Trojan:Win32:ConHook.I found! plz help! [CLOSED]


  • This topic is locked

#1
razoroth

    New Member

  • Member
  • 6 posts
The problem started earlier today after I ran a program named rpc.exe (thought it was legit), and shortly afterwards Windows Defender popped up with "Threat found, Trojan:Win32:ConHook.I". When I try to remove it with Windows Defender, it comes back with an error. This is what the details say in Defender:

---------------------------------------------------------------------------

Error encountered:
Code 0x80508017. Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.

Category:
Trojan

Description:
This program is dangerous and installs other programs.

Advice:
Remove this software immediately.

Resources:
process:
pid:2612

clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}

regkey:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}

regkey:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}

bho:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}

ieaddon:
[email protected]\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}

lsapackage:
HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\\AUTHENTICATION PACKAGES:C:\Windows\system32\efCvvwUN

file:
C:\Windows\system32\efCvvwUN.dll

View more information about this item online

---------------------------------------------------------------------------

Now each time I remove these registry entries, kill off the dll, and delete it, everything seems to run fine for a few minutes, then the whole process repeats itself, but with different file names being created (ex: C:\Windows\system32\efCvvwUN.dll where efCvvwUN.dll is always a randomly generated dll in System32 directory.)

The symptoms noticed so far are random and ever more frequent explorer.exe crashes, pop-ups here and there, sluggish PC performance, and about 50% of the time I cannot connect to the net via Mozilla or (dare I try) Iexplorer.exe.

I've been fighting this virus with little to no success all day, and before I perform a complete wipe, not being able to back up most of my music compilations and videos (I'm a DJ/EJ composer) I figured I'd turn to a more informed source of help.

Here is my HiJackThis log:

---------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:17 PM, on 7/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Windows\zHotkey.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TP&M=GT5404
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43F203E2-F8FD-4BD7-A0B2-75988D6EE012} - C:\Windows\system32\efCvvwUN.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C1F4E22B-356A-4927-8618-35B5E5D542E5} - C:\Windows\system32\ngwmwjlr.dll
O2 - BHO: (no name) - {C32D9423-FE23-4890-82CF-2F3423F47046} - C:\Users\Rion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2PZNRXK\3077ahntdksr[1].dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onec...s/wlscctrl2.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Users\Rion\AppData\Local\Temp\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\NMSAccessU.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\Windows\system32\sfrem01.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10599 bytes


-----------------------------------------------------------------------------

I thank you guys in advance for any help received. I managed to keep this computer clean and virus free for 2 years now, with 0 wipes and reinstalls to date. I hope to keep that record going. Have a great day!

-Sincerely,

-Raz


#2
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi razoroth

welcome to geekstogo :)

Let's see if we can take out the identified infection and then scan to see if there are other infections on your machine.

As a Vista user, I will require that all the programmes I ask you to run be run by right-clicking the icon and selecting Run as Administrator. Otherwise some programmes may fail to do their job properly.

====STEP 1====
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{C1F4E22B-356A-4927-8618-35B5E5D542E5}
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C1F4E22B-356A-4927-8618-35B5E5D542E5}
    C:\Windows\system32\efCvvwUN.dll
    C:\Windows\system32\ngwmwjlr.dll
    EmptyTemp
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====STEP 2====
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



====STEP 4====
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


In your next reply could I see:
1. the OTMoveIT log
2. the Vundofix.txt log
3. the malwarebytes log
4. the 2 DSS logs (though there may only be one)

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

Feel free to post the logs as you get them; I will wait for the final DSS logs before proceeding.

andrewuk

Edited by andrewuk, 25 July 2008 - 05:38 PM.

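The Defender detail in the first post and the HijackThis log it quotes carry the indicators a responder keys on: BHOs registered with no display name that point at 8-letter random DLLs in System32, an orphaned CLSID whose file is gone, a DLL living in the IE cache, a service with no vendor name whose binary is missing from a Temp folder, and an entry under LSA "Authentication Packages", which lsass.exe loads at boot and which is a persistence point separate from the BHO keys. The script below is an added example written for this page; it is not code from the original posts, from HijackThis, Defender or OTMoveIt. It parses such log lines offline, flags them, and turns each flagged BHO into the same three items (CLSID key, Browser Helper Objects key, DLL) that the OTMoveIt list in the reply above removes. The sample lines are copied from this thread; the 8-letter-name heuristic and the assumption that msv1_0 is the only stock authentication package on Vista are mine, not the page's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O2/O23 lines copied from the first HijackThis log in
# this thread, two benign lines kept for contrast. Assumption: the layout
# "O2 - BHO: <name> - {CLSID} - <path>" is stable across HijackThis 2.0.x.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43F203E2-F8FD-4BD7-A0B2-75988D6EE012} - C:\Windows\system32\efCvvwUN.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C1F4E22B-356A-4927-8618-35B5E5D542E5} - C:\Windows\system32\ngwmwjlr.dll
O2 - BHO: (no name) - {C32D9423-FE23-4890-82CF-2F3423F47046} - C:\Users\Rion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2PZNRXK\3077ahntdksr[1].dll
O23 - Service: NMSAccessU - Unknown owner - C:\Users\Rion\AppData\Local\Temp\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\NMSAccessU.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed sample: the lsapackage resource from the Defender detail in the first post.
SAMPLE_DEFENDER = r"""
lsapackage:
HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\\AUTHENTICATION PACKAGES:C:\Windows\system32\efCvvwUN
file:
C:\Windows\system32\efCvvwUN.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristic (assumption): this family drops 8-letter random DLL names into System32.
RANDOM_SYS32_RE = re.compile(r"^C:\\Windows\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)
# Assumption: msv1_0 is the only authentication package on a stock Vista install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Finding:
    kind: str                 # "O2", "O23" or "lsapackage"
    ident: str                # CLSID, service name or package name
    path: str
    reasons: list = field(default_factory=list)


def _in_temp_location(path: str) -> bool:
    low = path.lower()
    return "\\temp\\" in low or "temporary internet files" in low


def _missing(path: str) -> bool:
    return path == "(no file)" or path.endswith("(file missing)")


def triage_hjt(log_text: str) -> list:
    """Flag O2 (BHO) and O23 (service) lines that carry the indicators seen in this thread."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.group("name", "clsid", "path")
            reasons = []
            if name == "(no name)":
                reasons.append("BHO registered without a display name")
            if _missing(path):
                reasons.append("orphaned registration: DLL gone but CLSID/BHO keys remain")
            if RANDOM_SYS32_RE.match(path):
                reasons.append("8-letter random DLL name in System32")
            if _in_temp_location(path):
                reasons.append("DLL loaded from a temp or browser-cache directory")
            if reasons:
                findings.append(Finding("O2", clsid, path, reasons))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            path = m.group("path")
            if _missing(path) or _in_temp_location(path):
                findings.append(Finding("O23", m.group("name"), path,
                                        ["service with no vendor name, binary missing or in a temp directory"]))
    return findings


def triage_lsa_packages(defender_text: str) -> list:
    """Pull the 'lsapackage:' resource out of a Defender detail block and flag non-stock packages."""
    findings = []
    lines = defender_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() != "lsapackage:" or i + 1 >= len(lines):
            continue
        value = lines[i + 1].split("AUTHENTICATION PACKAGES:", 1)[-1].strip()
        pkg = value.rsplit("\\", 1)[-1]   # the value holds names without ".dll"
        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
            findings.append(Finding("lsapackage", pkg, value,
                                    ["non-default LSA authentication package: loaded by lsass.exe "
                                     "at boot, independent of the BHO keys"]))
    return findings


def cleanup_list(findings: list) -> list:
    """Expand each flagged BHO into the CLSID key, the Browser Helper Objects key and the DLL."""
    items = []
    for f in findings:
        if f.kind == "O2":
            items.append(r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{%s}" % f.ident)
            items.append(r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{%s}" % f.ident)
            if not _missing(f.path):
                items.append(f.path)
        elif f.kind == "lsapackage":
            # Never delete the whole value: it is a REG_MULTI_SZ that also holds msv1_0,
            # which Windows needs for logon. Remove only the rogue entry.
            items.append("EDIT (remove this entry only): HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"
                         "\\Authentication Packages -> %s" % f.ident)
    return items


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT) + triage_lsa_packages(SAMPLE_DEFENDER)
    for f in found:
        print(f"[{f.kind}] {f.ident}: {'; '.join(f.reasons)}")
    print("\n".join(cleanup_list(found)))
```

Run it on a saved HijackThis log and the pasted Defender detail and it prints the suspect entries with the reason each was flagged, followed by the removal list. The point of the separate `lsapackage` handling is the one that matters for the "comes back after a few minutes" symptom in the first post: deleting the BHO keys and the DLL does nothing about an authentication package that lsass.exe loads at the next boot, and that value must be edited rather than removed.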

#3
razoroth

    New Member

  • Topic Starter
  • Member
  • 6 posts
OTMoveIT Log:

------------

Explorer killed successfully
< HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{C1F4E22B-356A-4927-8618-35B5E5D542E5} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{C1F4E22B-356A-4927-8618-35B5E5D542E5}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C1F4E22B-356A-4927-8618-35B5E5D542E5} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C1F4E22B-356A-4927-8618-35B5E5D542E5}\\ deleted successfully.
File/Folder C:\Windows\system32\efCvvwUN.dll not found.
File/Folder C:\Windows\system32\ngwmwjlr.dll not found.
< EmptyTemp >
File delete failed. C:\Users\Rion\AppData\Local\Temp\etilqs_96tdg5asq95VbIlCCesF scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07252008_190954

Files moved on Reboot...
File C:\Users\Rion\AppData\Local\Temp\etilqs_96tdg5asq95VbIlCCesF not found!
File move failed. C:\Windows\temp\nmsmc_DQLWinService.log scheduled to be moved on reboot.

--------------


VundoFix V7.0.6

Scan started at 7:16:00 PM 7/25/2008

Listing files found while scanning....

C:\Windows\System32\emaitgyh.dll
C:\Windows\System32\fesudxia.dll
C:\Windows\System32\ftmsmwnr.dll
C:\Windows\System32\hkjictpp.dll
C:\Windows\System32\hygtiame.ini
C:\Windows\System32\lyhngyyh.dll
C:\Windows\System32\mjqxrwgb.dll
C:\Windows\System32\nwbhiqgq.dll
C:\Windows\System32\pptcijkh.ini
C:\Windows\System32\rcfcjtpm.dll
C:\Windows\System32\ssqOGYQG.dll
C:\Windows\System32\vewwihsm.dll

Beginning removal...

(Screen went blank at this point as stated it would, but after a minute or so of staying blank, started rebooting as if I had just turned it off.)

VundoFix V7.0.6

Scan started at 8:10:06 PM 7/25/2008

Listing files found while scanning....

C:\Windows\System32\emaitgyh.dll
C:\Windows\System32\fesudxia.dll
C:\Windows\System32\ftmsmwnr.dll
C:\Windows\System32\hkjictpp.dll
C:\Windows\System32\hygtiame.ini
C:\Windows\System32\lyhngyyh.dll
C:\Windows\System32\mjqxrwgb.dll
C:\Windows\System32\nwbhiqgq.dll
C:\Windows\System32\pptcijkh.ini
C:\Windows\System32\rcfcjtpm.dll
C:\Windows\System32\ssqOGYQG.dll
C:\Windows\System32\vewwihsm.dll

(It seems the files may not have been removed on startup; not sure if I should click Fix Vundo again or not. If told to do so, I will run it again.)

----------------

MBAM is currently still running and has been for quite some time now, so far 12 infections found, waiting for it to finish to proceed. The MBAM and DDS logs should be posted up a little later on tonight or in the morning if it continues to scan for the next few hours.

Thank you for your patience with this matter, it's much appreciated.

-Raz

#4
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
No harm in running VundoFix again once MBAM is finished (could take a while) and posting the new VundoFix log.

andrewuk

#5
razoroth

    New Member

  • Topic Starter
  • Member
  • 6 posts
Malwarebytes' Anti-Malware 1.23
Database version: 993
Windows 6.0.6001 Service Pack 1

6:14:20 AM 7/26/2008
mbam-log-7-26-2008 (06-14-19).txt

Scan type: Full Scan (C:\|J:\|)
Objects scanned: 280254
Time elapsed: 1 hour(s), 55 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\emaitgyh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hygtiame.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hkjictpp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pptcijkh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\TechTracker\VersionTracker Pro\Crack.eXe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\fesudxia.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ftmsmwnr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\mjqxrwgb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rcfcjtpm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\vewwihsm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\lyhngyyh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nwbhiqgq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07252008_185407\Windows\system32\efCvvwUN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\07252008_185407\Windows\system32\ngwmwjlr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
J:\Storage\Programs\Setup Files\audioeditor\SF-ADDICTED\SonyProducts_Keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
J:\Storage\Programs\Setup Files\audioeditor\SF-ADDICTED\SonyProducts_Keygen\SonyProducts-Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
J:\Storage\Programs\Setup Files\Windows Cracks\Windows Genuine Advantage Crack\Windows XP Keygen.exe (Malware.Tool) -> Quarantined and deleted successfully.
J:\Storage\Programs\Windows Cracks\Windows Genuine Advantage Crack\Windows XP Keygen.exe (Malware.Tool) -> Quarantined and deleted successfully.
J:\Storage\Programs\E-Soft Audio\patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\ssqOGYQG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

-------

Deckard's System Scanner v20071014.68
Run by Rion on 2008-07-26 06:15:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 2 Restore Point(s) --
2: 2008-07-26 07:24:31 UTC - RP833 - Windows Defender Checkpoint
1: 2008-07-25 21:55:58 UTC - RP831 - Windows Defender Checkpoint


Performed disk cleanup.

System Drive C: has 32.03 GiB (less than 15%) free.


-- HijackThis (run as Rion.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:28 AM, on 7/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ESET\nod32kui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Rion\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rion.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TP&M=GT5404
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TP&M=GT5404
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {43F203E2-F8FD-4BD7-A0B2-75988D6EE012} - C:\Windows\system32\efCvvwUN.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C32D9423-FE23-4890-82CF-2F3423F47046} - C:\Users\Rion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2PZNRXK\3077ahntdksr[1].dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onec...s/wlscctrl2.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Users\Rion\AppData\Local\Temp\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\NMSAccessU.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\Windows\system32\sfrem01.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 10725 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071015-075728-342 O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
backup-20071015-075728-410 O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
backup-20071015-075728-520 O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20071015-075728-841 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20071015-075728-971 O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys <Not Verified; Protection Technology (StarForce); SF FrontLine>

S3 ICAM3NT5 (Intel USB Video Camera III) - c:\windows\system32\drivers\icam3usb.sys <Not Verified; Intel Corporation; Blank Description>
S3 MAC607 (MAC607 Filter) - c:\windows\system32\drivers\mac607.sys
S3 PL-40R (CASIO USB MIDI) - c:\windows\system32\drivers\pl40rwdm.sys <Not Verified; CASIO COMPUTER CO., LTD.; LK USB MIDI>
S3 TVICHW32 - \??\c:\windows\system32\drivers\tvichw32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DQLWinService - "c:\program files\common files\intel\inteldh\nms\adpplugins\dqlwinservice.exe" <Not Verified; ; DQLWinSe Application>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 NMSAccessU - c:\users\rion\appdata\local\temp\{74f93b7a-5ffe-4b01-9ead-44ff2467b3c3}\nmsaccessu.exe (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-26 04:38:28 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{A770F690-9522-4A97-B748-9D9016172653}.job


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-25 20:32:07 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-25 20:32:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 19:56:43 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-07-25 19:16:00 0 d-------- C:\VundoFix Backups
2008-07-25 15:15:58 0 d-------- C:\Program Files\ScanSpyware v3.8
2008-07-25 15:09:54 0 d-------- C:\Program Files\jv16 PowerTools
2008-07-25 15:00:51 0 d-------- C:\security
2008-07-25 14:58:57 0 d-------- C:\vscan
2008-07-25 14:32:28 3017 --ahs---- C:\Windows\system32\NUwvvCfe.ini2
2008-07-25 13:29:13 0 d-------- C:\Program Files\Windows Live Safety Center
2008-07-25 13:23:08 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-25 12:00:51 4591 --ahs---- C:\Windows\system32\cJRsrtwa.ini2
2008-07-24 13:31:44 0 d-------- C:\Users\Public\Games
2008-07-08 18:15:53 0 d-------- C:\Program Files\AIMTunes
2008-07-08 17:06:49 0 d-------- C:\Program Files\Dziobas Rar Player
2008-07-07 21:16:34 23 --a------ C:\Users\Rion\jagex_runescape_preferences.dat
2008-07-07 21:16:27 0 d-------- C:\Windows\.jagex_cache_32
2008-07-01 19:20:56 0 d-------- C:\Users\All Users\Office Genuine Advantage
2008-06-29 18:52:23 0 d-------- C:\Program Files\LucasArts
2008-06-27 23:44:27 0 d-------- C:\AeriaGames
2008-06-26 12:55:41 4096 --a------ C:\Windows\d3dx.dat
2008-06-26 12:35:37 0 d-------- C:\Windows\Saints & Sinners Bowling
2008-06-26 12:35:22 0 d-------- C:\Windows\Rocket Bowl
2008-06-26 12:34:57 0 d-------- C:\Windows\Gutterball 2
2008-06-26 12:31:00 0 d-------- C:\Windows\Anime Bowling Babes
2008-06-26 12:31:00 0 d-------- C:\Program Files\Bowling
2008-06-26 01:42:45 0 d-------- C:\Program Files\3D Ultra Pinball CreepNight
2008-06-26 01:41:19 0 d-------- C:\Program Files\3D Ultra Pinball
2008-06-26 00:23:19 0 d-------- C:\Program Files\Acidx Productions


-- Find3M Report ---------------------------------------------------------------

2008-07-26 05:19:29 0 d-------- C:\Users\Rion\AppData\Roaming\foobar2000
2008-07-25 20:32:12 0 d-------- C:\Users\Rion\AppData\Roaming\Malwarebytes
2008-07-25 18:53:08 0 d-------- C:\Users\Rion\AppData\Roaming\Xfire
2008-07-25 15:22:01 0 d-------- C:\Program Files\Curse
2008-07-25 12:55:48 0 d-------- C:\Users\Rion\AppData\Roaming\uTorrent
2008-07-24 13:52:47 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-24 13:13:50 0 d-------- C:\Program Files\Burn4Free
2008-07-23 07:12:12 0 d-------- C:\Program Files\Xfire
2008-07-15 15:51:09 0 d-------- C:\Program Files\World of Warcraft
2008-07-09 03:07:49 0 d-------- C:\Program Files\Windows Mail
2008-07-08 18:17:09 0 d-------- C:\Program Files\AIM6
2008-07-08 16:05:17 0 d-------- C:\Program Files\Java
2008-06-29 18:52:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-28 16:08:56 0 d-------- C:\Program Files\VirtualDubMod
2008-06-21 06:12:16 0 d-------- C:\Program Files\FunPause Atlantis
2008-06-21 02:36:27 26 --a------ C:\Windows\popcinfo.dat
2008-06-19 03:40:15 0 d-------- C:\Program Files\TryMedia
2008-06-19 03:38:56 0 d-------- C:\Program Files\Yahoo! Games
2008-06-18 19:26:33 0 d-------- C:\Users\Rion\AppData\Roaming\Mozilla
2008-06-07 22:36:32 0 d-------- C:\Program Files\MobMapUpdater
2008-05-29 17:21:11 0 d-------- C:\Program Files\Valvesoftware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43F203E2-F8FD-4BD7-A0B2-75988D6EE012}]
C:\Windows\system32\efCvvwUN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C32D9423-FE23-4890-82CF-2F3423F47046}]
C:\Users\Rion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2PZNRXK\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/18/2008 11:38 PM]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [11/18/2006 10:01 AM]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [09/26/2006 01:56 PM]
"CHotkey"="zHotkey.exe" [11/07/2006 05:08 PM C:\Windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [01/27/2005 12:13 PM C:\Windows\ShowWnd.exe]
"ModPS2"="ModPS2Key.exe" [11/07/2006 05:34 PM C:\Windows\ModPS2Key.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [09/29/2006 03:39 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/31/2007 04:40 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/31/2007 04:40 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/31/2007 04:40 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [03/03/2007 03:46 AM]
"P17Helper"="P17.dll" [05/02/2005 10:38 PM C:\Windows\System32\P17.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"SigmatelSysTrayApp"="sttray.exe" [11/02/2006 11:38 AM C:\Windows\sttray.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/11/2007 10:28 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/11/2007 10:28 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/11/2007 10:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/18/2008 11:33 PM]
"Aim6"="" []
"@"="" []
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [03/05/2007 01:57 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"DefaultP17MIDI"=MIDIDEF.EXE
"DefaultP17"=P17Def.Exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Users\Rion\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\efCvvwUN

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
c:\program files\Bigfix\bigfix.exe /atstartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Updates]
svehost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
AutoRun\command- M:\autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-26 06:20:25 ------------

#6
razoroth (Topic Starter, New Member, 6 posts)
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 2045.3 MiB / 1046.46 MiB
Pagefile Memory (total/avail): 4327.88 MiB / 3195.99 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1890.75 MiB

C: is Fixed (NTFS) - 223.06 GiB total, 32.03 GiB free.
D: is Fixed (NTFS) - 9.82 GiB total, 4.46 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (FAT)
I: is Removable (No Media)
J: is Fixed (FAT32) - 149.01 GiB total, 38.15 GiB free.
K: is CDROM (No Media)
L: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-00NCB1 - 232.88 GiB - 2 partitions
\PARTITION0 - Installable File System - 9.82 GiB - D:
\PARTITION1 (bootable) - Installable File System - 223.06 GiB - C:

\\.\PHYSICALDRIVE3 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE5 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE2 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB SM Reader USB Device - 494.19 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 499.54 MiB - H:

\\.\PHYSICALDRIVE1 - WD 1600JB External USB Device - 149.05 GiB - 1 partition
\PARTITION0 - Unknown - 149.05 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.) Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Groove Games\\LASR\\LASR.exe"="C:\\Program Files\\Groove Games\\LASR\\LASR.exe:*:Enabled:LASR"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Rion\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RIONDESKTOP
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Rion
LOCALAPPDATA=C:\Users\Rion\AppData\Local
LOGONSERVER=\\RIONDESKTOP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ahead\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0604
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Rion\AppData\Local\Temp
TMP=C:\Users\Rion\AppData\Local\Temp
USERDOMAIN=RionDesktop
USERNAME=Rion
USERPROFILE=C:\Users\Rion
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

IUSR_NMPR (new local, net ready)
Rion (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
123 Audio Video Merger --> "C:\Program Files\Manitools\123 Audio Video Merger\unins000.exe"
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Active GIF Creator 3.1 --> "C:\Program Files\Active GIF Creator 3.1\uninstall.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AGEIA PhysX v7.07.09 --> MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
Agere Systems PCI-SV92PP Soft Modem --> agrsmdel
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AIMTunes --> C:\Program Files\AIMTunes\Uninstall.exe
Allok QuickTime to AVI MPEG DVD Converter 1.4.0 --> "C:\Program Files\Allok QuickTime Converter\unins000.exe"
Allok Video Joiner 2.1.4 --> "C:\Program Files\Allok Video Joiner\unins000.exe"
Anime Bowling Babes --> "C:\Windows\Anime Bowling Babes\uninstall.exe" "/U:C:\Program Files\Bowling\Anime Bowling Babes\Uninstall\uninstall.xml"
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ares Ultra 3.8.0 --> "C:\Program Files\Ares Ultra\unins000.exe"
arniWORX awxDTools - Daemon-Tools ShellExtension - 1.0.6.0 --> "C:\Program Files\DAEMON Tools\unins000.exe"
Atlantis version 1.4 --> "C:\Program Files\FunPause Atlantis\unins000.exe"
Auctioneer AddOns --> C:\Program Files\World of Warcraft\Auctioneer Uninstaller.exe
Audacity 1.3.3 (Unicode) --> "C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"
Audio Conversion Wizard 2.0 --> "C:\Program Files\Audio Conversion Wizard\unins000.exe"
Audiosurf --> MsiExec.exe /I{6D316D67-DA52-4659-9C98-F479963534D6}
AutoHotkey 1.0.47.05 --> C:\Program Files\AutoHotkey\uninst.exe
AV Voice Changer Software DIAMOND 5.5 --> C:\PROGRA~1\AVVCS5~1.5DI\UNWISE.EXE C:\PROGRA~1\AVVCS5~1.5DI\INSTALL.LOG
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Bazooka Scanner --> "C:\Program Files\Bazooka Scanner\Uninstall.exe" "C:\Program Files\Bazooka Scanner\install.log"
Bejeweled 2 Deluxe --> "C:\Program Files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe"
BigFix --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Blasterball 3 --> "C:\Program Files\Gateway Games\Blasterball 3\Uninstall.exe"
Browser Address Error Redirector --> regsvr32 /u /s "c:\google\BAE.dll"
Burn4Free CD and DVD --> "C:\Program Files\Burn4Free\uninstall.exe"
Chatango Message Catcher --> "C:\Program Files\Chatango\uninstall.exe"
Chuzzle Deluxe --> "C:\Program Files\Gateway Games\Chuzzle Deluxe\Uninstall.exe"
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Combined Community Codec Pack 2007-02-22 --> "C:\Program Files\Combined Community Codec Pack\unins001.exe"
Crysis® --> MsiExec.exe /I{000E79B7-E725-4F01-870A-C12942B7F8E4}
CueClub Patch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3C9D983-55A2-11D4-9D68-0020781864F1}\setup.exe"
DaemonScript --> MsiExec.exe /X{0A21D2E9-F8A2-4CF9-88D7-E04A1C4C90AE}
DHTML Editing Component --> MsiExec.exe /I{2EA870FA-585F-4187-903D-CB9FFD21E2E0}
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61} /l1033
Diner Dash --> "C:\Program Files\Gateway Games\Diner Dash\Uninstall.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dziobas Rar Player 0.008.9 --> "C:\Program Files\Dziobas Rar Player\unins000.exe"
EA SPORTS online 2008 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
FATE --> "C:\Program Files\Gateway Games\FATE\Uninstall.exe"
FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
FlatOut2 --> MsiExec.exe /I{C884B05A-F5D9-4AE4-9D84-E6BD9F6E7890}
foobar2000 v0.9.4.5 --> "C:\Program Files\foobar2000\uninstall.exe"
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Free Download Manager 2.1 --> "C:\Program Files\Free Download Manager\unins000.exe"
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Gateway Game Console --> "C:\Program Files\Gateway Games\Gateway Game Console\Uninstall.exe"
Gateway Recovery Center Installer --> MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
GEAR 32bit Driver Installer --> MsiExec.exe /X{E89B484C-B913-49A0-959B-89E836001658}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
GTA San Andreas --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly
GTA San Andreas Admin Console --> C:\PROGRA~1\GTASAC~1\UNWISE.EXE C:\PROGRA~1\GTASAC~1\INSTALL.LOG
GTACars3_1 --> C:\Windows\IsUninst.exe -f"C:\Program Files\FIF Engineering\GTACars3_1\Uninst.isu"
GTASA Ultimate Editor 3.6.6 --> "C:\Program files\gtaSAeditor\unins000.exe"
Guitar Hero III --> MsiExec.exe /I{0CE1A6C0-F3F7-49E6-8F9D-2431F9827441}
Gutterball 2 --> "C:\Windows\Gutterball 2\uninstall.exe" "/U:C:\Program Files\Bowling\Gutterball 2\Uninstall\uninstall.xml"
Haali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
Halo 2 for Windows Vista --> C:\Program Files\Microsoft Games\Halo 2\StartUp.exe /tnp:/remove
Halo Server --> "C:\Program Files\Microsoft Games\Halo Server\UNINSTAL.EXE" /runtemp /addremove
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IconCool Studio v3.3x --> C:\PROGRA~1\ICONCO~1\ICONCO~1\UNWISE.EXE C:\PROGRA~1\ICONCO~1\ICONCO~1\INSTALL.LOG
ICONStudio 5.0 --> "C:\Program Files\ICONStudio\unins000.exe"
IGN Download Manager 2.3.2 --> C:\Program Files\IGN\Download Manager\uninst.exe
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
IncGamers Client --> C:\Program Files\IncGamers Client\uninst.exe
Intel A/V Codecs V2.0 --> C:\Windows\IsUninst.exe -fC:\Windows\system32\CDUninst.isu
Intel Streaming Media Viewer --> C:\Windows\uninst.exe -f"C:\Program Files\Internet Explorer\Plugins\DeIsL1.isu"
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® Viiv™ Software --> MsiExec.exe /X{26C610BF-761B-4209-BD6A-A0F1B73D6DDE} /qb!
Internet Explorer Security Plugin 2006 --> "C:\Program Files\Video Access ActiveX Object\iesuninst.exe"
Internet Security Add-On --> "C:\Program Files\Video Access ActiveX Object\isunst.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Development Kit 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160000}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
JEOPARDY --> "C:\Program Files\Gateway Games\JEOPARDY\Uninstall.exe"
jv16 PowerTools 1.4.1 --> "C:\Program Files\jv16 PowerTools\unins000.exe"
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lexmark 1200 Series --> C:\Program Files\Lexmark 1200 Series\Install\x86\Uninst.exe
LimeWire PRO 4.13.2 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Madden NFL 08 --> C:\Program Files\EA Sports\Madden NFL 08\EAUninstall.exe
Magic ISO Maker v5.3 (build 0221) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvel™ - Ultimate Alliance --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{932FB3F3-594D-4600-ABFA-F2DE80A14214}
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=12
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{2F750C77-1FEC-44F9-88CC-2CE322EBD61E}
Microsoft Halo --> "C:\Program Files\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Money 2006 --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Office Excel 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall EXCEL /dll OSETUP.DLL
Microsoft Office Excel 2007 --> MsiExec.exe /X{90120000-0016-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORD /dll OSETUP.DLL
Microsoft Office Word 2007 --> MsiExec.exe /X{90120000-001B-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\Windows\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
mIRC --> "J:\Storage\Rion's Documents\MIRC\Scripts\Zone Script\mirc.exe" -uninstall
MixMeister Fusion 7.2.2 --> "C:\Program Files\MixMeister Fusion 7.2.2\unins000.exe"
MobMap 1.42 --> "C:\Program Files\MobMapUpdater\unins000.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSUN Decoder Pack 2005 --> "C:\Program Files\MSUN Decoder Pack\unins000.exe"
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS --> C:\PROGRA~1\NATIVE~1\FM8\UNWISE.EXE C:\PROGRA~1\NATIVE~1\FM8\INSTALL.LOG
Native.Instruments Battery v3.0.1.005 VSTi DXi RTAS --> C:\PROGRA~1\NATIVE~1\BATTER~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\BATTER~1\INSTALL.LOG
Need for Speed™ Carbon --> C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe
Need for Speed™ ProStreet --> MsiExec.exe /X{CC419DDC-E0F0-4013-B25A-6FA036516F0D}
Nero 7 Ultra Edition --> MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
Nero PhotoShow Express 4 --> "C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\Uninstall.exe"
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NewsLeecher v3.8 Final --> "C:\Program Files\NewsLeecher\unins000.exe"
NFS Underground 2 Mega Trainer --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\prjMegaTrain\ST6UNST.LOG"
NOD32 antivirus systeem --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
nullDC 1.0.0 Public Beta 1 Setup --> MsiExec.exe /I{C3FDA1E4-1E17-48D8-B4F0-C141E9FFB4BA}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Opera 9.10 --> MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
PageBreeze Free HTML Editor --> C:\PROGRA~1\PAGEBR~1\UNWISE.EXE C:\PROGRA~1\PAGEBR~1\INSTALL.LOG
Patch It v2.0 --> MsiExec.exe /I{66E6FA87-9B8C-4559-8DAD-E8ADD6CF7E76}
PCSX2 0.9 R3 --> J:\Storage\Emulating\PCSX2 2\Uninstal.exe
Pcsx2 0.9.2 Watermoose --> "C:\Emulating\PCXS2\unins000.exe"
Penguins! --> "C:\Program Files\Gateway Games\Penguins!\Uninstall.exe"
Polar Bowler --> "C:\Program Files\Gateway Games\Polar Bowler\Uninstall.exe"
Polar Golfer --> "C:\Program Files\Gateway Games\Polar Golfer\Uninstall.exe"
Power2Go 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
PS/GC/BOX To PC CONVERTOR --> C:\Program Files\FT8D91\uninst.exe
PS2 Multimedia Keyboard Driver --> "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\setup.exe" -ul
Public Messenger ver 2.03 --> "C:\Program Files\Video Access ActiveX Object\pmunst.exe"
PunkBuster Services --> C:\Windows\system32\pbsvc.exe -u
Python 2.5 --> MsiExec.exe /I{0A2C5854-557E-48C8-835A-3B9F074BDCAA}
QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exe
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
River Past Audio Converter Pro --> C:\Windows\Audio Converter Pro Uninstaller.exe
Rocket Bowl --> "C:\Windows\Rocket Bowl\uninstall.exe" "/U:C:\Program Files\Bowling\Rocket Bowl\Uninstall\uninstall.xml"
Saints & Sinners Bowling --> "C:\Windows\Saints & Sinners Bowling\uninstall.exe" "/U:C:\Program Files\Bowling\Saints & Sinners Bowling\Uninstall\uninstall.xml"
San Andreas Mod Installer --> "C:\Windows\San Andreas Mod Installer\uninstall.exe" "/U:C:\Emulating\GTASA\Mod Installer\Uninstall\uninstall.xml"
ScanSpyware v3.8 --> "C:\Program Files\ScanSpyware v3.8\unins000.exe"
SCRABBLE --> "C:\Program Files\Gateway Games\SCRABBLE\Uninstall.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Shockwave --> C:\Windows\System32\Macromed\SHOCKW~2\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~2\Install.log
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic R --> C:\Sega\SonicR\directx\setup /r
Sothink SWF Decompiler --> "C:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Star Wars® Knights of the Old Republic® II: The Sith Lords™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{629F65FB-7F3C-4D66-A1C0-20722744B7B6}\setup.exe" -l0x9 -removeonly
Super Collapse! II Platinum --> C:\PROGRA~1\GAMEHO~1\SUPERC~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\SUPERC~1\INSTALL.LOG
SuperjoyBox Game Controller Version 3.0 --> C:\Superjoy\unins000.exe
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
The Core Media Player 4.0 --> "C:\Program Files\CoreCodec\The Core Media Player\uninstall-tcmp4.exe"
The Orange Box --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9EF7918F-6283-48D4-8648-9FE84BE9FB41}\setup.exe" -l0x9 -removeonly
TIFNY 5.0 --> C:\PROGRA~1\Tifny\UNWISE.EXE C:\PROGRA~1\Tifny\INSTALL.LOG
Transformers™ - The Game --> C:\Program Files\InstallShield Installation Information\{5645BA4F-2BF3-4F31-B3F7-710700C92456}\setup.exe -runfromtemp -l0x0409
TSP_CODEC --> C:\Program Files\Bytescribe\TSP_CODEC\Uninst.exe /pid:{A90C03D6-08E1-4C59-B93B-6919A6C0AC19} /asd
Ultra Document To Text Converter 2.0 --> "C:\Program Files\Ultra Document To Text Converter\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Veoh Player --> C:\Program Files\InstallShield Installation Information\{3D5A72E1-1467-4199-8CF6-12DA8D502A6B}\setup.exe -runfromtemp -l0x0409
Video Convert Split Merge Studio v6.7.2 Build 366 --> "C:\Program Files\Video Convert Split Merge Studio\unins000.exe"
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\Á\mtsAxInstaller.exe /u
WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Wrath of the Lich King Beta --> C:\Program Files\Common Files\Blizzard Entertainment\Wrath of the Lich King\Uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Zuma Deluxe 1.0 --> C:\Program Files\Yahoo! Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\Yahoo! Games\Zuma Deluxe\Install.log"


-- Application Event Log -------------------------------------------------------

Event Record #/Type222834 / Error
Event Submitted/Written: 07/26/2008 02:24:30 AM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {861742dc-369d-4297-bd02-ac3d58b04ca5}

Event Record #/Type222830 / Error
Event Submitted/Written: 07/25/2008 08:48:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application MySpaceIM.exe, version 1.0.756.0, time stamp 0x4807dcb0, faulting module kernel32.dll, version 6.0.6001.18000, time stamp 0x4791a76d, exception code 0xe06d7363, fault offset 0x000442eb,
process id 0xf20, application start time 0xMySpaceIM.exe0.

Event Record #/Type222819 / Success
Event Submitted/Written: 07/25/2008 07:59:54 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type222818 / Success
Event Submitted/Written: 07/25/2008 07:59:53 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type222815 / Success
Event Submitted/Written: 07/25/2008 07:59:42 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type67728 / Warning
Event Submitted/Written: 07/26/2008 06:16:50 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%RionDesktop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %RionDesktop27 can't undo changes that you allow.

For more information please see the following:
%RionDesktop275

Scan ID: {64A90B17-C0C2-4DF7-9047-91DF69E240B0}

User: RionDesktop\Rion

Name: %RionDesktop271

ID: %RionDesktop272

Severity ID: %RionDesktop273

Category ID: %RionDesktop274

Path Found: %RionDesktop276

Alert Type: %RionDesktop278

Detection Type: 1.1.1600.02

Event Record #/Type67727 / Warning
Event Submitted/Written: 07/26/2008 06:16:50 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%RionDesktop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %RionDesktop27 can't undo changes that you allow.

For more information please see the following:
%RionDesktop275

Scan ID: {9FACB9BA-766E-4EF7-B531-EB820A5F6659}

User: RionDesktop\Rion

Name: %RionDesktop271

ID: %RionDesktop272

Severity ID: %RionDesktop273

Category ID: %RionDesktop274

Path Found: %RionDesktop276

Alert Type: %RionDesktop278

Detection Type: 1.1.1600.02

Event Record #/Type67726 / Warning
Event Submitted/Written: 07/26/2008 06:16:50 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%RionDesktop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %RionDesktop27 can't undo changes that you allow.

For more information please see the following:
%RionDesktop275

Scan ID: {6EE3F4EE-07C2-43A6-9FF4-42401A0F5A48}

User: RionDesktop\Rion

Name: %RionDesktop271

ID: %RionDesktop272

Severity ID: %RionDesktop273

Category ID: %RionDesktop274

Path Found: %RionDesktop276

Alert Type: %RionDesktop278

Detection Type: 1.1.1600.02

Event Record #/Type67725 / Warning
Event Submitted/Written: 07/26/2008 06:16:49 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%RionDesktop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %RionDesktop27 can't undo changes that you allow.

For more information please see the following:
%RionDesktop275

Scan ID: {C738E96F-42C7-4052-8030-6AF569C158BE}

User: RionDesktop\Rion

Name: %RionDesktop271

ID: %RionDesktop272

Severity ID: %RionDesktop273

Category ID: %RionDesktop274

Path Found: %RionDesktop276

Alert Type: %RionDesktop278

Detection Type: 1.1.1600.02

Event Record #/Type67724 / Warning
Event Submitted/Written: 07/26/2008 06:16:49 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%RionDesktop27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %RionDesktop27 can't undo changes that you allow.

For more information please see the following:
%RionDesktop275

Scan ID: {016D0182-36EA-48FA-A73A-32106D3A6951}

User: RionDesktop\Rion

Name: %RionDesktop271

ID: %RionDesktop272

Severity ID: %RionDesktop273

Category ID: %RionDesktop274

Path Found: %RionDesktop276

Alert Type: %RionDesktop278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-07-26 06:20:25 ------------

-----

And that's all of it. I did not run vundofix again after the second time because things seemed to work normally afterwards. Of course, if you see anything out of the ordinary, I will gladly run it again if it means my computer is safe again. Thanks for all the help. I will await your response to either follow further instructions, or finalize this thread.

-Sincerely,

-Raz
  • 0
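The Add/Remove Programs section of the DSS log above is the raw UninstallString from each key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, which is why the commands arrive in so many shapes (quoted paths, unquoted paths with spaces, MsiExec /I{GUID}, RunDll32 with a DLL entry point, 8.3 short names). As an added example, not part of the original post and not something DSS itself does, here is a small Python triage script that splits each "Name --> command" line into executable and arguments, records MSI product codes and RunDll32 hosts, and flags uninstallers that live outside Program Files on C:. The sample lines are copied from the listing above; the ROGUE_DIRS watch list is my own assumption, seeded with the "Video Access ActiveX Object" directory that three entries share and that removal guides of the period tie to fake-codec installers. A flag means "look at this", not "malicious": the Gateway-bundled games on this machine also live under C:\Windows.

```python
"""Triage the 'Add/Remove Programs' section of a Deckard's System Scanner
(DSS) log.  Each line is  <DisplayName> --> <UninstallString>, where the
second half is whatever the installer wrote under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\<key>, so it
arrives in several shapes: quoted path, unquoted path containing spaces,
MsiExec /I{GUID}, RunDll32 <dll>,<entry> ..., or 8.3 short names."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Lazily match up to the first token that ends in an executable extension;
# this is how an unquoted 'C:\Program Files\X\uninstall.exe /flag' splits.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?:\s+(.*))?$", re.IGNORECASE)
# Constructed watch list (an assumption, not something DSS knows about):
# directory names that removal guides of the period tie to fake-codec installers.
ROGUE_DIRS = {"video access activex object", "video activex object"}

# Sample input: lines copied from the DSS listing above (not the full listing).
SAMPLE = r"""
FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
FlatOut2 --> MsiExec.exe /I{C884B05A-F5D9-4AE4-9D84-E6BD9F6E7890}
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
GTA San Andreas --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly
Gutterball 2 --> "C:\Windows\Gutterball 2\uninstall.exe" "/U:C:\Program Files\Bowling\Gutterball 2\Uninstall\uninstall.xml"
Intel® PRO Network Connections Drivers --> Prounstl.exe
Internet Security Add-On --> "C:\Program Files\Video Access ActiveX Object\isunst.exe"
PCSX2 0.9 R3 --> J:\Storage\Emulating\PCSX2 2\Uninstal.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
"""


@dataclass
class UninstallEntry:
    name: str
    exe: str
    args: str
    kind: str                    # "exe", "msi" or "rundll32"
    product_code: Optional[str]  # first GUID on an msiexec command line
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an UninstallString into (executable, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                   # quoted executable path
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)                     # unquoted path, possibly with spaces
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")        # bare verb, e.g. 'msiexec /package ...'
    return head, tail.strip()


def classify(name: str, exe: str, args: str) -> UninstallEntry:
    """Work out what kind of uninstaller this is and where it lives."""
    base = exe.rsplit("\\", 1)[-1].lower()
    kind, product_code = "exe", None
    if base in ("msiexec", "msiexec.exe"):
        kind = "msi"
        g = GUID_RE.search(args)
        product_code = g.group(0).upper() if g else None
    elif base in ("rundll32", "rundll32.exe"):
        kind = "rundll32"
    entry = UninstallEntry(name, exe, args, kind, product_code)

    low = exe.lower()
    drive = re.match(r"^([a-z]):\\", low)
    if drive is None:
        if kind == "exe":
            entry.flags.append("bare-name")   # resolved via PATH/App Paths at run time
    elif drive.group(1) != "c":
        entry.flags.append("other-drive")     # secondary or removable volume
    elif low.startswith(("c:\\windows\\", "c:\\winnt\\")):
        entry.flags.append("windows-dir")     # third-party code living in the OS tree
    if any(part in ROGUE_DIRS for part in low.split("\\")):
        entry.flags.append("watchlist-dir")
    if kind == "rundll32":
        entry.flags.append("rundll32-host")   # the real payload is the DLL named in args
    return entry


def parse_dss_programs(text: str) -> List[UninstallEntry]:
    """Parse every 'Name --> command' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        name, sep, cmd = line.partition(" --> ")
        if sep:
            exe, args = split_command(cmd)
            entries.append(classify(name.strip(), exe, args))
    return entries


if __name__ == "__main__":
    for e in parse_dss_programs(SAMPLE):
        if e.flags:
            print(f"{', '.join(e.flags):28} {e.name} -> {e.exe}")
```

Run as a script it prints only the flagged entries; paste the whole listing into SAMPLE (or read it from a file) to triage a full log. The lazy EXE_RE is deliberately not applied to RunDll32 lines, whose only ".exe" sits inside a quoted argument, so those fall through to the bare-verb branch and get the rundll32-host flag instead.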

#7
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Looks like you had/have other infections (I can see evidence of at least one worm), so we will run another tool.

Firstly, can you disable your Windows Defender - it will interfere with some of our fixes:

Disable Windows Defender until the computer is clean
  • Open Windows Defender
  • Select Tools and then General Settings
  • Under Real Time Protection Options uncheck Turn on real-time protection
  • Select Save
Don't forget to re-enable it, when your computer is clean.


Could you also tell me what antivirus program you are running? I can see signs of NOD32 and perhaps Norton.


and then..........


If you have already downloaded ComboFix, could you delete the current version you have and then follow these instructions:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. (All the instructions for installing the Recovery Console are in the above link, but for more information on the Windows XP Recovery Console read http://support.micro...com/kb/314058.)

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**


The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#8
razoroth

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Yes, I am currently using NOD32, although this program did not seem to prevent anything from happening, so I will be uninstalling it when all this is finished. Any recommendations on a better Anti-Virus Software to use would be appreciated.

Here are the logs:

--------------

ComboFix Log:

--------------

ComboFix 08-07-26.1 - Rion 2008-07-26 14:20:17.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1026 [GMT -5:00]
Running from: C:\Users\Rion\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Rion\AppData\Roaming\macromedia\Flash Player\#SharedObjects\FM3VLUCN\interclick.com
C:\Users\Rion\AppData\Roaming\macromedia\Flash Player\#SharedObjects\FM3VLUCN\interclick.com\ud.sol
C:\Users\Rion\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\Rion\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Windows\System32\cJRsrtwa.ini
C:\Windows\System32\cJRsrtwa.ini2
C:\Windows\system32\drivers\npf.sys
C:\Windows\system32\mcrh.tmp
C:\Windows\System32\NUwvvCfe.ini
C:\Windows\System32\NUwvvCfe.ini2
C:\Windows\system32\packet.dll
C:\Windows\system32\wpcap.dll
D:\Autorun.inf
J:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 20:32 . 2008-07-25 20:32 <DIR> d-------- C:\Users\Rion\AppData\Roaming\Malwarebytes
2008-07-25 20:32 . 2008-07-25 20:32 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-25 20:32 . 2008-07-25 20:32 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-25 20:32 . 2008-07-25 20:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 20:32 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-25 20:32 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-25 19:56 . 2008-07-25 19:56 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-07-25 19:16 . 2008-07-25 20:28 <DIR> d-------- C:\VundoFix Backups
2008-07-25 15:15 . 2008-07-25 15:52 <DIR> d-------- C:\Program Files\ScanSpyware v3.8
2008-07-25 15:10 . 2008-07-25 15:10 5 --a------ C:\Windows\System32\SndDrv32b.ini
2008-07-25 15:09 . 2008-07-25 16:09 <DIR> d-------- C:\Program Files\jv16 PowerTools
2008-07-25 15:00 . 2008-07-25 15:01 <DIR> d-------- C:\security
2008-07-25 14:58 . 2008-07-25 14:58 <DIR> d-------- C:\vscan
2008-07-25 13:29 . 2008-07-25 13:31 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-25 13:23 . 2008-07-25 13:23 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-25 12:07 . 2008-07-25 12:05 102,664 --a------ C:\Windows\System32\drivers\tmcomm.sys
2008-07-24 13:31 . 2008-07-24 13:52 <DIR> d-------- C:\Users\Public\Games
2008-07-23 12:34 . 2008-07-23 12:34 268 --ah----- C:\sqmdata03.sqm
2008-07-23 12:34 . 2008-07-23 12:34 244 --ah----- C:\sqmnoopt03.sqm
2008-07-22 22:51 . 2008-06-25 20:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-22 22:50 . 2008-06-25 20:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-22 22:50 . 2008-06-25 22:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-17 16:47 . 2008-07-17 16:47 54,156 --ah----- C:\Windows\QTFont.qfn
2008-07-17 16:47 . 2008-07-17 16:47 1,409 --a------ C:\Windows\QTFont.for
2008-07-15 18:09 . 2008-07-15 18:09 42,320 --a------ C:\Windows\System32\xfcodec.dll
2008-07-08 20:53 . 2008-04-26 03:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-07-08 20:53 . 2008-04-26 03:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-07-08 20:53 . 2008-04-26 03:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-07-08 20:53 . 2008-04-11 22:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-07-08 20:53 . 2008-05-09 22:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-07-08 20:53 . 2008-04-04 20:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-07-08 20:53 . 2008-04-04 22:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-07-08 20:52 . 2008-05-08 16:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-08 20:52 . 2008-05-08 16:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-08 20:52 . 2008-05-08 16:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-08 20:52 . 2008-05-08 16:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-08 20:52 . 2008-05-08 16:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-08 20:52 . 2008-05-08 16:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-08 20:52 . 2008-05-08 16:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-08 18:15 . 2008-07-08 18:17 <DIR> d-------- C:\Program Files\AIMTunes
2008-07-08 17:06 . 2008-07-08 17:06 <DIR> d-------- C:\Program Files\Dziobas Rar Player
2008-07-07 21:16 . 2008-07-07 21:16 <DIR> d-------- C:\Windows\.jagex_cache_32
2008-07-07 21:16 . 2008-07-07 21:19 23 --a------ C:\Users\Rion\jagex_runescape_preferences.dat
2008-07-01 19:20 . 2008-07-01 19:20 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-07-01 19:20 . 2008-07-01 19:20 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-06-29 18:52 . 2008-06-29 18:52 <DIR> d-------- C:\Program Files\LucasArts
2008-06-27 23:44 . 2008-06-27 23:44 <DIR> d-------- C:\AeriaGames
2008-06-26 12:55 . 2008-06-26 12:55 4,096 --a------ C:\Windows\d3dx.dat
2008-06-26 12:35 . 2008-06-26 12:35 <DIR> d-------- C:\Windows\Saints & Sinners Bowling
2008-06-26 12:35 . 2008-06-26 12:35 <DIR> d-------- C:\Windows\Rocket Bowl
2008-06-26 12:34 . 2008-06-26 12:47 <DIR> d-------- C:\Windows\Gutterball 2
2008-06-26 12:31 . 2008-06-26 12:31 <DIR> d-------- C:\Windows\Anime Bowling Babes
2008-06-26 12:31 . 2008-06-26 12:35 <DIR> d-------- C:\Program Files\Bowling
2008-06-26 01:42 . 2008-06-26 02:13 <DIR> d-------- C:\Program Files\3D Ultra Pinball CreepNight
2008-06-26 01:41 . 2008-06-26 02:06 <DIR> d-------- C:\Program Files\3D Ultra Pinball
2008-06-26 00:23 . 2008-06-26 00:23 <DIR> d-------- C:\Program Files\Acidx Productions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 19:10 --------- d-----w C:\Users\Rion\AppData\Roaming\Xfire
2008-07-26 19:08 --------- d-----w C:\Program Files\ESET
2008-07-26 10:19 --------- d-----w C:\Users\Rion\AppData\Roaming\foobar2000
2008-07-25 20:22 --------- d-----w C:\Program Files\Curse
2008-07-25 18:26 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-25 17:55 --------- d-----w C:\Users\Rion\AppData\Roaming\uTorrent
2008-07-24 18:52 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-07-24 18:13 --------- d-----w C:\Program Files\Burn4Free
2008-07-24 06:24 --------- d-----w C:\ProgramData\Xfire
2008-07-23 12:12 --------- d-----w C:\Program Files\Xfire
2008-07-15 20:51 --------- d-----w C:\Program Files\World of Warcraft
2008-07-11 04:20 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-07-11 04:19 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-07-09 08:07 --------- d-----w C:\Program Files\Windows Mail
2008-07-08 23:17 --------- d-----w C:\Program Files\AIM6
2008-07-08 23:16 --------- d-----w C:\ProgramData\AOL Downloads
2008-07-08 23:15 --------- d-----w C:\ProgramData\Viewpoint
2008-07-08 23:14 --------- d-----w C:\ProgramData\AOL
2008-07-08 21:05 --------- d-----w C:\Program Files\Java
2008-06-29 23:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 21:08 --------- d-----w C:\Program Files\VirtualDubMod
2008-06-21 11:12 --------- d-----w C:\Program Files\FunPause Atlantis
2008-06-19 08:40 --------- d-----w C:\Program Files\TryMedia
2008-06-19 08:38 --------- d-----w C:\Program Files\Yahoo! Games
2008-06-09 10:01 --------- d-----w C:\ProgramData\MumboJumbo
2008-06-08 03:36 --------- d-----w C:\Program Files\MobMapUpdater
2008-05-29 22:21 --------- d-----w C:\Program Files\Valvesoftware
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-03-21 03:41 174 --sha-w C:\Program Files\desktop.ini
2007-11-14 19:22 22,328 ----a-w C:\Users\Rion\AppData\Roaming\PnkBstrK.sys
2007-07-23 16:24 0 ----a-w C:\Users\Rion\AppData\Roaming\wklnhst.dat
2007-08-05 01:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-08-05 01:52 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-08-05 01:52 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-02-23 01:31 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007022220070223\index.dat
2007-02-23 16:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007022320070224\index.dat
2007-02-24 23:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007022420070225\index.dat
2007-02-26 03:58 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007022520070226\index.dat
2007-02-27 14:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007022720070228\index.dat
2007-02-28 18:07 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007022820070301\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-18 23:33 1233920]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 23:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 10:01 182744]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 13:56 423424]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 15:39 151552]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-01-31 16:40 131072]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-01-31 16:40 151552]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-01-31 16:40 126976]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-03 03:46 949376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-11 22:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-11 22:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-11 22:28 81920]
"CHotkey"="zHotkey.exe" [2006-11-07 17:08 547840 C:\Windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2005-01-27 12:13 36864 C:\Windows\ShowWnd.exe]
"ModPS2"="ModPS2Key.exe" [2006-11-07 17:34 53248 C:\Windows\ModPS2Key.exe]
"P17Helper"="P17.dll" [2005-05-02 22:38 64512 C:\Windows\System32\P17.dll]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 11:38 303104 C:\Windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 18:27 9117696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-02 20:16 49152 C:\Windows\MIDIDEF.EXE]
"DefaultP17"="P17Def.Exe" [2005-05-02 22:35 20480 C:\Windows\P17DEF.EXE]

C:\Users\Rion\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= I263_32.drv
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.xvid"= xvid.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigFix]
--a------ 2006-11-16 19:04 2348584 c:\Program Files\BigFix\bigfix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 05:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 18:27 9117696 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2006-05-10 14:52 249856 C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4003477587-3145471023-3728799210-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4003477587-3145471023-3728799210-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{0CA77071-095F-425A-B903-67C1BAE7C57D}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{9ADA0F11-6FDA-42B3-9811-FEB370107DB3}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{73312F8B-1ADE-418D-940A-9E63562062D8}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{7AE56B14-0DF8-4773-9907-724694FC87ED}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{D7D661D1-F9B1-4D3B-8994-546B8E526129}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{E7CA01BB-D96A-4316-953C-8E09B510BF97}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{0DFB510C-C20C-424A-9854-12DCBDF3A54D}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{D732540B-8727-4E75-8E54-F83F9C1BC214}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{110E5761-6991-47A2-BB7A-00169EB1E7C9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A7C6F45B-3831-4C1C-919F-51EFD740F266}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{29889E81-CA06-4F2A-86E3-97CF859589AD}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{D76701EB-3D10-4E2E-A730-E0964A7882A9}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{945116BD-15A1-4F86-B9A7-08C31EFDFACD}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{802F82F5-49A0-4868-9DC9-DFF479D28850}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{0CF140C8-43EC-4610-9CD9-9C396B3824D0}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{D529FCC4-23D6-4D8D-8220-37F3DB4F8108}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{DA9DCB01-FF17-4C8E-AE36-34C2505F7DC9}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{459460B3-959B-4A3B-80BD-256EA40E77F5}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5A6E6C06-AC00-4894-8B09-9AC6FA698FBE}"= UDP:C:\Windows\System32\lxczcoms.exe:Lexmark Communications System
"{B43ED56E-D036-421C-AF29-092646C0E98F}"= TCP:C:\Windows\System32\lxczcoms.exe:Lexmark Communications System
"TCP Query User{6FA9C4D4-F3CD-42A2-AEDC-12BF8533B716}C:\\program files\\electronic arts\\battlefield 2142\\bf2142.exe"= UDP:C:\program files\electronic arts\battlefield 2142\bf2142.exe:BF2142
"UDP Query User{CCF1605D-E33E-453D-B80A-00EB058264E2}C:\\program files\\electronic arts\\battlefield 2142\\bf2142.exe"= TCP:C:\program files\electronic arts\battlefield 2142\bf2142.exe:BF2142
"TCP Query User{319B875E-E8BF-42DD-9E79-CEB6237E78FF}C:\\program files\\microsoft games\\halo\\halo.exe"= UDP:C:\program files\microsoft games\halo\halo.exe:Halo
"UDP Query User{17774CF2-ED6F-4EA9-9CE3-9DDC82A97D3E}C:\\program files\\microsoft games\\halo\\halo.exe"= TCP:C:\program files\microsoft games\halo\halo.exe:Halo
"TCP Query User{789F0244-5348-4FE0-81CA-A2CCB477A914}C:\\program files\\empire interactive\\flatout2\\flatout2.exe"= UDP:C:\program files\empire interactive\flatout2\flatout2.exe:FlatOut2
"UDP Query User{F5DECE9A-78F2-4755-9484-294C2E9F8CD6}C:\\program files\\empire interactive\\flatout2\\flatout2.exe"= TCP:C:\program files\empire interactive\flatout2\flatout2.exe:FlatOut2
"TCP Query User{E914028A-DD6F-4D44-A10A-13ABC3E7892D}C:\\program files\\ea games\\medal of honor pacific assault™\\mohpa.exe"= UDP:C:\program files\ea games\medal of honor pacific assault™\mohpa.exe:Medal of Honor Pacific Assault™
"UDP Query User{7FE1E1F4-E640-4473-8318-26F76C311535}C:\\program files\\ea games\\medal of honor pacific assault™\\mohpa.exe"= TCP:C:\program files\ea games\medal of honor pacific assault™\mohpa.exe:Medal of Honor Pacific Assault™
"TCP Query User{DE1392FF-523B-4734-B6AA-C23A09C67FF3}C:\\program files\\atari\\test drive unlimited\\testdriveunlimited.exe"= UDP:C:\program files\atari\test drive unlimited\testdriveunlimited.exe:Test Drive Unlimited
"UDP Query User{CE8156EE-4C28-45B4-85AB-8C5A828226E3}C:\\program files\\atari\\test drive unlimited\\testdriveunlimited.exe"= TCP:C:\program files\atari\test drive unlimited\testdriveunlimited.exe:Test Drive Unlimited
"{8974DAF6-15C2-443C-81AC-7576E9FD87BB}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{BC677363-1A3A-4F52-AA32-16BFA1B9A83C}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"TCP Query User{5FC40756-12A8-4760-9344-C519572BF325}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{65849FA5-1568-4505-9535-196EDE7BF27F}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{BD5EDE06-4686-4033-8B72-BBC0B5689DD4}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{257A2A26-0307-4782-9273-AF4A9E62D510}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{77143EED-2831-4DD7-86BC-4F01B7431BBA}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{76185481-0709-496C-B542-E8A957A42119}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{43F41021-AEFE-48DE-B7BE-3A03E53D6FF9}C:\\program files\\ea games\\need for speed underground 2\\speed2.exe"= UDP:C:\program files\ea games\need for speed underground 2\speed2.exe:SPEED2
"UDP Query User{680BFB71-3A3B-477D-B433-DBC3E2B56EDB}C:\\program files\\ea games\\need for speed underground 2\\speed2.exe"= TCP:C:\program files\ea games\need for speed underground 2\speed2.exe:SPEED2
"TCP Query User{67FDFA8D-0707-493F-BEED-447B7EAE21BC}C:\\program files\\atari\\test drive unlimited\\testdriveunlimited.exe"= UDP:C:\program files\atari\test drive unlimited\testdriveunlimited.exe:Test Drive Unlimited
"UDP Query User{423D7EB8-56D7-4655-9B62-3F709A9292D6}C:\\program files\\atari\\test drive unlimited\\testdriveunlimited.exe"= TCP:C:\program files\atari\test drive unlimited\testdriveunlimited.exe:Test Drive Unlimited
"TCP Query User{EACEF7A6-C015-44FA-8EAA-1A6BCD7651E7}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{F5F36DD8-E811-483A-84A9-16BB3DD855BE}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{8B6E1E6A-938A-4E80-A941-1176A2AE06ED}C:\\program files\\microsoft games\\halo\\halo.exe"= UDP:C:\program files\microsoft games\halo\halo.exe:Halo
"UDP Query User{A9D9810B-5F24-454F-80DF-CF4BBC0C59BD}C:\\program files\\microsoft games\\halo\\halo.exe"= TCP:C:\program files\microsoft games\halo\halo.exe:Halo
"TCP Query User{F0213E3D-57BE-41F5-B701-C53CBE3EE7B7}C:\\program files\\activision value\\world series of poker toc\\wsoptoc.exe"= UDP:C:\program files\activision value\world series of poker toc\wsoptoc.exe:WSOPTOC
"UDP Query User{7986767A-2BC1-4FBC-B0BD-371B6C66C6AD}C:\\program files\\activision value\\world series of poker toc\\wsoptoc.exe"= TCP:C:\program files\activision value\world series of poker toc\wsoptoc.exe:WSOPTOC
"{F219062A-390D-4777-907E-C0A38D0A3290}"= UDP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:LevelR
"{5D6B619F-8A90-43E8-8EC4-FF38E716276B}"= TCP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:LevelR
"TCP Query User{DD85D45D-C2AB-4CA8-96A7-9AAB50D624AC}C:\\program files\\real\\realone player\\realplay.exe"= UDP:C:\program files\real\realone player\realplay.exe:RealPlayer
"UDP Query User{6044F4A2-DD11-4109-A443-3D63999A0667}C:\\program files\\real\\realone player\\realplay.exe"= TCP:C:\program files\real\realone player\realplay.exe:RealPlayer
"TCP Query User{5B54F778-4E88-43A2-BAE8-705911931AEA}C:\\program files\\thq\\fsw ten hammers\\fsw2.exe"= UDP:C:\program files\thq\fsw ten hammers\fsw2.exe:"Full Spectrum Warrrior 2: Ten Hammers" Game
"UDP Query User{E9E7BC7F-D7FF-4B43-AC27-72D7E20A1572}C:\\program files\\thq\\fsw ten hammers\\fsw2.exe"= TCP:C:\program files\thq\fsw ten hammers\fsw2.exe:"Full Spectrum Warrrior 2: Ten Hammers" Game
"TCP Query User{5EFDEF61-6449-4A1E-9E36-89F8B0FE78C4}C:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= UDP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"UDP Query User{E5A7EB07-0284-4393-986D-A421B1A76EB5}C:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= TCP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"{4D8CA647-A7E3-4E16-BCAA-563FF65BB6AB}"= UDP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.exe:Project Torque
"{FC6861FD-79D8-44D4-AC3B-011E1DB77DFD}"= TCP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.exe:Project Torque
"TCP Query User{86B462C1-1D15-4F78-BB71-A85D17C1FB76}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{A0961D16-ADC3-4F1A-8BC9-8D422FB5544F}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{4A846E3C-377A-48F2-BCD5-50624C183D76}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{FFA1DD44-C006-4F87-B093-9381835BF5A5}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{57171072-0548-4DA5-9DF1-09587F5E34C8}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{1C20C67B-0D6D-4CF2-B784-5A7899B4AD03}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{AD373400-6CC8-46C6-8859-54F1D13E6B7C}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{942B815C-41F9-45EF-A0F3-2B34A463CC75}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{5DC4DCC5-BAAD-4288-B98A-1E01BE26947B}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{BE965CC6-1D3C-4E8D-8083-42B3FA4AD532}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{1BAA962F-E87B-477B-8361-5FFB6FD3FAFA}C:\\program files\\aspyr\\guitar hero iii\\gh3.exe"= UDP:C:\program files\aspyr\guitar hero iii\gh3.exe:Guitar Hero III
"UDP Query User{DECC2F80-E086-4C01-B6FB-DAF577C4C844}C:\\program files\\aspyr\\guitar hero iii\\gh3.exe"= TCP:C:\program files\aspyr\guitar hero iii\gh3.exe:Guitar Hero III
"TCP Query User{66EB304E-4C49-4A9C-B74B-35EB99274E1D}C:\\program files\\microsoft games\\halo server\\haloded.exe"= UDP:C:\program files\microsoft games\halo server\haloded.exe:Halo
"UDP Query User{946395C4-5A80-4E86-9F20-277685E1354E}C:\\program files\\microsoft games\\halo server\\haloded.exe"= TCP:C:\program files\microsoft games\halo server\haloded.exe:Halo
"{FED1E5D6-728A-4D42-B9DA-2F0F751659BF}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{806A10FF-C94C-48E8-907E-FFDBA1CFFBC5}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{081DDAF7-3B1D-4CFC-A5B4-0459D79D6418}"= UDP:59682:utor1
"{DA5CAA2A-AF5A-4A18-B35A-5F6A3FAB59E3}"= TCP:59682:utor2
"{F7F9B471-8A23-46C9-86D7-36379F77810C}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9CCC0380-DF7E-4794-938B-EF41FD0721E7}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{356BF28E-BCEE-414D-B884-7E426561B33E}J:\\storage\\rion's documents\\mirc\\scripts\\mako unlimited\\mirc.exe"= UDP:J:\storage\rion's documents\mirc\scripts\mako unlimited\mirc.exe:mIRC
"UDP Query User{28AF9C60-D46A-4FB1-BEDE-C8BD7206F72D}J:\\storage\\rion's documents\\mirc\\scripts\\mako unlimited\\mirc.exe"= TCP:J:\storage\rion's documents\mirc\scripts\mako unlimited\mirc.exe:mIRC
"TCP Query User{E37B1E31-CBC1-4EFA-A272-734F18460B47}C:\\users\\rion\\desktop\\mirc\\mako unlimited\\mirc.exe"= UDP:C:\users\rion\desktop\mirc\mako unlimited\mirc.exe:mirc.exe
"UDP Query User{C5CEE48E-3E2D-4105-95C4-DF81D9F09A24}C:\\users\\rion\\desktop\\mirc\\mako unlimited\\mirc.exe"= TCP:C:\users\rion\desktop\mirc\mako unlimited\mirc.exe:mirc.exe
"TCP Query User{5CF13511-F8DC-4B01-B35F-87D48A94C0A8}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{F6041952-51D4-4D66-9E9A-13B76CBD80DE}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8AF6748C-2520-4454-B911-290DE7F13DEE}C:\\program files\\ares ultra\\ares ultra.exe"= UDP:C:\program files\ares ultra\ares ultra.exe:Ares Ultra p2p for windows
"UDP Query User{C9FC2096-CC1B-4B4D-8826-9369D46219E7}C:\\program files\\ares ultra\\ares ultra.exe"= TCP:C:\program files\ares ultra\ares ultra.exe:Ares Ultra p2p for windows
"{0322623F-6F0B-451C-AFEF-A947FF650783}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A4FAAC73-E481-446A-9297-7C43702CD3DC}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{786AB8F0-264E-4413-BA55-3F46F6835656}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= UDP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{E2768079-CAE5-40C2-ABD0-91FEB834A856}C:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= TCP:C:\program files\java\jre1.6.0_03\bin\javaw.exe:Java™ Platform SE binary
"{4A5EBACE-3DC8-4855-A85D-99687179119B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{02B2D936-B559-480B-BAAD-00E2217329F4}C:\\program files\\valvesoftware\\the orange box\\team fortress 2\\hl2.exe"= UDP:C:\program files\valvesoftware\the orange box\team fortress 2\hl2.exe:hl2
"UDP Query User{15FBD1D1-ED03-49EC-BE36-DE9EE8B7D2F3}C:\\program files\\valvesoftware\\the orange box\\team fortress 2\\hl2.exe"= TCP:C:\program files\valvesoftware\the orange box\team fortress 2\hl2.exe:hl2
"TCP Query User{21E2DA68-4749-4050-B3D4-7DB4FD6A7AC3}C:\\program files\\yahoo! games\\zuma deluxe\\zuma.exe"= UDP:C:\program files\yahoo! games\zuma deluxe\zuma.exe:Zuma
"UDP Query User{B7C557A6-3A9F-4ACA-AB71-409A01C2236A}C:\\program files\\yahoo! games\\zuma deluxe\\zuma.exe"= TCP:C:\program files\yahoo! games\zuma deluxe\zuma.exe:Zuma
"{03B85133-9309-4DE1-BF4E-07FC5738A0F8}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{FD5763F6-864C-4485-88CA-288CABB62943}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{A0822C29-7144-4216-92CC-938411282D7F}"= Disabled:UDP:C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{C35428DA-74D4-4982-8FC5-6D3AD79088CB}"= TCP:C:\Program Files\MySpace\IM\MySpaceIM.exe:MySpaceIM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Groove Games\\LASR\\LASR.exe"= C:\Program Files\Groove Games\LASR\LASR.exe:*:Enabled:LASR

R2 DQLWinService;DQLWinService;C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 12:03]
R2 lxcz_device;lxcz_device;C:\Windows\system32\lxczcoms.exe [2007-02-08 18:50]
R2 nmsgopro;GoProto Protocol Driver for NMS;C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 19:37]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 18:49]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2006-12-21 10:00]
S2 NMSAccessU;NMSAccessU;C:\Users\Rion\AppData\Local\Temp\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\NMSAccessU.exe []
S3 ICAM3NT5;Intel USB Video Camera III;C:\Windows\system32\Drivers\Icam3USB.sys [2000-08-08 00:55]
S3 MAC607;MAC607 Filter;C:\Windows\system32\DRIVERS\MAC607.sys [2007-06-25 01:35]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 02:30]
S3 PL-40R;CASIO USB MIDI;C:\Windows\system32\Drivers\pl40rwdm.sys [2004-10-01 02:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\shell\AutoRun\command - M:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-26 C:\Windows\Tasks\User_Feed_Synchronization-{A770F690-9522-4A97-B748-9D9016172653}.job - C:\Windows\system32\msfeedssync.exe [2008-01-18 23:33]
.
- - - - ORPHANS REMOVED - - - -

BHO-{43F203E2-F8FD-4BD7-A0B2-75988D6EE012} - C:\Windows\system32\efCvvwUN.dll
BHO-{C32D9423-FE23-4890-82CF-2F3423F47046} - C:\Users\Rion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2PZNRXK\3077ahntdksr[1].dll
HKCU-Run-Aim6 - (no file)
MSConfigStartUp-NapsterShell - C:\Program Files\Napster\napster.exe
MSConfigStartUp-SpyHunter - C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
MSConfigStartUp-Microsoft Updates - svehost.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.wowhead.com/
R0 -: HKLM-Main,Start Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5404
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 -: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 -: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 14:39:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_libmad.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\ESET\nod32krn.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
.
**************************************************************************
.
Completion time: 2008-07-26 14:51:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 19:50:20

Pre-Run: 34,023,215,104 bytes free
Post-Run: 33,439,498,240 bytes free

384 --- E O F --- 2008-07-25 18:28:51
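A triage script for the ComboFix output above, added here as an example (it is not part of the original post, nor ComboFix's own code): it walks a handful of lines copied from the log and flags the classes of entry a responder would look at first: a service image under a user's Temp directory, a BHO loaded out of the IE cache, a system32 DLL with a random-looking 8-letter name, an autostart whose bare filename is one edit away from svchost.exe, and UAC switched off. The regexes and severity labels are assumptions about the line formats seen in this log, not a published ComboFix grammar, so treat LOW findings as prompts to check hashes and publishers rather than verdicts.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix log above and trimmed so
# the script runs offline. It is not a complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
R2 lxcz_device;lxcz_device;C:\Windows\system32\lxczcoms.exe [2007-02-08 18:50]
S2 NMSAccessU;NMSAccessU;C:\Users\Rion\AppData\Local\Temp\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\NMSAccessU.exe []
BHO-{43F203E2-F8FD-4BD7-A0B2-75988D6EE012} - C:\Windows\system32\efCvvwUN.dll
BHO-{C32D9423-FE23-4890-82CF-2F3423F47046} - C:\Users\Rion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2PZNRXK\3077ahntdksr[1].dll
MSConfigStartUp-NapsterShell - C:\Program Files\Napster\napster.exe
MSConfigStartUp-Microsoft Updates - svehost.exe
"""

# Line shapes as they appear in the log above (assumed, not a published ComboFix grammar).
SERVICE_RE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*\[")
BHO_RE = re.compile(r"^BHO-\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.+)$")
STARTUP_RE = re.compile(r"^(?:MSConfigStartUp|HKCU-Run|HKLM-Run)-(?P<name>.+?)\s+-\s+(?P<target>.+)$")
ENABLELUA_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b')
DISABLEMON_RE = re.compile(r'^"DisableMonitoring"\s*=\s*dword:0*1$')

# Locations a service or browser extension has no business loading from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\temporary internet files\\")
# Names that malware commonly imitates with a one-character change.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot svehost.exe next to svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): an 8-letter stem with three or more upper/lower
    case switches, e.g. efCvvwUN. Legitimate files can trip it, so it only rates LOW."""
    stem = filename.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    switches = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return switches >= 3


def _finding(severity: str, line: str, reason: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "reason": reason}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if nothing stands out."""
    if ENABLELUA_RE.match(line):
        return _finding("MEDIUM", line, "UAC disabled (EnableLUA=0); elevation prompts are off")
    if DISABLEMON_RE.match(line):
        return _finding("LOW", line, "Security Center told to stop monitoring a product")
    m = SERVICE_RE.match(line)
    if m:
        if any(t in m.group("path").lower() for t in TEMP_DIRS):
            return _finding("HIGH", line, "service/driver image lives under a temp directory")
        return None
    m = BHO_RE.match(line)
    if m:
        path = m.group("path")
        base = path.rsplit("\\", 1)[-1]
        if any(t in path.lower() for t in TEMP_DIRS):
            return _finding("HIGH", line, "BHO loaded straight out of the browser cache")
        if "\\system32\\" in path.lower() and looks_random(base):
            return _finding("LOW", line, "BHO in system32 with a random-looking name")
        return None
    m = STARTUP_RE.match(line)
    if m:
        target = m.group("target")
        base = target.rsplit("\\", 1)[-1].lower()
        # A bare filename (no path) that is one edit away from a core Windows binary.
        if "\\" not in target and any(0 < edit_distance(base, s) <= 1 for s in SYSTEM_NAMES):
            return _finding("HIGH", line, "bare-name autostart one edit away from a system binary")
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty line and keep the hits, log order preserved."""
    return [f for f in (classify(l.strip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}\n    {f['line']}")
```

Run against the sample it reports the NMSAccessU service in Temp, the two BHOs and the "Microsoft Updates" svehost.exe entry as the items to pull first, with the UAC and Security Center settings as context; feeding it a whole saved ComboFix log works the same way, since unmatched lines are simply skipped.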

#9 razoroth (Topic Starter, New Member, 6 posts)
HiJackThis Log:

-----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:43 PM, on 7/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wowhead.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=GT5404
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onec...s/wlscctrl2.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Users\Rion\AppData\Local\Temp\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\NMSAccessU.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\Windows\system32\sfrem01.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe

--
End of file - 9762 bytes



I'll await further instruction.

-Raz
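An added example, not part of the thread: a small triage of HijackThis "O23 - Service" lines like those in the log above, applying the rules a helper reads them with (no publisher name, binary missing, running from a user-writable directory). The sample lines are constructed copies in the same format and the heuristics are my own, not HijackThis logic.

```python
import re
from typing import Dict, List, Optional, Tuple

# HijackThis O23 format: "O23 - Service: <name> - <vendor> - <path>".
# An empty vendor collapses the separators to "name - - path", so the
# separator before the path is either " - " or "- "; the path is anchored
# to a drive letter so a vendor containing " - " cannot confuse the split.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)(?: - |- )(?P<path>[A-Za-z]:\\.+)$"
)

# Directories a legitimate service rarely runs from (heuristic, my own choice).
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\")


def parse_o23(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Return (name, vendor, path, file_missing) for an O23 line, else None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].strip()
    return m.group("name"), m.group("vendor").strip(), path, missing


def triage_o23(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_o23(line)
        if parsed is None:
            continue
        name, vendor, path, missing = parsed
        reasons = []
        if vendor == "" or vendor.lower() == "unknown owner":
            reasons.append("no publisher name")
        if missing:
            reasons.append("binary missing (orphaned service entry)")
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample lines in the format of the log above.
SAMPLE_LOG = """\
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
O23 - Service: lxcz_device - - C:\\Windows\\system32\\lxczcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\\Users\\Rion\\AppData\\Local\\Temp\\{74F93B7A-5FFE-4B01-9EAD-44FF2467B3C3}\\NMSAccessU.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\\Windows\\system32\\PnkBstrA.exe
"""

if __name__ == "__main__":
    for name, reasons in triage_o23(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flag is a reason to check the file's publisher and hash, not proof of infection: PnkBstrA (PunkBuster) is a known game component that simply ships without a vendor string.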

#10
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
In this post we will remove the remaining malware I can see, scan 4 files that I don't recognise and do a couple more scans to see if there is anything further lurking on your machine.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

We will sort out your security programs in the following post.

====STEP 1====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Program Files\ScanSpyware v3.8

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
====STEP 3====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
C:\Windows\System32\SndDrv32b.ini

Click on the submit button

Please also do the same with the following three files:
C:\Windows\system32\DRIVERS\nmsgopro.sys
C:\Windows\system32\DRIVERS\nmsunidr.sys
C:\Windows\system32\DRIVERS\MAC607.sys


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal



====STEP 4====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply could I see:
1. the combofix log
2. the SUPERantispyware log
3. the 4 jotti logs
4. the kaspersky log
5. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#11
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.