsxp.sys (file missing)
S3 ATE_PROCMON - c:\program files\anti trojan elite\atepmon.sys
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S3 SolidWorks Licensing Service - "c:\program files\common files\solidworks shared\service\solidworkslicensing.exe" <Not Verified; SolidWorks; SolidWorks Licensing Service>
S4 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S4 AVGEMS (AVG E-mail Scanner) - c:\progra~1\grisoft\avg7\avgemc.exe (file missing)
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)
S4 PSEXESVC (PsExec) - c:\windows\psexesvc.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_50011458&REV_02\3&13C0B0C5&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_283E&SUBSYS_50011458&REV_02\3&13C0B0C5&0&FB
Service:

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: SCSI/RAID Host Controller
Device ID: ACPI\PNPA000\4&48FDEB35&0
Manufacturer: (Standard mass storage controllers)
Name: SCSI/RAID Host Controller
PNP Device ID: ACPI\PNPA000\4&48FDEB35&0
Service: a8lwj5g6


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 1312)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 240)
2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2008-06-17 22:13:33 155648 --a------ C:\Program Files\BitDefender\BitDefender 2008\bdshelxt.dll <Not Verified; BitDefender S.R.L; BDShellExt Module>
2008-06-17 22:13:33 77824 --a------ C:\Program Files\BitDefender\BitDefender 2008\bdutils.dll <Not Verified; SOFTWIN S.R.L.; BitDefender 11>
2007-04-17 16:30:02 90112 --a------ C:\Program Files\BitDefender\BitDefender 2008\txmlx.dll <Not Verified; SOFTWIN S.R.L.; >
2007-02-27 12:39:26 61440 --a------ C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware Context Menu Extension>
2006-09-14 00:20:24 126464 --a------ C:\Program Files\WinRAR\RarExt.dll
2007-12-05 01:41:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll

C:\WINDOWS\system32\svchost.exe (pid 1180)
2008-06-17 22:11:25 139264 --a------ C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll <Not Verified; S.C. BitDefender S.R.L; BitDefender 11>
2008-07-20 16:58:32 90112 --a------ C:\Program Files\BitDefender\BitDefender 2008\quarcore.dll <Not Verified; BitDefender S.R.L.; BitDefender 11>
2008-06-17 22:11:25 36864 --a------ C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\smartscn.dll <Not Verified; BitDefender; BitDefender>
2008-06-17 22:12:31 102400 --a------ C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_7102\bdcore.dll <Not Verified; BitDefender; >
2008-06-19 11:35:36 53248 --a------ C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\av32bit_7102\avxdisk.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-07-22 17:01:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-16 15:53:00 268 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-30 17:45:31 356 --a------ C:\WINDOWS\Tasks\Pareto UNS.job
2008-05-30 17:16:36 374 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-11-09 16:53:38 390 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2007-11-09 16:53:15 336 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-28 13:44:09 0 d-------- C:\WINDOWS\28.07.2008
2008-07-27 18:07:18 403968 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll <Not Verified; Online Media Technologies Ltd.; NCTWMAFile2 ActiveX DLL>
2008-07-27 18:07:18 495104 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll <Not Verified; NCT Company Ltd.; NCTVideoCoreM ActiveX DLL>
2008-07-27 18:07:17 249856 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll <Not Verified; Online Media Technologies Company Ltd.; NCTQuickTimeFile Module>
2008-07-27 18:07:17 382464 --a------ C:\WINDOWS\system32\NCTAVIFile.dll <Not Verified; NCT Company Ltd.; NCTAVIFile ActiveX DLL>
2008-07-27 18:07:16 467968 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioRecord2 ActiveX DLL>
2008-07-27 18:07:15 467456 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-07-27 18:07:14 877568 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-07-27 18:07:09 479744 --a------ C:\WINDOWS\system32\NCTAudioCDGrabber2.dll <Not Verified; NCT; NCTAudioCDGrabber2 ActiveX DLL>
2008-07-24 12:45:23 0 d-------- C:\Program Files\Helicopter Strike Force
2008-07-23 20:57:25 0 d-------- C:\Documents and Settings\ivor\Application Data\Malwarebytes
2008-07-23 20:57:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-23 20:57:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-23 20:01:43 0 d-------- C:\VundoFix Backups
2008-07-21 03:00:24 0 d-------- C:\Program Files\MSXML 4.0
2008-07-20 22:19:46 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-07-28 14:05:13 81984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-28 13:34:17 0 d-------- C:\Documents and Settings\ivor\Application Data\Hamachi
2008-07-28 06:49:03 0 d-------- C:\Documents and Settings\ivor\Application Data\uTorrent
2008-07-24 10:14:13 0 d-------- C:\Program Files\Spyware Doctor
2008-07-21 23:30:25 0 d-------- C:\Documents and Settings\ivor\Application Data\LimeWire
2008-07-21 12:52:20 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-20 22:19:16 0 d-------- C:\Program Files\Java
2008-06-19 12:59:28 33096 --a------ C:\Documents and Settings\ivor\Application Data\GDIPFONTCACHEV1.DAT
2008-06-18 16:59:06 0 d-------- C:\Documents and Settings\ivor\Application Data\SolidWorks
2008-06-18 00:24:03 0 d-------- C:\Program Files\HiddenFinder
2008-06-17 22:24:22 77824 --a------ C:\WINDOWS\system32\xcomm.dll <Not Verified; BitDefender; BitDefender Communicator>
2008-06-17 21:33:14 0 d-------- C:\Documents and Settings\ivor\Application Data\BitDefender
2008-06-17 21:32:45 0 d-------- C:\Program Files\BitDefender
2008-06-12 15:49:25 0 d-------- C:\Program Files\DWGeditor
2008-06-12 15:48:31 0 d-------- C:\Program Files\Common Files\eDrawings2007
2008-06-12 15:47:31 0 d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-06-12 15:46:45 0 d-------- C:\Program Files\SolidWorks
2008-06-12 15:43:53 0 d-------- C:\Program Files\Common Files
2008-06-11 14:37:51 0 d-------- C:\Program Files\Common Files\BitDefender
2008-06-10 23:18:29 0 d-------- C:\Documents and Settings\ivor\Application Data\DivX
2008-06-10 17:49:18 0 d-------- C:\Program Files\Final Codecs
2008-06-10 16:57:47 680 --a------ C:\Documents and Settings\ivor\Application Data\coreavc.ini
2008-06-10 16:57:47 0 d-------- C:\Documents and Settings\ivor\Application Data\BSplayer PRO
2008-06-10 16:57:22 0 d-------- C:\Program Files\Common Files\Real
2008-06-10 16:56:17 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-09 14:49:00 3906 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-09 13:21:37 0 d-------- C:\Documents and Settings\ivor\Application Data\SUPERAntiSpyware.com
2008-06-09 13:21:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 01:02:59 0 d-------- C:\Program Files\Anti Trojan Elite
2008-06-09 00:26:22 0 d-------- C:\Documents and Settings\ivor\Application Data\Comodo
2008-06-09 00:26:19 0 d-------- C:\Program Files\COMODO
2008-06-08 17:32:19 0 d-------- C:\Documents and Settings\ivor\Application Data\DWGeditor
2008-06-08 17:21:39 0 d-------- C:\Documents and Settings\ivor\Application Data\DassaultSystemes
2008-06-08 17:14:17 0 d-------- C:\Program Files\Common Files\Solidworks Data
2008-06-08 17:10:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 00:04:17 0 d-------- C:\Documents and Settings\ivor\Application Data\Mask Pro 4.0
2008-06-03 23:56:10 0 d-------- C:\Program Files\onOne Software
2008-06-02 20:06:02 0 d-------- C:\Program Files\MSN Messenger
2008-06-01 22:35:22 0 d-------- C:\Program Files\Movie Maker
2008-06-01 22:34:16 24916 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-01 22:33:47 0 d-------- C:\Program Files\Messenger
2008-06-01 22:33:44 0 d-------- C:\Program Files\Windows NT
2008-05-30 23:50:06 0 d-------- C:\Documents and Settings\ivor\Application Data\MSN6
2008-05-30 17:52:19 0 d-------- C:\Documents and Settings\ivor\Application Data\PC Tools
2008-05-30 10:21:37 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-29 21:24:26 320 --a------ C:\WINDOWS\8E8P4MGQLP8YPYWE3380
2008-05-29 21:10:06 0 d-------- C:\Program Files\Trend Micro
2008-05-29 09:35:36 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-18 21:40:35 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [12.07.2006 12:58]
"SkyTel"="SkyTel.EXE" [16.05.2006 13:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05.12.2007 01:41]
"nwiz"="nwiz.exe" [05.12.2007 01:41 C:\WINDOWS\system32\nwiz.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [13.02.2007 21:29]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [06.03.2008 14:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10.06.2008 04:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28.03.2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30.03.2008 10:36]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05.12.2007 01:41]
"RTHDCPL"="RTHDCPL.EXE" [21.07.2006 11:56 C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [03.05.2005 13:43 C:\WINDOWS\ALCMTR.EXE]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [20.07.2008 16:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [26.01.2008 07:57]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19.01.2007 12:54]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12.11.2006 13:48]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [05.03.2007 13:57]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

C:\Documents and Settings\ivor\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16.03.2005 20:16:50]
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [20.10.2005 12:04:08]
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [10.01.2008 23:20:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13.02.2001 1:01:04]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [29.03.2007 15:46:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13.05.2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk
backup=C:\WINDOWS\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
"C:\Program Files\COMODO\Firewall\cfp.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NodLogin]
"C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe" /o

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
bdx scan

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\setup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 update.bitdefender.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

8829 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-28 14:06:29 ------------



Here is the extra.txt:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 3583.48 MiB / 2942.84 MiB
Pagefile Memory (total/avail): 5465.31 MiB / 4875.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1871.01 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 186.3 GiB total, 19.36 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is Fixed (NTFS) - 279.47 GiB total, 263.12 GiB free.
K: is Removable (FAT32)

\\.\PHYSICALDRIVE1 - Maxtor 6L300S0 - 279.47 GiB - 1 partition
\PARTITION0 - Installable File System - 279.47 GiB - I:

\\.\PHYSICALDRIVE0 - ST3200822AS - 186.31 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 186.3 GiB - C:

\\.\PHYSICALDRIVE2 - Apple iPod USB Device - 1913.99 MiB - 1 partition
\PARTITION0 - Unknown - 1819.86 MiB - K:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ivor\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IVOR-864782D9D5
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ivor
INCLUDE=c:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\;C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
LIB=c:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\;C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\IVOR-864782D9D5
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ivor\LOCALS~1\Temp
TMP=C:\DOCUME~1\ivor\LOCALS~1\Temp
USERDOMAIN=IVOR-864782D9D5
USERNAME=ivor
USERPROFILE=C:\Documents and Settings\ivor
VS71COMNTOOLS=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ivor (admin)
Administrator.IVOR-864782D9D5 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec /X{A5B5A16D-277A-476B-8F62-1029A2F23072}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AGEIA PhysX v8.01.18 --> MsiExec.exe /X{A5B5A16D-277A-476B-8F62-1029A2F23072}
Anti Trojan Elite 4.0.4 --> "C:\Program Files\Anti Trojan Elite\unins000.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
BitDefender Total Security 2008 --> MsiExec.exe /I{0F25993F-A294-4F9B-B794-E30EBBF7F86A}
Call of Duty® 4 - Modern Warfare™ 1.3 Patch --> C:\Program Files\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Command & Conquer™ 3: Kane's Wrath --> MsiExec.exe /I{CC2422C9-F7B5-4175-B295-5EC2283AA674}
COMODO Firewall Pro --> C:\Program Files\COMODO\Firewall\cfpconfg.exe -u
DWGeditor --> MsiExec.exe /X{B2529250-5623-432E-80E0-24FDA6DD9202}
eDrawings 2007 --> MsiExec.exe /I{E5A93086-C9A3-4BD6-9227-61C67D9F900C}
ERUNT 1.1j --> "C:\Program Files\ERUNT\unins000.exe"
Final Codecs 2008 New Year Edition --> C:\Program Files\Final Codecs\uninst.exe
Hamachi 1.0.2.5 --> C:\Program Files\Hamachi\uninstall.exe
Helicopter Strike Force --> MsiExec.exe /I{09AD08C0-104D-4E58-92E0-E03CEABA9CD7}
Hex-Rays Decompiler v1.0 --> "C:\Program Files\IDA\plugins\unins000.exe"
Hidden Finder 1.4.3 --> "C:\Program Files\HiddenFinder\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IDA Pro Advanced v5.2 with WinCE v5.0 debugger --> "C:\Program Files\IDA\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Japanese Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5760-0000-800000000003}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Lightroom --> MsiExec.exe /I{84918CAE-2B7D-401E-98E0-557F97BA7857}
LimeWire PRO 4.16.0 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mask Pro 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2DFAC810-6DD8-4E23-96A4-BEB118408203}\setup.exe" -l0x9 -uninst -removeonly
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{20DEB77C-21D6-4D22-BB47-233E47613D57}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Power Retouche Pro --> C:\Program Files\Adobe\Adobe Photoshop CS2\Plug-Ins\PowerRetouche\UnInstall_PRPro.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Regio Eesti CD-atlas (ver 4.0) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Regio\Atlas 4.0\Uninst.isu"
Safari --> MsiExec.exe /I{40589552-3892-409E-B92C-9F5032A4B2F0}
SolidWorks 2007-2008 Student Design Kit --> MsiExec.exe /X{470FB20B-0FCD-4DB4-9DE9-0744E2DAC93C}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tone Mapping Plug-In 1.2 --> "C:\Program Files\Adobe\Adobe Photoshop CS2\Plug-Ins\Photomatix\unins000.exe"
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Turok --> C:\Program Files\InstallShield Installation Information\{1BC3AF44-D80E-4744-A8E1-9BC540424AC9}\setup.exe -runfromtemp -l0x0009Turok -removeonly
Uniblue SpyEraser --> "C:\Program Files\Uniblue\SpyEraser\unins000.exe"
Vertus Fluid Mask 3 3.0.8 --> "C:\Program Files\Vertus Fluid Mask 3\Uninstall.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3433 / Success
Event Submitted/Written: 07/28/2008 01:36:35 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3430 / Error
Event Submitted/Written: 07/28/2008 01:33:17 PM
Event ID/Source: 17204 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open failed: Could not open file c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf for file number 2. OS error: 5(Access is denied.).

Event Record #/Type3429 / Error
Event Submitted/Written: 07/28/2008 01:33:17 PM
Event ID/Source: 17207 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open: Operating system error 5(Access is denied.) occurred while creating or opening file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf'. Diagnose and correct the operating system error, and retry the operation.

Event Record #/Type3428 / Error
Event Submitted/Written: 07/28/2008 01:33:17 PM
Event ID/Source: 17204 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open failed: Could not open file c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf for file number 1. OS error: 5(Access is denied.).

Event Record #/Type3427 / Error
Event Submitted/Written: 07/28/2008 01:33:17 PM
Event ID/Source: 17207 / MSSQL$SQLEXPRESS
Event Description:
FCB::Open: Operating system error 5(Access is denied.) occurred while creating or opening file 'c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf'. Diagnose and correct the operating system error, and retry the operation.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3235 / Error
Event Submitted/Written: 07/28/2008 01:33:18 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
Avg7RsW
Avg7RsXP

Event Record #/Type3234 / Error
Event Submitted/Written: 07/28/2008 01:33:18 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The SQL Server (SQLEXPRESS) service terminated with service-specific error 3417 (0xD59).

Event Record #/Type3233 / Error
Event Submitted/Written: 07/28/2008 01:33:18 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TuneUp Theme Extension service failed to start due to the following error:
%%1083

Event Record #/Type3227 / Error
Event Submitted/Written: 07/28/2008 01:32:55 PM
Event ID/Source: 10016 / DCOM
Event Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.

Event Record #/Type3223 / Warning
Event Submitted/Written: 07/28/2008 07:41:22 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.



-- End of Deckard's System Scanner: finished at 2008-07-28 14:06:29 ------------
  • 0

#10
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,813 posts
nah1, a few more things here.


STEP ONE
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\8E8P4MGQLP8YPYWE3380
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


STEP TWO
Next, I would like you to open a new text document. Go to the Start Menu, then All Programs/Programs, then to Accessories, then click Notepad.

Copy the following into the Notepad window.
@echo off
rem List the VundoFix backup folder and write the listing to the root of drive C:
dir "C:\VundoFix Backups" > C:\gtgcheck.txt

Now, in Notepad go to File and then Save As. Change the location to your desktop by clicking the Desktop icon on the left hand side. Then where it has "*.txt", replace that with "gtgcheck.bat", then change the Save as type to "All Files", then click Save.

You should now have a file on your desktop called gtgcheck.bat; go ahead and double click on that file. This will create a file in the root of the hard drive called gtgcheck.txt.

If you go to Start->Run and type notepad c:\gtgcheck.txt it will open this file, please copy and paste that with your next reply.

STEP THREE
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0
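For reading the report that Step Three produces (the layout nah1 posts in the next reply), here is an added Python triage script. It is not part of this thread and not Kaspersky's own tooling: it separates real detections from the many "Object is locked skipped" lines, counts each status, and groups archive members onto the file that actually sits on disk, assuming Kaspersky's convention of separating archive members with "/". The sample report below is constructed for the example; the IEDFix.exe line mirrors the detection reported later in the thread, the other paths and names are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner report.
# Paths and the "Example.Win32.Constructed.a" name are placeholders.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\Desktop\tools\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\Downloads\setup.zip/setup.exe Infected: Example.Win32.Constructed.a skipped
C:\Downloads\setup.zip Infected: Example.Win32.Constructed.a skipped
C:\temp\odd.bin Suspicious: Hidden object skipped
"""

# One report line: <path> <Infected: name | Suspicious: name | Object is locked> <action>
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<kind>Infected|Suspicious): (?P<name>.+?)|Object is locked) "
    r"(?P<action>\S+)$"
)


def parse_report(text):
    """Turn report lines into dicts; header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind = m.group("kind") or "locked"
        findings.append({
            "path": m.group("path"),
            "status": kind.lower(),      # infected / suspicious / locked
            "name": m.group("name"),     # None for locked objects
            "action": m.group("action"),
        })
    return findings


def summarize(findings):
    """Count statuses and list detections per on-disk file.

    Kaspersky names archive members as <archive>/<member> (assumption), so
    everything up to the first '/' is the file a responder would act on.
    """
    counts = Counter(f["status"] for f in findings)
    detections = {}
    for f in findings:
        if f["status"] in ("infected", "suspicious"):
            container = f["path"].split("/")[0]
            detections.setdefault(container, set()).add(f["name"])
    return {
        "counts": dict(counts),
        "detections": {k: sorted(v) for k, v in detections.items()},
    }


if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT))
    print("status counts:", result["counts"])
    for path, names in result["detections"].items():
        print(f"{path}: {', '.join(names)}")
```

Locked objects (registry hives, browser databases, index.dat files) are expected on a live system and are not detections; the script keeps them only as a count so the detections list stays short enough to act on.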

#11
nah1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Step 1
C:\WINDOWS\8E8P4MGQLP8YPYWE3380
Scanner results : All Scanners reported not find malware!
Time : 2008/07/30 17:29:51 (EEST)
Scanner     | Engine Ver      | Sig Ver          | Sig Date   | Scan result | Time
a-squared   | 3.5.0.22        | 2008.07.29       | 2008-07-29 | -           | 2.624
AhnLab V3   | 2008.07.30.01   | 2008.07.30       | 2008-07-30 | -           | 0.865
AntiVir     | 7.8.1.12        | 7.0.5.193        | 2008-07-30 | -           | 2.147
Arcavir     | 1.0.5           | 200807292345     | 2008-07-29 | -           | 1.163
AVAST!      | 3.0.1           | 080729-1         | 2008-07-29 | -           | 0.002
AVG         | 7.5.51.442      | 270.5.7/1581     | 2008-07-30 | -           | 1.495
BitDefender | 7.60825.1410286 | 7.20260          | 2008-07-30 | -           | 2.628
CA (VET)    | 9.0.0.143       | 31.6.5995        | 2008-07-30 | -           | 0.640
ClamAV      | 0.93.3          | 7891             | 2008-07-30 | -           | 0.002
Comodo      | 2.11            | 2.0.0.601        | 2008-07-30 | -           | 0.446
CP Secure   | 1.1.0.715       | 2008.07.30       | 2008-07-30 | -           | 5.560
Dr.Web      | 4.44.0.9170     | 2008.07.30       | 2008-07-30 | -           | 3.012
ewido       | 4.0.0.2         | 2008.07.30       | 2008-07-30 | -           | 2.371
F-Prot      | 4.4.4.56        | 20080729         | 2008-07-29 | -           | 0.960
F-Secure    | 5.51.6100       | 2008.07.30.04    | 2008-07-30 | -           | 0.027
Fortinet    | 2.81-3.11       | 9.367            | 2008-07-30 | -           | 1.640
Ikarus      | T3.1.01.34      | 2008.07.30.71187 | 2008-07-30 | -           | 3.012
JiangMin    | 11.0.706        | 2008.07.30       | 2008-07-30 | -           | 2.051
Kaspersky   | 5.5.10          | 2008.07.30       | 2008-07-30 | -           | 0.018
KingSoft    | 2008.1.14.15    | 2008.7.30.18     | 2008-07-30 | -           | 0.545
McAfee      | 5.2.00          | 5349             | 2008-07-29 | -           | 2.546
Microsoft   | 1.3806          | 2008.07.30       | 2008-07-30 | -           | 4.677
mks_vir     | 2.01            | 2008.07.28       | 2008-07-28 | -           | 2.449
Norman      | 5.93.01         | 5.93.00          | 2008-07-28 | -           | 4.678
nProtect    | 2008-07-30.00   | 1736473          | 2008-07-30 | -           | 3.226
Panda       | 9.05.01         | 2008.07.29       | 2008-07-29 | -           | 2.572
Quick Heal  | 9.50            | 2008.07.07       | 2008-07-07 | -           | 1.663
Rising      | 20.0            | 20.55.22.00      | 2008-07-30 | -           | 0.234
Sophos      | 2.75.4          | 4.31             | 2008-07-30 | -           | 1.892
Sunbelt     | 3.1.1537.1      | 2169             | 2008-07-28 | -           | 0.389
Symantec    | 1.3.0.24        | 20080729.005     | 2008-07-29 | -           | 0.278
The Hacker  | 6.2.96          | v00389           | 2008-07-24 | -           | 0.374
Trend Micro | 8.700-1004      | 5.444.01         | 2008-07-30 | -           | 0.021
VBA32       | 3.12.8.1        | 20080729.0746    | 2008-07-29 | -           | 1.124
ViRobot     | 20080730        | 2008.07.30       | 2008-07-30 | -           | 0.407
VirusBuster | 4.5.11.10       | 10.82.26/596940  | 2008-07-29 | -           | 0.781




Step 2
Volume in drive C has no label.
Volume Serial Number is 7062-E296

Directory of C:\VundoFix Backups

23.07.2008 20:31 <DIR> .
23.07.2008 20:31 <DIR> ..
04.11.2004 21:31 479˙744 NCTAudioCDGrabber2.dll.bad
01.06.2005 20:11 877˙568 NCTAudioFile2.dll.bad
01.06.2005 20:11 467˙456 NCTAudioPlayer2.dll.bad
01.06.2005 20:12 467˙968 NCTAudioRecord2.dll.bad
08.06.2005 02:11 382˙464 NCTAVIFile.dll.bad
20.07.2005 01:53 249˙856 NCTQuickTimeFile.dll.bad
09.07.2005 02:31 495˙104 NCTVideoCoreM.dll.bad
26.05.2005 20:00 403˙968 NCTWMAFile2.dll.bad
8 File(s) 3˙824˙128 bytes
2 Dir(s) 10˙738˙147˙328 bytes free





Step 3
Kaspersky my computer scan


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 31, 2008 7:17:57 AM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3300 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/07/2008
Kaspersky Anti-Virus database records: 914924
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 187555
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 04:11:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ivor\Application Data\BitDefender\Desktop\Profiles\asdict.dat Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\cert8.db Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\history.dat Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\key3.db Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\parent.lock Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\search.sqlite Object is locked skipped
C:\Documents and Settings\ivor\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\ivor\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ivor\Desktop\antiviruste installerid\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_AC70_6312_7062_E296\dfsr.db Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_AC70_6312_7062_E296\fsr.log Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_AC70_6312_7062_E296\fsrtmp.log Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_AC70_6312_7062_E296\tmp.edb Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Application Data\Mozilla\Firefox\Profiles\87x55rby.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\History\History.IE5\MSHist012008073120080801\index.dat Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\temp\~DFB63F.tmp Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\temp\~DFB676.tmp Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\temp\~DFD779.tmp Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\temp\~DFD7BA.tmp Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\temp\~ROMFN_00000CF4 Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ivor\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ivor\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ivor\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\as2core\antispam_sig_13371\aspdict.dat Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db Object is locked skipped
C:\Program Files\BitDefender\BitDefender 2008\dbokf.db-journal Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F672C7A8-E66E-4409-B689-85EC9DAA3D25}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-144730-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-144824-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-145611-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-150041-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-150106-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-151111-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-175358-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180823-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180826-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180831-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180838-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180900-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180950-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180954-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181001-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181006-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181258-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181259-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181301-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181315-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181348-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182021-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182024-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182309-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182311-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182312-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182319-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182349-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-183602-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-184014-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-184624-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-184640-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190836-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190842-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190852-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190900-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190903-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193106-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193106-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193113-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193113-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193455-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193458-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193502-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193519-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193522-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193725-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194858-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194858-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194901-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194901-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194908-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194908-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194916-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194916-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194920-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194920-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194925-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194925-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194929-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194929-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194942-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194942-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194955-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194955-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194959-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194959-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-195243-00.hdmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C1490EEA-4A25-4AA6-B266-414D2F7C6C54}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\404Fix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\tmp000079b4\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\_restore{F672C7A8-E66E-4409-B689-85EC9DAA3D25}\RP6\change.log Object is locked skipped

Scan process completed.


Kaspersky critical area scan


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 31, 2008 7:52:45 AM
Operating System: Microsoft Windows XP Professional, Service Pack 3, v.3300 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/07/2008
Kaspersky Anti-Virus database records: 914924
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\ivor\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 16151
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:15:24

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-144730-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-144824-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-145611-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-150041-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-150106-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-151111-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-175358-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180823-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180826-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180831-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180838-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180900-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180950-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-180954-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181001-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181006-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181258-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181259-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181301-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181315-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-181348-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182021-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182024-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182309-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182311-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182312-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182319-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-182349-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-183602-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-184014-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-184624-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-184640-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190836-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190842-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190852-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190900-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-190903-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193106-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193106-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193113-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193113-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193455-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193458-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193502-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193519-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193522-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-193725-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194858-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194858-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194901-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194901-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194908-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194908-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194916-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194916-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194920-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194920-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194925-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194925-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194929-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194929-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194942-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194942-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194955-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194955-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194959-00.hdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-194959-00.mdmp Object is locked skipped
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20080113-195243-00.hdmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C1490EEA-4A25-4AA6-B266-414D2F7C6C54}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\404Fix.exe Infected: Hoax.Win32.Renos.vaoz skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\tmp00000313\tmp00000000 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFB63F.tmp Object is locked skipped
C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFB676.tmp Object is locked skipped
C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFD779.tmp Object is locked skipped
C:\DOCUME~1\ivor\LOCALS~1\Temp\~DFD7BA.tmp Object is locked skipped
C:\DOCUME~1\ivor\LOCALS~1\Temp\~ROMFN_00000CF4 Object is locked skipped

Scan process completed.


Memory scan was ok

#12
Gravity Gripp (Trusted Helper, Malware Removal, 1,813 posts)
nah1, I think everything looks good here. Are you still experiencing any problems? If not, I think it's time for a cleanup.


STEP ONE
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished, it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.



STEP TWO
Also, the following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • MalwareBytes Anti-Malware - A powerful anti-malware tool which can remove malware that may find its way onto your system.
  • Avast! Anti-Virus - A free for home use anti-virus program.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • JKDefrag - A disk defragmenter and optimizer for Windows 2000/2003/XP/Vista. It is completely automatic and very easy to use, fast, low overhead and has several optimization strategies. After downloading the zip file, just extract JKDefrag.exe to your desktop and double click.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Pidgin - A Malware free Instant Messenger program which allows you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN, MyspaceIM, GTalk)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
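The restore-point step in the post above, done from a script rather than the Run dialog, as an added example that is not part of the thread or of any tool it mentions. It uses the SystemRestore WMI class (root\default namespace, present on Windows XP and later) to create the new point, then enumerates the restore points so you can confirm the fresh one exists before Disk Cleanup purges the older ones. The description text is a constructed label; the numeric type codes are the documented MODIFY_SETTINGS and BEGIN_SYSTEM_CHANGE values of that class. Run it from an elevated (Administrator) PowerShell session.

```powershell
# Added example; not the thread's own instructions or any helper's tool.
# Creates a named System Restore point via the SystemRestore WMI class and
# verifies it exists before you purge the older points with
# Disk Cleanup > More Options, as the post describes.

$description = "Clean after malware removal"   # constructed label (assumption)

# Snapshot the existing restore points so old and new can be told apart.
$before = @(Get-WmiObject -Namespace "root\default" -Class SystemRestore)
$beforeSeq = @($before | ForEach-Object { $_.SequenceNumber })

# RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
# (documented constants of the SystemRestore WMI class).
$sr = [wmiclass]"\\.\root\default:SystemRestore"
$result = $sr.CreateRestorePoint($description, 12, 100)
if ($result.ReturnValue -ne 0) {
    throw "CreateRestorePoint failed with return code $($result.ReturnValue)"
}

# Re-enumerate and isolate the point(s) that did not exist before.
$after = @(Get-WmiObject -Namespace "root\default" -Class SystemRestore)
$new = @($after | Where-Object { $beforeSeq -notcontains $_.SequenceNumber })

# Do not purge the old points until the new one is confirmed: an old point can
# hold copies of the infected files, and it is the only rollback you keep.
if ($new.Count -eq 0) {
    throw "No new restore point found; do not purge the old ones yet."
}

# WMI CreationTime is a DMTF string; convert it for readable output.
$show = { param($rp)
    [pscustomobject]@{
        SequenceNumber = $rp.SequenceNumber
        Description    = $rp.Description
        Created        = [Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
    }
}

"Created restore point(s):"
$new | ForEach-Object { & $show $_ } | Format-Table -AutoSize
"Older restore points that Disk Cleanup > More Options will remove:"
$before | ForEach-Object { & $show $_ } | Format-Table -AutoSize

# Hand off to the GUI step from the post: cleanmgr's More Options tab removes
# every restore point except the most recent one.
Start-Process cleanmgr.exe
```

On Windows 8 and later, Windows throttles restore-point creation to one per 24 hours unless the SystemRestorePointCreationFrequency registry value is changed, so a second run on the same day may return success without creating a new point; the enumeration check above is what catches that case.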

#13
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.