New strain of Vundo? Hijack this included [RESOLVED]


  • This topic is locked

#1
tom.a.gill
  • Member
  • 15 posts
Hey.. been trying to fix my laptop.. but I don't think I'm getting anywhere. I think the problem is that the jkkjg.dll on my machine is a new jkkjifGA.dll form that I can't find anything about. Anyway.. I was gonna run the removal tool for jkkjifGA.dll but thought I should post here first. Oh, and I already ran the Vundo removal tool from this site and got 0 hits; also have DSS but won't post as per the rules.

Thanks in advance

Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:23 PM, on 7/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\QuickCam\Quickcam.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=""
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {42A30138-2DA5-463F-B8FA-DEB74952F4C4} - C:\Windows\system32\jkkjifGA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe"
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winfsy32.rom,bAVRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O13 - Gopher Prefix:
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} (WLCTSCControl Class) - https://www.mesh.com...103.3/TSWeb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: Ave's FolderBg - {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8d8e04ad8f56d) (gupdate1c8d8e04ad8f56d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 11313 bytes
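The log above contains the two entries this thread turns on: a nameless O2 BHO loading C:\Windows\system32\jkkjifGA.dll, and an O4 Run entry that makes rundll32.exe load winfsy32.rom, a module that is not a .dll. As an added example (not code from the thread, from HijackThis, or from the forum's procedure), the following Python script parses O2 and O4 lines and flags those two patterns plus orphaned BHO registrations. The sample lines are constructed after the log above; the heuristics (nameless BHO in system32, rundll32 module without a .dll extension) are assumptions about what a helper would look at first, and a hit is a reason to inspect the file, not proof of infection.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis log posted above; not a real capture.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {42A30138-2DA5-463F-B8FA-DEB74952F4C4} - C:\Windows\system32\jkkjifGA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winfsy32.rom,bAVRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
""".strip()

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 lines: "O4 - <hive>\..\Run: [<entry>] <command line>"  (hive may be HKUS\S-1-5-xx)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 command lines: "rundll32.exe <module>,<export> ..."
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<module>[^,\s]+),(?P<export>\S+)', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def check_bho(m):
    """Heuristics for a parsed O2 line; returns a reason string or None."""
    name, path = m.group("name"), m.group("path")
    if path == "(no file)":
        return "orphaned BHO registration: CLSID points at a file that no longer exists"
    if name == "(no name)" and "\\system32\\" in path.lower():
        # Vundo-family droppers register a nameless BHO backed by a random-named system32 DLL.
        return "nameless BHO loading a DLL from system32; inspect the file"
    return None


def check_run(m):
    """Heuristics for a parsed O4 line; returns a reason string or None."""
    r = RUNDLL_RE.match(m.group("cmd"))
    if r and not r.group("module").lower().endswith(".dll"):
        # Legitimate rundll32 autoruns load a .dll; another extension hides a DLL under a fake name.
        return f"rundll32 loading a module with a non-.dll extension ({r.group('module')})"
    return None


def triage(log_text):
    """Return a Finding for every O2/O4 line that trips one of the heuristics above."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        reason = check_bho(m) if m else None
        if reason is None:
            m = RUN_RE.match(line)
            reason = check_run(m) if m else None
        if reason:
            findings.append(Finding(n, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}\n    {f.line}")
```

Run on the constructed sample it reports three lines: the nameless system32 BHO, the orphaned BHO with "(no file)", and the rundll32 entry loading winfsy32.rom; the Spybot BHO, the RocketDock autorun and the Windows welcome-center rundll32 entry pass. Feeding the script a full HijackThis log gives a first cut of the lines worth checking against the vendor signature and file date before any fix is applied.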



#2
fenzodahl512
  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo..

> I already ran the Vundo removal tool from this site and got 0 hits; also have DSS but won't post as per the rules.


Ok.. post DSS log here.. Both main.txt and extra.txt.. :)

#3
tom.a.gill
  • Topic Starter
  • Member
  • 15 posts
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-27 21:43:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.55 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-27 21:46:32
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\QuickCam\Quickcam.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Windows\explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Downloads\dss.exe
C:\Program Files\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: Run=C:\Windows\system32\userinit.exe,
O2 - BHO: (no name) - {42A30138-2DA5-463F-B8FA-DEB74952F4C4} - C:\Windows\System32\jkkjifGA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe"
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe winfsy32.rom,bAVRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Google Calendar Sync.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} (WLCTSCControl Class) - https://www.mesh.com...103.3/TSWeb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\System32\browseui.dll
O22 - SharedTaskScheduler: Ave's FolderBg - {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8d8e04ad8f56d) (gupdate1c8d8e04ad8f56d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Program Files\Nero\Nero8\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\System32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe


--
End of file - 11288 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 18:37:23 102400 --a------ C:\Windows\system32\bublag.dll
2008-07-27 18:37:19 102400 --a------ C:\Windows\system32\ajcxifei.dll
2008-07-27 18:32:01 93696 --a------ C:\Windows\system32\neqaijvd.dll
2008-07-27 18:29:42 0 d-------- C:\VundoFix Backups
2008-07-26 21:45:59 83968 --a------ C:\Windows\system32\bvdnwedb.dll
2008-07-26 21:40:54 858288 --ahs---- C:\Windows\system32\AGfijkkj.ini2
2008-07-26 21:40:33 283136 --a------ C:\Windows\system32\jkkjifGA.dll
2008-07-26 21:01:15 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-26 20:30:37 5702 --ah----- C:\Windows\nod32restoretemdono.reg
2008-07-26 18:05:35 0 d-------- C:\Windows\system32\371186
2008-07-26 18:05:28 145 --a------ C:\Windows\system32\winver.bat
2008-07-26 18:04:52 125952 --a------ C:\Windows\system32\winupdate.exe
2008-07-26 18:04:41 2 --a------ C:\546637617
2008-07-26 18:04:38 13312 --a------ C:\xxdxsn.exe
2008-07-26 18:04:38 50688 --a------ C:\cuhv.exe
2008-07-26 16:42:01 0 d-------- C:\Windows\system32\appmgmt
2008-07-25 19:02:03 0 d-------- C:\Program Files\Live Mesh
2008-07-24 19:44:34 0 d-------- C:\Program Files\Orca
2008-07-15 17:51:53 0 d-------- C:\Program Files\cryptload
2008-07-11 23:22:24 0 d-------- C:\Users\All Users\Last.fm
2008-07-11 23:21:53 0 d-------- C:\Program Files\Last.fm
2008-07-06 21:54:53 0 d-------- C:\Program Files\Twessenger
2008-07-06 18:38:58 0 d-------- C:\Program Files\Vista Rainbar
2008-07-06 13:48:33 0 d-------- C:\Windows\Sun
2008-07-04 21:00:01 57344 --a------ C:\Windows\system32\CiAPI.dll <Not Verified; Palm, Inc.; Palm CDK>
2008-07-04 21:00:01 122880 --a------ C:\Windows\ctpu.exe <Not Verified; Beiks, LLC; Pilot Catapult>
2008-07-04 21:00:00 0 d-------- C:\Program Files\TapTarget.com
2008-07-04 20:59:48 57344 --a------ C:\Windows\ResENU.dll <Not Verified; Beiks, LLC; Pilot Catapult>
2008-07-04 17:39:46 0 d-------- C:\temp
2008-07-04 16:53:31 0 d-------- C:\Program Files\SplashData
2008-07-03 17:26:46 0 d-------- C:\Program Files\QTTabbar
2008-07-03 13:02:41 0 d-------- C:\Program Files\Common Files\GeoVid
2008-07-03 13:02:40 180224 --a------ C:\Windows\system32\xvidvfw.dll
2008-07-03 13:02:40 765952 --a------ C:\Windows\system32\xvidcore.dll
2008-07-03 13:02:40 0 d-------- C:\Users\All Users\GeoVid
2008-07-03 13:02:39 1712128 --a------ C:\Windows\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-03 13:02:39 60416 --a------ C:\Windows\system32\dsetup.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Windows®>
2008-07-03 13:00:08 0 d-------- C:\Program Files\GeoVid
2008-06-29 18:05:00 0 d-------- C:\Program Files\zSuite
2008-06-29 13:20:49 0 d-------- C:\Program Files\ThatLook
2008-06-29 13:20:47 297472 --a------ C:\Windows\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2008-06-29 13:20:44 0 -rahs---- C:\MSDOS.SYS
2008-06-29 13:20:44 0 -rahs---- C:\IO.SYS
2008-06-29 12:58:02 0 d-------- C:\Program Files\VPSS
2008-06-28 11:24:17 0 d-------- C:\Users\Administrator\.thumbnails
2008-06-28 11:21:37 0 d-------- C:\Users\Administrator\.gimp-2.4
2008-06-28 11:20:52 0 d-------- C:\Program Files\GIMP-2.0
2008-06-28 01:32:11 0 d-------- C:\Users\All Users\Google
2008-06-27 21:22:13 0 d-------- C:\Users\All Users\Rosetta Stone
2008-06-27 21:22:13 0 d-------- C:\Program Files\Rosetta Stone
2008-06-27 21:01:10 0 d-------- C:\Users\All Users\Nero
2008-06-27 21:01:10 0 d-------- C:\Program Files\Nero
2008-06-27 21:01:10 0 d-------- C:\Program Files\Common Files\Nero


-- Find3M Report ---------------------------------------------------------------

2008-07-27 21:46:44 0 d-------- C:\Users\Administrator\AppData\Roaming\uTorrent
2008-07-26 15:40:00 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-24 19:45:32 0 d-------- C:\Users\Administrator\AppData\Roaming\Orca Profiles
2008-07-24 17:10:24 0 d-------- C:\Program Files\Google
2008-07-12 12:25:13 0 d-------- C:\Users\Administrator\AppData\Roaming\Twessenger
2008-07-12 08:04:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-12 08:04:11 0 d-------- C:\Program Files\Palm
2008-07-12 08:03:14 0 d-------- C:\Users\Administrator\AppData\Roaming\Flock
2008-07-10 03:12:24 0 d-------- C:\Program Files\Windows Mail
2008-07-08 22:07:06 0 d-------- C:\Program Files\Picasa2
2008-07-03 13:36:21 0 d-------- C:\Users\Administrator\AppData\Roaming\GeoVid
2008-07-03 13:02:41 0 d-------- C:\Program Files\Common Files
2008-06-30 20:26:15 0 d-------- C:\Users\Administrator\AppData\Roaming\gtk-2.0
2008-06-28 11:39:35 0 d-------- C:\Users\Administrator\AppData\Roaming\Adobe
2008-06-27 21:06:02 0 d-------- C:\Users\Administrator\AppData\Roaming\Nero
2008-06-26 10:50:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-26 09:57:21 0 d-------- C:\Program Files\Bonjour
2008-06-26 09:44:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-25 23:34:06 662 --ah----- C:\os049389.bin
2008-06-25 20:50:49 0 d-------- C:\Program Files\Common Files\Vbox
2008-06-25 20:04:34 0 d-------- C:\Program Files\%temp&
2008-06-25 19:54:38 0 d-------- C:\Users\Administrator\AppData\Roaming\ESET
2008-06-24 23:41:55 156380 --ah----- C:\Windows\system32\mlfcache.dat
2008-06-24 00:28:15 0 d-------- C:\Program Files\Logitech
2008-06-24 00:25:16 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-06-24 00:25:02 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-24 00:23:59 0 d-------- C:\Program Files\QuickCam
2008-06-23 23:37:11 222 --ah----- C:\Windows\sysreg.dat
2008-06-23 19:42:10 0 d-------- C:\Users\Administrator\AppData\Roaming\Notepad++
2008-06-23 18:10:28 0 d-------- C:\Program Files\Notepad++
2008-06-23 16:59:05 0 d-------- C:\Program Files\Java
2008-06-23 16:55:15 0 d-------- C:\Program Files\Common Files\Java
2008-06-23 16:20:10 0 d-------- C:\Users\Administrator\AppData\Roaming\GetRightToGo
2008-06-23 13:58:09 0 d-------- C:\Program Files\1Time
2008-06-22 20:42:09 0 d-------- C:\Users\Administrator\AppData\Roaming\MessengerGadget
2008-06-22 19:50:53 0 d-------- C:\Program Files\1Click DVD Copy Pro
2008-06-22 19:07:18 0 d-------- C:\Users\Administrator\AppData\Roaming\Vso
2008-06-22 19:07:18 34 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.log
2008-06-22 19:06:43 7887 --a------ C:\Users\Administrator\AppData\Roaming\pcouffin.cat
2008-06-22 01:10:09 0 d-------- C:\Program Files\Real Alternative
2008-06-22 01:10:06 0 d-------- C:\Users\Administrator\AppData\Roaming\Real
2008-06-22 00:34:52 0 d-------- C:\Program Files\Essentials Codec Pack
2008-06-21 18:47:44 0 d-------- C:\Users\Administrator\AppData\Roaming\muvee Technologies
2008-06-21 11:01:13 0 d-------- C:\Program Files\Cucusoft
2008-06-21 10:27:00 0 d-------- C:\Program Files\QuickTime
2008-06-21 10:24:33 0 d-------- C:\Program Files\Apple Software Update
2008-06-21 10:21:50 74 --a------ C:\autoexec.bat
2008-06-21 10:21:04 0 d-------- C:\Program Files\Common Files\muvee Technologies
2008-06-21 10:20:29 0 d-------- C:\Program Files\muvee Technologies
2008-06-19 03:01:04 0 d-------- C:\Program Files\MSXML 4.0
2008-06-19 02:30:17 0 d-------- C:\Program Files\Palm Inc
2008-06-19 02:24:41 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-06-19 02:07:39 0 d-------- C:\Users\Administrator\AppData\Roaming\Arcsoft
2008-06-19 02:06:48 0 d-------- C:\Users\Administrator\AppData\Roaming\HotSync
2008-06-19 01:45:57 0 d-------- C:\Program Files\Messenger Plus! Live
2008-06-19 01:33:58 0 d-------- C:\Users\Administrator\AppData\Roaming\WinRAR
2008-06-18 23:07:55 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-18 22:15:49 0 d-------- C:\Program Files\Windows Live
2008-06-18 22:15:30 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-17 08:04:14 0 d-------- C:\Users\Administrator\AppData\Roaming\Mozilla
2008-06-16 21:40:34 0 d-------- C:\Program Files\Microsoft Games
2008-06-16 21:15:26 0 d-------- C:\Program Files\CONEXANT
2008-06-16 20:38:42 0 d-------- C:\Program Files\Hawking
2008-06-16 18:47:37 0 d-------- C:\Program Files\Evernote
2008-06-16 18:47:22 0 d-------- C:\Users\Administrator\AppData\Roaming\InstallShield
2008-06-16 18:24:38 0 d-------- C:\Program Files\Zune
2008-06-16 18:21:19 0 d-------- C:\Program Files\uTorrent
2008-06-16 18:03:05 0 d-------- C:\Users\Administrator\AppData\Roaming\Intel
2008-06-16 18:02:56 56 --a------ C:\Windows\system32\IHV_Install.bat
2008-06-16 18:02:42 0 d-------- C:\Program Files\PROnetworks
2008-06-16 18:01:47 0 d-------- C:\Program Files\Intel
2008-06-16 17:33:59 0 d-------- C:\Users\Administrator\AppData\Roaming\Launchy
2008-06-16 17:33:53 0 d-------- C:\Program Files\Launchy
2008-06-16 17:32:01 0 d-------- C:\Program Files\RocketDock
2008-06-16 17:31:04 0 d-------- C:\Users\Administrator\AppData\Roaming\Macromedia
2008-06-16 17:31:00 1160 --a------ C:\Windows\mozver.dat
2008-06-16 17:18:36 0 d-------- C:\Users\Administrator\AppData\Roaming\Identities
2008-06-16 17:09:24 0 d-------- C:\Program Files\MSBuild
2008-06-16 17:05:57 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 17:05:04 0 d-------- C:\Program Files\Microsoft.NET
2008-06-16 16:52:15 0 --a------ C:\Windows\nsreg.dat
2008-06-16 15:05:17 0 d-------- C:\Program Files\7-Zip
2008-06-16 15:04:35 0 d-------- C:\Program Files\Stardock
2008-06-16 14:58:59 174 --ahs---- C:\Program Files\desktop.ini
2008-06-16 14:56:41 0 --a------ C:\Windows\system32\atiicdxx.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A30138-2DA5-463F-B8FA-DEB74952F4C4}]
07/26/2008 09:40 PM 283136 --a------ C:\Windows\system32\jkkjifGA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/04/2008 05:41 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 10:00 AM]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [04/29/2008 10:56 PM]
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [04/08/2007 12:44 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [07/25/2007 04:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\QuickCam\Quickcam.exe" [07/25/2007 04:06 PM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [02/18/2008 05:29 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [02/20/2008 11:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [04/04/2008 05:41 AM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 04:58 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [02/25/2008 09:23 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [04/04/2008 05:46 AM]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [02/28/2008 06:07 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [04/04/2008 05:47 AM]
"MoeMonitor.exe"="C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3103.2\MoeMonitor.exe" [07/25/2008 07:00 PM]
"MSSMSGS"="winfsy32.rom,bAVRun" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 7:45:42 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [5/27/2008 12:48:52 PM]
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [1/3/2008 6:28:08 PM]
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [6/16/2008 5:33:51 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [6/25/2008 6:05:52 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"=0 (0x0)
"EnableInstallerDetection"=0 (0x0)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{73526E5A-FD53-4BE7-B5E2-D3C89D7413DC}"= C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll [04/05/2008 06:04 AM 90112]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\jkkjifGA

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
GPSvcGroup GPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration



-- End of Deckard's System Scanner: finished at 2008-07-27 21:47:13 ------------
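The registry dump above contains the whole persistence picture in four places: a Browser Helper Object DLL in system32 (`jkkjifGA.dll`), the same module name appended to LSA's `Authentication Packages` (so lsass.exe loads it at boot, before any user logs on), a current-user Run value (`MSSMSGS` = `winfsy32.rom,bAVRun`) pointing at a non-executable name with no path, and `EnableLUA=0`, which means UAC is off and every process of this Administrator account already runs elevated. The script below is an added example, written for this page; it is not DSS's own code and was not posted in the thread. It parses the text layout DSS uses for its Registry Dump section and flags exactly those patterns. The sample input is constructed from lines copied out of the log above; the default allow-list for LSA authentication packages (`msv1_0` only, the stock value on a standalone Vista machine) and the reading that an empty `[]` after a Run value means DSS could not find the target file are my assumptions, labelled in the code.

```python
"""Heuristic triage of the "Registry Dump" section of a Deckard's System Scanner
(DSS) log. Added example: not DSS code and not posted in the thread."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DSS log posted in this thread, trimmed
# to the entries the heuristics below look at.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42A30138-2DA5-463F-B8FA-DEB74952F4C4}]
07/26/2008 09:40 PM 283136 --a------ C:\Windows\system32\jkkjifGA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [04/04/2008 05:41 AM]
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSMSGS"="winfsy32.rom,bAVRun" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\jkkjifGA
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Run value layout "name"="target" [timestamp]; DSS leaves the brackets empty when
# it cannot stat the target (my reading of the DSS format, see the HotSync line).
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
BHO_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d [AP]M \d+ \S+ (?P<path>.+)$")  # date time size attrs path
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>\d+)')
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # assumption: stock value on a standalone Vista machine


@dataclass(frozen=True)
class Finding:
    category: str  # machine-readable tag
    detail: str    # what a human should look at


def parse_dump(text):
    """Map each '[key]' header to the stripped value lines listed under it."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _stem(path):
    """'C:\\Windows\\system32\\jkkjifGA.dll' -> 'jkkjifga' (directory and extension dropped)."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def triage(sections):
    """Return the Findings for a parsed registry dump."""
    findings, extra_auth, bho_paths = [], [], []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\control\\lsa"):
            for v in values:
                if v.lower().startswith('"authentication packages"='):
                    # space-separated package names; every extra one is loaded into lsass.exe at boot
                    for pkg in v.split("=", 1)[1].split():
                        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                            extra_auth.append(pkg)
                            findings.append(Finding("lsa_auth_package", f"non-default LSA authentication package: {pkg}"))
        elif "browser helper objects\\{" in k:
            bho_paths += [m.group("path") for m in map(BHO_RE.match, values) if m]
        elif k.endswith("\\currentversion\\run"):
            for m in filter(None, map(RUN_RE.match, values)):
                name, stamp = m.group("name"), m.group("stamp").strip()
                module = m.group("target").split(",", 1)[0].strip()  # strip a rundll-style ",export"
                ext = ntpath.splitext(module)[1].lower()
                if not stamp:  # weak on its own (stale entries look the same), strong with the next two
                    findings.append(Finding("run_missing_file", f"{name}: DSS found no file at {module!r}"))
                if not ntpath.dirname(module):
                    findings.append(Finding("run_relative_target", f"{name}: {module!r} has no directory, resolved via the search path"))
                if ext not in EXEC_EXTS:
                    findings.append(Finding("run_odd_extension", f"{name}: {module!r} is not a normal executable ({ext or 'no extension'})"))
        elif k.endswith("\\policies\\system"):
            for m in filter(None, map(DWORD_RE.match, values)):
                if m.group("name") == "EnableLUA" and m.group("value") == "0":
                    findings.append(Finding("uac_disabled", "EnableLUA=0: UAC is off, every process of this admin account runs elevated"))
    # Cross-reference: one module registered both as a BHO and as an LSA package is
    # the pattern visible in this log (jkkjifGA.dll / jkkjifGA).
    auth_stems = {_stem(p): p for p in extra_auth}
    for path in bho_paths:
        if _stem(path) in auth_stems:
            findings.append(Finding("bho_lsa_overlap", f"BHO {ntpath.basename(path)} is also loaded by LSA as {auth_stems[_stem(path)]}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_dump(SAMPLE_DUMP)):
        print(f"[{f.category}] {f.detail}")
```

Run against the sample, the script reports the extra LSA package, its overlap with the BHO DLL, the three oddities of the `MSSMSGS` value, the missing HotSync target and the disabled UAC; the HotSync hit shows why a missing file alone is only a weak signal (a stale entry from an uninstalled product looks identical), while the combination seen on `MSSMSGS` is what makes that entry worth chasing. The LSA finding also explains why a user-mode removal tool can report zero hits: the module is loaded by lsass.exe and IE, not by a process the user can simply end.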

#4 tom.a.gill (Topic Starter)
It's not giving me an extra this time for some reason.

#5 tom.a.gill (Topic Starter)
Hmm... this is the one I had prior.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Windows Windows Vista™ Extreme Edition (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-34
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 1469.58 MiB / 717 MiB
Pagefile Memory (total/avail): 3199.26 MiB / 2170.58 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1885.66 MiB

C: is Fixed (NTFS) - 24.41 GiB total, 2.67 GiB free.
D: is Fixed (FAT32) - 87.33 GiB total, 7.94 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS421212H9AT00 ATA Device - 111.79 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 24.41 GiB - C:
\PARTITION1 - Unknown - 87.37 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)
AS: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)
AS: Spybot - Search and Destroy v1.0.0.6 (Safer Networking Ltd.)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Administrator\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HEAVENH-6KCR1WR
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Administrator
LOCALAPPDATA=C:\Users\Administrator\AppData\Local
LOGONSERVER=\\HEAVENH-6KCR1WR
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\ADMINI~1\AppData\Local\Temp
TMP=C:\Users\ADMINI~1\AppData\Local\Temp
USERDOMAIN=HEAVENH-6KCR1WR
USERNAME=Administrator
USERPROFILE=C:\Users\Administrator
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
1Click DVD Copy Pro 3.1.8.3 --> "C:\Program Files\1Click DVD Copy Pro\unins000.exe"
1Time ver 2.2 --> "C:\Program Files\1Time\unins000.exe"
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
ADDS Flight Path Tool --> C:\Windows\system32\javaws.exe -uninstall -prompt "http://adds.aviation...cation/fpt.php"
ADDS HEMS Tool --> C:\Windows\system32\javaws.exe -uninstall -prompt "http://weather.aero/...hems/hems.jnlp"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Illustrator CS3 --> C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe
Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Setup --> MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Atheros AR5007 Wireless LAN - USB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{581CE7EA-A30D-0000-A215-088635773309}\Setup.exe" -l0x9
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta0300a.INF
Cucusoft Ultimate DVD + Video Converter Suite 7.6.7.5 --> "C:\Program Files\Cucusoft\Ultimate-Converter\unins000.exe"
DeskScapes --> C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\INSTALL.LOG
ESET NOD32 Antivirus --> MsiExec.exe /I{7D974ACA-4EE5-412C-8E6A-A5B57B305727}
Evernote --> C:\Program Files\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe -runfromtemp -l0x0009 -removeonly
GIMP 2.4.6 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Calendar Sync --> "C:\Program Files\Google\Google Calendar Sync\uninstall.exe"
Google Gears --> MsiExec.exe /I{8A7F9328-7B91-3E20-80BF-85F35C8B0C0E}
Google Update --> MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
Intel® PROSet/Wireless Software --> C:\Windows\Installer\iProInst.exe
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Last.fm 1.5.1.30182 --> "C:\Program Files\Last.fm\unins000.exe"
Launchy 2.0 --> "C:\Program Files\Launchy\unins000.exe"
Live Mesh --> MsiExec.exe /X{DCB4E1D9-B187-4B54-971E-1478485C9A53}
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech QuickCam --> MsiExec.exe /X{364EC092-93CF-4DDC-9D7A-7278452028E0}
Logitech® Camera Driver --> "C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
mCore --> MsiExec.exe /I{F5D7FAB5-A1FD-4DD3-983E-4155B09D7102}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
muvee autoProducer 6.1 --> C:\Program Files\InstallShield Installation Information\{7B312BFD-6C04-4409-AB6F-DD41CCD67463}\setup.exe -runfromtemp -l0x0009 -removeonly
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Nero 8 Ultra Edition HD --> MsiExec.exe /X{22101996-62AE-4369-8CEF-581A12221033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NOD32 v3.0.642 FiX1.2 by TemDono (31 days remaining forever up --> "C:\Program Files\ESET\ESET NOD32 Antivirus\unins000.exe"
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050) --> "C:\Program Files\ESET\ESET Smart Security\unins000.exe"
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
Orca (remove only) --> "C:\Program Files\Orca\uninst.exe"
Palm Desktop by ACCESS --> MsiExec.exe /X{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}
Palm Outlook Conduits Updater --> MsiExec.exe /I{616A66CD-D36D-4E24-8B67-33AFDFF48061}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Real Alternative 1.8.0 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
RocketDock 1.3.5 --> "C:\Program Files\RocketDock\unins000.exe"
Rosetta Stone V3 --> MsiExec.exe /X{7210BCFE-ED8D-4261-8537-81B5A4BDFA2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_0300107B\HXFSETUP.EXE -U -Iqta0300m.inf
SplashID --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9DBBC53C-AD7B-44ED-91A7-7568B51182F8}\setup.exe" -l0x9
SplashMoney --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AAE5284-700D-4AB0-B0FB-57B5C8A7D93B}\setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TapTarget.com iSpin for PalmOS --> C:\Windows\ctpu.exe -uC:\Program Files\TapTarget.com\iSpin\install.log -lC:\Windows\ResENU.dll
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{607398CF-354B-4E21-B1BC-549424BFD04C}\setup.exe -runfromtemp -l0x0409
ThatLook --> C:\Windows\uninst.exe -f"C:\Program Files\ThatLook\TNLImage\DeIsL1.isu" -c"C:\Program Files\ThatLook\TNLImage\_ISREG32.DLL"
Twessenger --> MsiExec.exe /I{2B2345F7-8402-4589-91D0-187D5531EDFB}
Update for Microsoft Office Outlook 2007 (KB952142) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb953463) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1B78D541-9FF1-4330-ADD8-CED14F0C1E8E}
VideoAvatar --> "C:\Program Files\GeoVid\Video Avatar\unins000.exe"
Vista Rainbar 4.3 --> C:\Program Files\Vista Rainbar\Uninstall.exe
VistaBootPRO 3.3 --> MsiExec.exe /I{6C9FA746-8759-4040-A436-42922CB3492E}
Visual C++ 8.0 ATL (x86) WinSXS MSM --> MsiExec.exe /I{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}
Visual C++ 8.0 CRT (x86) WinSXS MSM --> MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}
Windows Essentials Media Codec Pack 1.0 --> C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Sound Schemes --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\UltSound.inf,Uninstall
WinRAR archiver --> C:\Program Files\WinRar\uninstall.exe
zSuite --> C:\Program Files\zSuite\Uninstall.exe
Zune --> C:\Program Files\Zune\ZuneSetup.exe /x
Zune --> MsiExec.exe /X{FF70513F-E3A7-402F-84FB-B7810A064BE2}
Zune Language Pack (ES) --> MsiExec.exe /X{EE4ACABF-531E-419A-9225-B8E0FA4955AF}
Zune Language Pack (FR) --> MsiExec.exe /X{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2894 / Error
Event Submitted/Written: 07/27/2008 06:03:10 PM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {0b51319d-c135-4639-9317-fc1e5ac56ff9}

Event Record #/Type2892 / Error
Event Submitted/Written: 07/27/2008 06:02:19 PM
Event ID/Source: 1008 / Perflib
Event Description:
PNRPsvcC:\Windows\system32\pnrpperf.dll4

Event Record #/Type2891 / Error
Event Submitted/Written: 07/27/2008 06:02:18 PM
Event ID/Source: 1010 / Perflib
Event Description:
EmdCacheC:\Windows\system32\emdmgmt.dll4

Event Record #/Type2890 / Error
Event Submitted/Written: 07/27/2008 06:01:47 PM
Event ID/Source: 33 / SideBySide
Event Description:
Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Event Record #/Type2882 / Success
Event Submitted/Written: 07/27/2008 05:15:33 PM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type29236 / Warning
Event Submitted/Written: 07/27/2008 06:19:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HEAVENH-6KCR1WR27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HEAVENH-6KCR1WR27 can't undo changes that you allow.

For more information please see the following:
%HEAVENH-6KCR1WR275

Scan ID: {B6CCEC09-9CD0-4C64-AFDE-CE8B9D766F03}

User: HEAVENH-6KCR1WR\Administrator

Name: %HEAVENH-6KCR1WR271

ID: %HEAVENH-6KCR1WR272

Severity ID: %HEAVENH-6KCR1WR273

Category ID: %HEAVENH-6KCR1WR274

Path Found: %HEAVENH-6KCR1WR276

Alert Type: %HEAVENH-6KCR1WR278

Detection Type: 1.1.1600.02

Event Record #/Type29235 / Warning
Event Submitted/Written: 07/27/2008 06:19:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HEAVENH-6KCR1WR27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HEAVENH-6KCR1WR27 can't undo changes that you allow.

For more information please see the following:
%HEAVENH-6KCR1WR275

Scan ID: {EC5D1853-ED5A-414B-9519-52E63DECAB07}

User: HEAVENH-6KCR1WR\Administrator

Name: %HEAVENH-6KCR1WR271

ID: %HEAVENH-6KCR1WR272

Severity ID: %HEAVENH-6KCR1WR273

Category ID: %HEAVENH-6KCR1WR274

Path Found: %HEAVENH-6KCR1WR276

Alert Type: %HEAVENH-6KCR1WR278

Detection Type: 1.1.1600.02

Event Record #/Type29234 / Warning
Event Submitted/Written: 07/27/2008 06:19:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HEAVENH-6KCR1WR27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HEAVENH-6KCR1WR27 can't undo changes that you allow.

For more information please see the following:
%HEAVENH-6KCR1WR275

Scan ID: {62C31EFB-E4E5-40FB-BF71-6F11B79DC469}

User: HEAVENH-6KCR1WR\Administrator

Name: %HEAVENH-6KCR1WR271

ID: %HEAVENH-6KCR1WR272

Severity ID: %HEAVENH-6KCR1WR273

Category ID: %HEAVENH-6KCR1WR274

Path Found: %HEAVENH-6KCR1WR276

Alert Type: %HEAVENH-6KCR1WR278

Detection Type: 1.1.1600.02

Event Record #/Type29233 / Warning
Event Submitted/Written: 07/27/2008 06:19:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HEAVENH-6KCR1WR27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HEAVENH-6KCR1WR27 can't undo changes that you allow.

For more information please see the following:
%HEAVENH-6KCR1WR275

Scan ID: {CB243760-6E71-4E63-AD3B-5879A98F5071}

User: HEAVENH-6KCR1WR\Administrator

Name: %HEAVENH-6KCR1WR271

ID: %HEAVENH-6KCR1WR272

Severity ID: %HEAVENH-6KCR1WR273

Category ID: %HEAVENH-6KCR1WR274

Path Found: %HEAVENH-6KCR1WR276

Alert Type: %HEAVENH-6KCR1WR278

Detection Type: 1.1.1600.02

Event Record #/Type29231 / Warning
Event Submitted/Written: 07/27/2008 06:14:32 PM
Event ID/Source: 1006 / WinDefend
Event Description:
%HEAVENH-6KCR1WR27 scan has detected spyware or other potentially unwanted software.

For more information please see the following:
%HEAVENH-6KCR1WR275

Scan ID: {0C161B42-1233-4FCC-8335-DE4D441DDA96}

Scan Type: %HEAVENH-6KCR1WR01

Scan Parameters: %HEAVENH-6KCR1WR09

User: HEAVENH-6KCR1WR\Administrator

Name: %HEAVENH-6KCR1WR271

ID: %HEAVENH-6KCR1WR272

Severity ID: %HEAVENH-6KCR1WR273

Category ID: %HEAVENH-6KCR1WR274

Path Found: %HEAVENH-6KCR1WR276

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-07-27 18:20:48 ------------
  • 0

#6
fenzodahl512

  • Malware Removal
  • 9,863 posts

WARNING!
Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purposes until we give it the all clear.



You have more than just Vundo.. Let's kick that Vundo out first :)



Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




NEXT


Please read my post CAREFULLY before proceeding with this step. Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.
For more information regarding this download, please visit this webpage

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Please go HERE to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall**



Regards
fenzodahl512
  • 0

#7
tom.a.gill

    Member

  • Topic Starter
  • Member
  • 15 posts
Thanks for helping me with this.. I think I messed up a bit. I originally ran ComboFix in safe mode.. but then the restart happened and a bunch of stuff opened. So I disabled EVERYTHING and ran it again.. the problem now is you can't see what was deleted in the first run.. but it was about 8 lines of the jkkjiga and yvvy stuff..

Here is the second log.. again, sorry I messed that up.

ComboFix 08-07-27.5 - Administrator 2008-07-28 8:57:43.2 - NTFSx86
Windows Windows Vista™ Extreme Edition 6.0.6001.1.1252.1.1033.18.848 [GMT -4:00]
Running from: D:\Downloads\ComboFix.exe
* Resident AV is active

.
/wow section - STAGE 40
SED: can't read MWindows.dat: No such file or directory
The syntax of the command is incorrect.


((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-28 08:50 . 2008-07-28 08:50 <DIR> d-------- C:\Windows\System32\349168
2008-07-27 18:29 . 2008-07-27 18:29 <DIR> d-------- C:\VundoFix Backups
2008-07-27 18:16 . 2008-07-27 18:16 <DIR> d-------- C:\Deckard
2008-07-26 21:36 . 2008-07-26 21:36 91 --a------ C:\Windows\wininit.ini
2008-07-26 21:01 . 2008-07-26 21:21 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-26 21:01 . 2008-07-26 21:21 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-26 21:01 . 2008-07-26 21:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 20:30 . 2008-03-03 14:25 5,702 --ah----- C:\Windows\nod32restoretemdono.reg
2008-07-26 18:05 . 2008-07-26 20:38 <DIR> d-------- C:\Windows\System32\371186
2008-07-26 18:05 . 2008-07-28 08:50 145 --a------ C:\Windows\System32\winver.bat
2008-07-26 18:04 . 2008-07-26 18:04 50,688 --a------ C:\cuhv.exe
2008-07-26 18:04 . 2008-07-26 18:04 32,768 --a------ C:\Windows\System32\winfsy32.rom
2008-07-26 18:04 . 2008-07-26 18:04 13,312 --a------ C:\xxdxsn.exe
2008-07-26 18:04 . 2008-07-26 18:04 2 --a------ C:\546637617
2008-07-25 19:02 . 2008-07-25 19:02 <DIR> d-------- C:\Program Files\Live Mesh
2008-07-25 19:02 . 2008-07-25 19:02 121,984 --a------ C:\Windows\System32\rdpdispd.dll
2008-07-25 19:02 . 2008-07-25 19:02 12,288 --a------ C:\Windows\System32\drivers\rdpdispm.sys
2008-07-24 19:45 . 2008-07-24 19:45 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\Orca Profiles
2008-07-24 19:44 . 2008-07-24 19:45 <DIR> d-------- C:\Program Files\Orca
2008-07-24 18:09 . 2008-07-24 18:11 210,454,727 --a------ C:\Windows\MEMORY.DMP
2008-07-15 17:51 . 2008-07-15 17:54 <DIR> d-------- C:\Program Files\cryptload
2008-07-11 23:22 . 2008-07-11 23:22 <DIR> d-------- C:\Users\All Users\Last.fm
2008-07-11 23:22 . 2008-07-11 23:22 <DIR> d-------- C:\ProgramData\Last.fm
2008-07-11 23:21 . 2008-07-11 23:21 <DIR> d-------- C:\Program Files\Last.fm
2008-07-11 19:15 . 2008-06-25 21:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-11 19:15 . 2008-06-25 21:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-11 19:15 . 2008-06-25 23:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-08 22:42 . 2007-05-16 16:45 3,497,832 --a------ C:\Windows\System32\d3dx9_34.dll
2008-07-06 21:58 . 2008-07-12 12:25 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\Twessenger
2008-07-06 21:54 . 2008-07-06 21:54 <DIR> d-------- C:\Program Files\Twessenger
2008-07-06 18:38 . 2008-07-06 18:38 <DIR> d-------- C:\Program Files\Vista Rainbar
2008-07-06 13:48 . 2008-07-06 13:48 <DIR> d-------- C:\Windows\Sun
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\utilities
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\lr_skins
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\icons
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\hr_skins
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\clock_skins
2008-07-04 22:13 . 2006-03-09 21:42 357,888 --a------ C:\temp\CSCPDA.exe
2008-07-04 21:00 . 2008-07-04 21:00 <DIR> d-------- C:\Program Files\TapTarget.com
2008-07-04 21:00 . 2004-01-19 12:12 122,880 --a------ C:\Windows\ctpu.exe
2008-07-04 21:00 . 2002-06-19 04:32 57,344 --a------ C:\Windows\System32\CiAPI.dll
2008-07-04 20:59 . 2004-01-10 10:50 57,344 --a------ C:\Windows\ResENU.dll
2008-07-04 19:39 . 2008-07-04 19:39 <DIR> d-------- C:\temp\ZLTCrystal
2008-07-04 17:41 . 2008-07-12 08:04 15 --a------ C:\Windows\MobilePaint.ini
2008-07-04 17:39 . 2008-07-04 22:14 <DIR> d-------- C:\temp
2008-07-04 16:53 . 2008-07-04 16:58 <DIR> d-------- C:\Program Files\SplashData
2008-07-03 17:26 . 2008-07-03 17:33 <DIR> d-------- C:\Program Files\QTTabbar
2008-07-03 13:36 . 2008-07-03 13:36 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\GeoVid
2008-07-03 13:02 . 2008-07-03 13:02 <DIR> d-------- C:\Users\All Users\GeoVid
2008-07-03 13:02 . 2008-07-03 13:02 <DIR> d-------- C:\ProgramData\GeoVid
2008-07-03 13:02 . 2008-07-03 13:02 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-07-03 13:02 . 2004-08-18 16:00 1,712,128 --a------ C:\Windows\System32\gdiplus.dll
2008-07-03 13:02 . 2003-03-19 09:12 1,047,552 --a------ C:\Windows\System32\mfc71u.dll
2008-07-03 13:02 . 2007-06-28 19:52 765,952 --a------ C:\Windows\System32\xvidcore.dll
2008-07-03 13:02 . 2007-06-28 19:54 180,224 --a------ C:\Windows\System32\xvidvfw.dll
2008-07-03 13:02 . 2003-03-19 07:05 89,088 --a------ C:\Windows\System32\atl71.dll
2008-07-03 13:02 . 2005-06-07 16:11 60,416 --a------ C:\Windows\System32\dsetup.dll
2008-07-03 13:00 . 2008-07-03 13:00 <DIR> d-------- C:\Program Files\GeoVid
2008-07-02 22:20 . 2008-07-26 20:23 69 --a------ C:\Windows\NeroDigital.ini
2008-07-02 22:18 . 2008-07-02 22:18 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-29 18:13 . 2008-06-29 18:13 140,288 --a------ C:\Windows\System32\COMDLG32.OCX
2008-06-29 18:05 . 2008-06-29 18:05 <DIR> d-------- C:\Program Files\zSuite
2008-06-29 13:20 . 2008-06-29 13:20 <DIR> d-------- C:\Program Files\ThatLook
2008-06-29 13:20 . 1996-07-18 13:06 297,472 --a------ C:\Windows\uninst.exe
2008-06-29 13:20 . 2000-07-19 14:42 126 --a------ C:\Windows\TL_Image.ini
2008-06-29 12:58 . 2008-06-29 13:12 <DIR> d-------- C:\Program Files\VPSS
2008-06-28 11:24 . 2008-06-30 20:26 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\gtk-2.0
2008-06-28 11:24 . 2008-06-28 11:24 <DIR> d-------- C:\Users\Administrator\.thumbnails
2008-06-28 11:21 . 2008-06-30 21:20 <DIR> d-------- C:\Users\Administrator\.gimp-2.4
2008-06-28 11:20 . 2008-06-28 11:21 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-06-28 01:32 . 2008-06-28 01:32 <DIR> d-------- C:\Users\All Users\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 12:21 --------- d-----w C:\Users\Administrator\AppData\Roaming\uTorrent
2008-07-28 01:40 --------- d-----w C:\ProgramData\Rosetta Stone
2008-07-27 00:25 --------- d-----w C:\ProgramData\ESET
2008-07-27 00:25 --------- d-----w C:\Program Files\ESET
2008-07-26 19:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-24 21:10 --------- d-----w C:\Program Files\Google
2008-07-12 12:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-12 12:04 --------- d-----w C:\Program Files\Palm
2008-07-12 12:03 --------- d-----w C:\Users\Administrator\AppData\Roaming\Flock
2008-07-11 23:21 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-10 07:12 --------- d-----w C:\Program Files\Windows Mail
2008-07-09 02:07 --------- d-----w C:\Program Files\Picasa2
2008-07-01 01:58 140 ----a-w C:\Users\Administrator\.hemsFavorites.dat
2008-06-28 01:22 --------- d-----w C:\Program Files\Rosetta Stone
2008-06-28 01:13 --------- d-----w C:\Program Files\Nero
2008-06-28 01:06 --------- d-----w C:\Users\Administrator\AppData\Roaming\Nero
2008-06-28 01:03 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-28 01:01 --------- d-----w C:\ProgramData\Nero
2008-06-26 16:03 --------- d-----w C:\ProgramData\FLEXnet
2008-06-26 15:01 --------- d-----w C:\ProgramData\ALM
2008-06-26 14:50 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-26 13:57 --------- d-----w C:\Program Files\Bonjour
2008-06-26 13:44 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-26 03:34 662 ---ha-w C:\os049389.bin
2008-06-26 00:50 --------- d-----w C:\Program Files\Common Files\Vbox
2008-06-26 00:04 --------- d-----w C:\Program Files\%temp&
2008-06-25 23:54 --------- d-----w C:\Users\Administrator\AppData\Roaming\ESET
2008-06-25 22:05 130,208 ------r C:\Windows\bwUnin-8.1.1.87-8876480SL.exe
2008-06-24 04:28 127,034 ------r C:\Windows\bwUnin-8.1.1.50-8876480SL.exe
2008-06-24 04:28 --------- d-----w C:\Program Files\Logitech
2008-06-24 04:25 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-06-24 04:25 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-24 04:23 --------- d-----w C:\ProgramData\Logitech
2008-06-24 04:23 --------- d-----w C:\ProgramData\LogiShrd
2008-06-24 04:23 --------- d-----w C:\Program Files\QuickCam
2008-06-23 23:42 --------- d-----w C:\Users\Administrator\AppData\Roaming\Notepad++
2008-06-23 22:10 --------- d-----w C:\Program Files\Notepad++
2008-06-23 20:59 --------- d-----w C:\Program Files\Java
2008-06-23 20:55 --------- d-----w C:\Program Files\Common Files\Java
2008-06-23 20:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\GetRightToGo
2008-06-23 17:58 --------- d-----w C:\Program Files\1Time
2008-06-23 00:42 --------- d-----w C:\Users\Administrator\AppData\Roaming\MessengerGadget
2008-06-22 23:50 --------- d-----w C:\Program Files\1Click DVD Copy Pro
2008-06-22 23:34 --------- d-----w C:\ProgramData\vsosdk
2008-06-22 23:07 --------- d-----w C:\Users\Administrator\AppData\Roaming\Vso
2008-06-22 23:06 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-06-22 23:06 47,360 ----a-w C:\Users\Administrator\AppData\Roaming\pcouffin.sys
2008-06-22 05:10 --------- d-----w C:\Program Files\Real Alternative
2008-06-22 04:34 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-06-21 22:47 --------- d-----w C:\Users\Administrator\AppData\Roaming\muvee Technologies
2008-06-21 15:01 --------- d-----w C:\Program Files\Cucusoft
2008-06-21 14:27 --------- d-----w C:\Program Files\QuickTime
2008-06-21 14:25 --------- d-----w C:\ProgramData\Apple Computer
2008-06-21 14:24 --------- d-----w C:\ProgramData\Apple
2008-06-21 14:24 --------- d-----w C:\Program Files\Apple Software Update
2008-06-21 14:21 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-06-21 14:20 --------- d-----w C:\Program Files\muvee Technologies
2008-06-21 14:19 --------- d-----w C:\ProgramData\muvee Technologies
2008-06-20 13:33 0 ---ha-w C:\Windows\system32\drivers\Msft_User_ZuneDriver_01_00_00.Wdf
2008-06-19 07:01 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-19 06:30 --------- d-----w C:\Program Files\Palm Inc
2008-06-19 06:24 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-06-19 06:07 --------- d-----w C:\Users\Administrator\AppData\Roaming\Arcsoft
2008-06-19 06:06 --------- d-----w C:\Users\Administrator\AppData\Roaming\HotSync
2008-06-19 06:06 --------- d-----w C:\ProgramData\HotSync
2008-06-19 05:47 --------- d-----w C:\ProgramData\Messenger Plus!
2008-06-19 05:45 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-19 03:07 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-19 02:15 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-19 02:15 --------- d-----w C:\Program Files\Windows Live
2008-06-19 02:02 --------- d-----w C:\ProgramData\WLInstaller
2008-06-17 01:40 --------- d-----w C:\Program Files\Microsoft Games
2008-06-17 01:15 --------- d-----w C:\Program Files\CONEXANT
2008-06-17 00:38 --------- d-----w C:\Program Files\Hawking
2008-06-16 22:47 --------- d-----w C:\Users\Administrator\AppData\Roaming\InstallShield
2008-06-16 22:47 --------- d-----w C:\Program Files\Evernote
2008-06-16 22:24 --------- d-----w C:\Program Files\Zune
2008-06-16 22:21 --------- d-----w C:\Program Files\uTorrent
2008-06-16 22:03 --------- d-----w C:\Users\Administrator\AppData\Roaming\Intel
2008-06-16 22:03 --------- d-----w C:\ProgramData\Roaming
2008-06-16 22:02 --------- d-----w C:\ProgramData\Intel
2008-06-16 22:02 --------- d-----w C:\Program Files\PROnetworks
2008-06-16 22:01 --------- d-----w C:\Program Files\Intel
2008-06-16 21:33 --------- d-----w C:\Users\Administrator\AppData\Roaming\Launchy
2008-06-16 21:33 --------- d-----w C:\Program Files\Launchy
2008-06-16 21:32 --------- d-----w C:\Program Files\RocketDock
2008-06-16 21:09 --------- d-----w C:\Program Files\MSBuild
2008-06-16 21:05 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-16 21:05 --------- d-----w C:\Program Files\Microsoft Works
2008-06-16 19:05 --------- d-----w C:\Program Files\7-Zip
2008-06-16 19:04 --------- d-----w C:\ProgramData\Stardock
2008-06-16 19:04 --------- d-----w C:\Program Files\Stardock
2008-06-16 18:58 174 --sha-w C:\Program Files\desktop.ini
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-28_ 8.44.21.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-28 12:36:35 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-28 13:05:38 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-28 12:36:35 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-28 13:05:37 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-28 13:05:37 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1
- 2008-07-28 12:36:28 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-28 13:05:28 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-28 12:36:28 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-28 13:05:28 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-28 12:36:28 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-28 13:05:28 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-28 12:14:58 102,194 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-28 13:04:10 97,592 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-28 12:14:58 598,588 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-28 13:04:10 585,388 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-28 12:26:43 6,934 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-492835491-2563465948-1679816886-500_UserData.bin
+ 2008-07-28 12:57:54 7,210 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-492835491-2563465948-1679816886-500_UserData.bin
- 2008-07-28 12:26:43 50,006 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-28 12:57:54 50,330 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-28 12:27:09 6,340 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-28 12:54:21 6,442 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-07-28 12:26:38 35,830 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-28 12:57:49 36,262 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 16:58 495616]
"MSSMSGS"="winfsy32.rom" [2008-07-26 18:04 32768 C:\Windows\System32\winfsy32.rom]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{73526E5A-FD53-4BE7-B5E2-D3C89D7413DC}"= "C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll" [2008-04-05 06:04 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-492835491-2563465948-1679816886-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A0F5032C-562E-4294-88F4-23F3551F3821}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{DD0B86FB-66AF-43B7-A884-CF1EB496B133}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{51EC491B-CE04-4F8A-8A0B-1C40AD06FB7D}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{71D074E8-D0C2-41B2-B9C0-F5EB2CC1C14A}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B658EE7-0523-45EA-9D28-915E3369399B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0641A39D-23C9-412E-B46D-3C66F3CD3EF0}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{0F01261E-C68F-4DEE-8594-A0DF45C9256A}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{2D5149EF-A948-431F-93F8-CA5AC3CA2D0B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{BB9E8F01-821C-4D58-8841-843F8BF7AAAC}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{3F8DCEF5-D661-475D-92B6-43DA4AD71EEF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C3A210CE-0C7B-41DE-AA2B-3BAE0F87FCD8}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{1DA3B0D0-8DC8-40AA-A077-CFB5FB88860C}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{50C81BF6-A385-49A2-BA0B-398FED93468F}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{B01104F4-0737-4CD7-9162-40B15939262F}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{92DEBC75-C669-49E6-A1D5-39AB667A73A3}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{169EBD80-FA5B-42C9-AE37-2924F8E00438}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{25E240E7-C831-4AF5-B78F-36C59F3980D6}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{18AA2D5D-4F75-4C1F-BB17-87059D1FEEBC}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3EF9A686-2521-446A-8ADC-7FCE1E3FC131}"= inRosettaStoneLtdServices.exe:Rosetta Stone Online Component (inbound)
"{1BC7ABBC-4A34-497B-8584-2C2A7C5F274D}"= RosettaStoneVersion3.exe:Rosetta Stone V3 Application (inbound)
"{5B23BFAB-E7CA-4FB3-9A79-9F3D6F4AB95C}"= UDP:C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh
"{69AD61A0-D3D6-46F7-9B9E-F12DB51CB888}"= TCP:C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {7A113B22-EF58-4F8A-A63E-FB8639E5E7FC},{A9AE043F-3ED2-48E9-92C9-DCC9846E28A0}

R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 09:42]
R2 wlcrasvc;Live Mesh Remote Desktop;C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-07-25 19:02]
R3 HSFHWATI;HSFHWATI;C:\Windows\system32\DRIVERS\HSFHWATI.sys [2005-01-25 16:26]
R3 RDPDISPM;RDPDISPM;C:\Windows\system32\DRIVERS\rdpdispm.sys [2008-07-25 19:02]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]
S2 gupdate1c8d8e04ad8f56d;Google Update Service (gupdate1c8d8e04ad8f56d);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-25 17:09]
S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrusb.sys [2006-12-22 23:05]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\Windows\system32\ZuneWlanCfgSvc.exe [2008-04-29 22:56]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-04-04 05:39]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-04-04 05:41]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Add to Evernote - C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.3103.3/TSWeb.cab
C:\Windows\Downloaded Program Files\TSWeb.inf
C:\Windows\Downloaded Program Files\utilclasses.dll
C:\Windows\Downloaded Program Files\rdpstream.dll
C:\Windows\Downloaded Program Files\wlcmstscax.dll
C:\Windows\Downloaded Program Files\rdpapi.dll
C:\Windows\Downloaded Program Files\lkrhwlc.dll
C:\Windows\Downloaded Program Files\encoders.dll
C:\Windows\Downloaded Program Files\commengine.dll
C:\Windows\Downloaded Program Files\blackpipe.dll
C:\Windows\Downloaded Program Files\WLCTSCCtl.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 09:05:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2008-07-28 9:12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 13:12:28
ComboFix2.txt 2008-07-28 12:45:37

Pre-Run: 2,200,764,416 bytes free
Post-Run: 2,043,928,576 bytes free

336 --- E O F --- 2008-07-24 21:19:17
  • 0
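The "Reg Loading Points" section of the ComboFix log above is where the real findings sit: a Run entry pointing at a bare "winfsy32.rom" in System32, UAC switched off, Security Center alerts suppressed and the firewall disabled. Here is an added example (not part of this thread and not ComboFix's own code) that parses that REGEDIT4-style section and flags both kinds of finding; the list of weakening settings and the set of normal autorun extensions are this example's own choices, and SAMPLE_LOG is constructed from the values quoted in the log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of this thread or of ComboFix. It picks out what a
malware-removal helper checks first in that section: autorun entries that do
not look like an installed program, and policy values showing that the
machine's own defences (UAC, firewall, Security Center alerts) were turned off.
"""
import re
from typing import Dict, List, Optional, Tuple

# (key-path suffix, value name, value that indicates weakening, meaning)
# Chosen for this example; extend as needed.
WEAKENED_SETTINGS = [
    ("policies\\system", "EnableLUA", 0, "UAC is disabled"),
    ("policies\\system", "ConsentPromptBehaviorAdmin", 0, "admin elevation prompts disabled"),
    ("security center", "AntiVirusDisableNotify", 1, "antivirus warnings suppressed"),
    ("security center", "UpdatesDisableNotify", 1, "Windows Update warnings suppressed"),
    ("security center\\svc", "FirewallOverride", 1, "firewall status overridden"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall is off"),
]
# Extensions a legitimate Run entry normally points at (example's own list).
NORMAL_RUN_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js")

# Constructed sample: the relevant lines of the log posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 16:58 495616]
"MSSMSGS"="winfsy32.rom" [2008-07-26 18:04 32768 C:\Windows\System32\winfsy32.rom]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
"""


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: raw right-hand side}}.

    Only '[key]' headers and '"Name"=...' lines are read; ComboFix's service
    lines (R1/S2 ...) and notes are skipped.
    """
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            reg[current][name.strip('"')] = raw.strip()
    return reg


def _int_value(raw: str) -> Optional[int]:
    """Parse ComboFix's '0 (0x0)' or 'dword:00000001' forms; None otherwise."""
    m = re.match(r"dword:([0-9a-fA-F]+)$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x", raw)
    return int(m.group(1)) if m else None


def _target_of(raw: str) -> str:
    """Strip quotes and ComboFix's trailing '[date size path]' annotation."""
    return raw.split(" [", 1)[0].strip().strip('"')


def suspicious_run_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run values with no directory part or a non-executable extension."""
    hits = []
    for key, values in reg.items():
        if key.endswith("\\currentversion\\run"):
            for name, raw in values.items():
                target = _target_of(raw)
                if "\\" not in target or not target.lower().endswith(NORMAL_RUN_EXTENSIONS):
                    hits.append((name, target))
    return hits


def weakened_settings(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Policy values set to the weakening value listed in WEAKENED_SETTINGS."""
    findings = []
    for key, values in reg.items():
        for suffix, name, bad, meaning in WEAKENED_SETTINGS:
            if key.endswith(suffix) and _int_value(values.get(name, "")) == bad:
                findings.append((name, meaning))
    return findings


if __name__ == "__main__":
    parsed = parse_reg_points(SAMPLE_LOG)
    for name, target in suspicious_run_entries(parsed):
        print(f"suspicious autorun: {name} -> {target}")
    for name, meaning in weakened_settings(parsed):
        print(f"weakened defence: {name}: {meaning}")
```

Run against the sample it reports the MSSMSGS entry and all six weakened settings; the same parser works on the full section of a real ComboFix.txt.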

#8
tom.a.gill

    Member

  • Topic Starter
  • Member
  • 15 posts
Oh, not sure why it says AV is running. I have it set not to start and it is disabled.
  • 0

#9
fenzodahl512

  • Malware Removal
  • 9,863 posts
First of all, do all scans in Normal mode, not Safe Mode, unless I tell you to do so.

Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Windows\System32\rdpdispd.dll
    • C:\Windows\ctpu.exe
    • C:\Windows\System32\winver.bat
  • Click on the Upload button. You can only submit one file per round.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.



NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\cuhv.exe
C:\Windows\System32\winfsy32.rom
C:\xxdxsn.exe
C:\546637617

Folder::
C:\Windows\System32\349168
C:\VundoFix Backups
C:\Windows\System32\371186

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org results
  • Combofix.txt
  • A new HijackThis log.

  • 0

#10
tom.a.gill

    Member

  • Topic Starter
  • Member
  • 15 posts
I will post in steps.

1. Results from C:\Windows\System32\rdpdispd.dll

VirSCAN.org Scanned Report :
Scanner results: All Scanners reported not find malware!
File Name : rdpdispd.dll
File Size : 121984 byte
File Type : PE32 executable for MS Windows (DLL) (native) Intel 80386 32
MD5 : 9aebfd5943bfd07e8716ad2ea11f8bfd
SHA1 : 06b18ef5ddd419cc653cd542e0dd91f8053147a2
Online report : http://virscan.org/r...b0249270b5.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.27 2008-07-27 2.17 -
AhnLab V3 2008.07.28.01 2008.07.28 2008-07-28 0.83 -
AntiVir 7.8.1.12 7.0.5.179 2008-07-28 2.12 -
Arcavir 1.0.5 200807271037 2008-07-27 1.19 -
AVAST! 3.0.1 080728-0 2008-07-28 0.01 -
AVG 7.5.51.442 270.5.6/1577 2008-07-28 1.50 -
BitDefender 7.60825.1405165 7.20238 2008-07-28 2.63 -
CA (VET) 9.0.0.143 31.6.5990 2008-07-28 0.56 -
ClamAV 0.93.3 7863 2008-07-28 0.03 -
Comodo 2.11 2.0.0.599 2008-07-28 0.75 -
CP Secure 1.1.0.715 2008.07.26 2008-07-26 5.57 -
Dr.Web 4.44.0.9170 2008.07.28 2008-07-28 3.02 -
ewido 4.0.0.2 2008.07.28 2008-07-28 2.37 -
F-Prot 4.4.4.56 20080727 2008-07-27 0.98 -
F-Secure 5.51.6100 2008.07.28.03 2008-07-28 0.04 -
Fortinet 2.81-3.11 9.358 2008-07-27 1.62 -
ViRobot 20080728 2008.07.28 2008-07-28 0.40 -
Ikarus T3.1.01.34 2008.07.28.71175 2008-07-28 3.10 -
JiangMin 11.0.706 2008.07.28 2008-07-28 1.13 -
Kaspersky 5.5.10 2008.07.28 2008-07-28 0.03 -
KingSoft 2008.1.14.15 2008.7.28.17 2008-07-28 0.54 -
McAfee 5.2.00 5347 2008-07-25 2.19 -
Microsoft 1.3704 2008.07.28 2008-07-28 4.59 -
mks_vir 2.01 2008.07.27 2008-07-27 2.25 -
Norman 5.93.01 5.93.00 2008-07-28 4.66 -
Panda 9.05.01 2008.07.27 2008-07-27 1.82 -
Trend Micro 8.700-1004 5.438.03 2008-07-28 0.03 -
Quick Heal 9.50 2008.07.25 2008-07-25 1.65 -
Rising 20.0 20.55.02.00 2008-07-28 0.73 -
Sophos 2.75.4 4.31 2008-07-28 1.92 -
Sunbelt 3.1.1536.1 2166 2008-07-25 0.45 -
Symantec 1.3.0.24 20080727.004 2008-07-27 0.05 -
nProtect 2008-07-28.00 1721581 2008-07-28 3.22 -
The Hacker 6.2.96 v00389 2008-07-24 0.39 -
VBA32 3.12.8.1 20080728.0803 2008-07-28 1.12 -
VirusBuster 4.5.11.10 10.82.24/596856 2008-07-27 0.84 -

#11 tom.a.gill (Topic Starter)
For: C:\Windows\ctpu.exe

Report:
VirSCAN.org Scanned Report :
Scanned time : 2008/07/28 11:03:36 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : ctpu.exe
File Size : 122880 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 937f5f28e9761cf21132b56dd287e5fe
SHA1 : 9f463807b88a7bc8f8669cd32d75059f3b42c1f3
Online report : http://virscan.org/r...b074da6694.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.22 2008.07.27 2008-07-27 2.36 -
AhnLab V3 2008.07.28.01 2008.07.28 2008-07-28 0.86 -
AntiVir 7.8.1.12 7.0.5.179 2008-07-28 2.15 -
Arcavir 1.0.5 200807271037 2008-07-27 1.19 -
AVAST! 3.0.1 080728-0 2008-07-28 0.01 -
AVG 7.5.51.442 270.5.6/1577 2008-07-28 1.51 -
BitDefender 7.60825.1405165 7.20238 2008-07-28 2.63 -
CA (VET) 9.0.0.143 31.6.5990 2008-07-28 0.94 -
ClamAV 0.93.3 7863 2008-07-28 0.03 -
Comodo 2.11 2.0.0.599 2008-07-28 0.43 -
CP Secure 1.1.0.715 2008.07.26 2008-07-26 5.55 -
Dr.Web 4.44.0.9170 2008.07.28 2008-07-28 3.08 -
ewido 4.0.0.2 2008.07.28 2008-07-28 2.45 -
F-Prot 4.4.4.56 20080727 2008-07-27 0.97 -
F-Secure 5.51.6100 2008.07.28.03 2008-07-28 2.83 -
Fortinet 2.81-3.11 9.358 2008-07-27 1.65 -
ViRobot 20080728 2008.07.28 2008-07-28 0.40 -
Ikarus T3.1.01.34 2008.07.28.71175 2008-07-28 3.18 -
JiangMin 11.0.706 2008.07.28 2008-07-28 1.15 -
Kaspersky 5.5.10 2008.07.28 2008-07-28 0.04 -
KingSoft 2008.1.14.15 2008.7.28.17 2008-07-28 0.54 -
McAfee 5.2.00 5347 2008-07-25 2.25 -
Microsoft 1.3704 2008.07.28 2008-07-28 4.94 -
mks_vir 2.01 2008.07.27 2008-07-27 2.33 -
Norman 5.93.01 5.93.00 2008-07-28 4.58 -
Panda 9.05.01 2008.07.27 2008-07-27 1.92 -
Trend Micro 8.700-1004 5.438.03 2008-07-28 0.03 -
Quick Heal 9.50 2008.07.25 2008-07-25 1.64 -
Rising 20.0 20.55.02.00 2008-07-28 0.74 -
Sophos 2.75.4 4.31 2008-07-28 1.92 -
Sunbelt 3.1.1536.1 2166 2008-07-25 0.48 -
Symantec 1.3.0.24 20080727.004 2008-07-27 0.05 -
nProtect 2008-07-28.00 1721581 2008-07-28 3.17 -
The Hacker 6.2.96 v00389 2008-07-24 0.39 -
VBA32 3.12.8.1 20080728.0803 2008-07-28 1.25 -
VirusBuster 4.5.11.10 10.82.24/596856 2008-07-27 0.85 -

#12 tom.a.gill (Topic Starter)
For: C:\Windows\System32\winver.bat

Report:

File winver.bat received on 07.28.2008 17:14:34 (CET)
Result: 0/35 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.28 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.28 -
AVG 8.0.0.130 2008.07.28 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.28 -
eSafe 7.0.17.0 2008.07.28 -
eTrust-Vet 31.6.5989 2008.07.28 -
Ewido 4.0 2008.07.28 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3303 2008.07.28 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 -
PCTools 4.4.2.0 2008.07.28 -
Prevx1 V2 2008.07.28 -
Rising 20.55.02.00 2008.07.28 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.28 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 3.12.8.1 2008.07.28 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.28 -
Webwasher-Gateway 6.6.2 2008.07.28 -
Additional information
File size: 145 bytes
MD5...: 60519625f4dc014027e90173942cae94
SHA1..: 7540503f844d85562df08dee0cf35d35c3d5ef42
SHA256: fdc4f7ee17ff7fd39dc62e148810ee83fec971b1b8bf12096be9e1215c169161
SHA512: 30f72aeeef082a8e2caaacf0f41d3ca020109cab57a88bae819fed91fdb5b956
9fc41819f2694240fc0443eadc8ed337db615d5678dbdb215d644f7f9877a406
PEiD..: -
PEInfo: -
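All three reports above come back with zero hits, which raises two things a practitioner checks before trusting a pasted report: whether the file that was scanned is byte-for-byte the one on disk (the MD5/SHA1 lines each service prints), and how the engine count actually split. The Python below is an added example, not code from this thread or from VirSCAN.org or VirusTotal: it computes the local digests, pulls the hash lines, declared size and hit count out of report text in either of the two layouts pasted above, and flags any mismatch. The sample file content and both sample reports are constructed; the hashes in them are the standard digests of the three-byte string "abc". One caveat the numbers alone do not convey: winver.bat is 145 bytes and a batch file is plain text, so 0/35 on it says little and the file can simply be opened and read.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file pulled off disk (the bytes "abc").
SAMPLE_FILE = b"abc"

# Constructed report in the VirSCAN.org layout pasted in this thread. The hash
# lines carry the real digests of SAMPLE_FILE; one engine row is a made-up hit.
VIRSCAN_REPORT = """VirSCAN.org Scanned Report :
File Name : suspect.bin
File Size : 3 byte
MD5 : 900150983cd24fb0d6963f7d28e17f72
SHA1 : a9993e364706816aba3e25717850c26c9cd0d89d

Scanner Engine Ver Sig Ver Sig Date Time Scan result
EngineA 1.0 2008.07.28 2008-07-28 0.10 -
EngineB 2.0 2008.07.28 2008-07-28 0.20 Trojan.Generic.Example
EngineC 3.0 2008.07.28 2008-07-28 0.30 -
"""

# Constructed report in the VirusTotal layout pasted in this thread (same file).
VIRUSTOTAL_REPORT = """File suspect.bin received on 07.28.2008 17:14:34 (CET)
Result: 0/35 (0%)
Additional information
File size: 3 bytes
MD5...: 900150983cd24fb0d6963f7d28e17f72
SHA1..: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

# "MD5 : ..." (VirSCAN) and "MD5...: ..." / "SHA1..: ..." (VirusTotal) both match.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)\s*[.:]+\s*([0-9a-fA-F]+)\s*$", re.M)
SIZE_LINE = re.compile(r"^File [Ss]ize\s*:\s*([\d,]+)\s*byte", re.M)
RESULT_LINE = re.compile(r"^Result:\s*(\d+)/(\d+)", re.M)


def local_digests(data: bytes) -> dict:
    """Digests of the bytes actually on disk, keyed the way the reports label them."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def parse_report(text: str) -> dict:
    """Extract hashes, declared size and the hits/total split from either layout."""
    hashes = {alg: h.lower() for alg, h in HASH_LINE.findall(text)}
    size_m = SIZE_LINE.search(text)
    size = int(size_m.group(1).replace(",", "")) if size_m else None

    result_m = RESULT_LINE.search(text)
    if result_m:                       # VirusTotal states the split outright
        hits, total = int(result_m.group(1)), int(result_m.group(2))
    else:                              # VirSCAN: count engine rows, '-' means clean
        hits = total = 0
        in_table = False
        for line in text.splitlines():
            if line.startswith("Scanner Engine"):
                in_table = True
                continue
            if in_table and line.strip():
                total += 1
                if line.split()[-1] != "-":
                    hits += 1
    return {"hashes": hashes, "size": size, "hits": hits, "total": total}


def verify(data: bytes, report_text: str) -> dict:
    """Cross-check a pasted report against the local file: same bytes, and how many engines hit."""
    report = parse_report(report_text)
    local = local_digests(data)
    mismatched = sorted(alg for alg, h in report["hashes"].items() if local.get(alg) != h)
    size_ok = report["size"] is None or report["size"] == len(data)
    return {
        "same_file": bool(report["hashes"]) and not mismatched and size_ok,
        "mismatched": mismatched,
        "hits": report["hits"],
        "total": report["total"],
    }


if __name__ == "__main__":
    for name, text in (("VirSCAN", VIRSCAN_REPORT), ("VirusTotal", VIRUSTOTAL_REPORT)):
        print(name, verify(SAMPLE_FILE, text))
```

A report whose hashes do not match the local file is a report about some other file (a re-upload after the malware rewrote itself, a wrong path, or a copy from elsewhere) and should not be read as a verdict on the one in question; the `same_file` flag catches that before anyone looks at the hit count.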

#13 tom.a.gill (Topic Starter)
ComboFix log:
ComboFix 08-07-27.5 - Administrator 2008-07-28 11:28:11.3 - NTFSx86
Windows Windows Vista™ Extreme Edition 6.0.6001.1.1252.1.1033.18.852 [GMT -4:00]
Running from: D:\Downloads\ComboFix.exe
Command switches used :: D:\Downloads\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\546637617
C:\cuhv.exe
C:\Windows\System32\winfsy32.rom
C:\xxdxsn.exe
.
/wow section - STAGE 40
SED: can't read MWindows.dat: No such file or directory
pv: No matching processes found
SED: can't read MWindows.dat: No such file or directory
The syntax of the command is incorrect.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\546637617
C:\cuhv.exe
C:\VundoFix Backups
C:\Windows\System32\349168
C:\Windows\System32\371186
C:\Windows\System32\winfsy32.rom
C:\xxdxsn.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-28 10:29 . <DIR> C:\Windows\LastGood.Tmp
2008-07-28 09:54 . 2008-07-28 09:54 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-28 09:16 . 2008-07-28 09:16 120 --a------ C:\4223.bat
2008-07-27 18:16 . 2008-07-27 18:16 <DIR> d-------- C:\Deckard
2008-07-26 21:36 . 2008-07-26 21:36 91 --a------ C:\Windows\wininit.ini
2008-07-26 21:01 . 2008-07-26 21:21 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-26 21:01 . 2008-07-26 21:21 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-26 21:01 . 2008-07-26 21:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-26 20:30 . 2008-03-03 14:25 5,702 --ah----- C:\Windows\nod32restoretemdono.reg
2008-07-26 18:05 . 2008-07-28 08:50 145 --a------ C:\Windows\System32\winver.bat
2008-07-25 19:02 . 2008-07-25 19:02 <DIR> d-------- C:\Program Files\Live Mesh
2008-07-25 19:02 . 2008-07-25 19:02 121,984 --a------ C:\Windows\System32\rdpdispd.dll
2008-07-25 19:02 . 2008-07-25 19:02 12,288 --a------ C:\Windows\System32\drivers\rdpdispm.sys
2008-07-24 19:45 . 2008-07-24 19:45 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\Orca Profiles
2008-07-24 19:44 . 2008-07-24 19:45 <DIR> d-------- C:\Program Files\Orca
2008-07-24 18:09 . 2008-07-24 18:11 210,454,727 --a------ C:\Windows\MEMORY.DMP
2008-07-15 17:51 . 2008-07-15 17:54 <DIR> d-------- C:\Program Files\cryptload
2008-07-11 23:22 . 2008-07-11 23:22 <DIR> d-------- C:\Users\All Users\Last.fm
2008-07-11 23:22 . 2008-07-11 23:22 <DIR> d-------- C:\ProgramData\Last.fm
2008-07-11 23:21 . 2008-07-11 23:21 <DIR> d-------- C:\Program Files\Last.fm
2008-07-11 19:15 . 2008-06-25 21:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-11 19:15 . 2008-06-25 21:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-11 19:15 . 2008-06-25 23:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-08 22:42 . 2007-05-16 16:45 3,497,832 --a------ C:\Windows\System32\d3dx9_34.dll
2008-07-06 21:58 . 2008-07-12 12:25 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\Twessenger
2008-07-06 21:54 . 2008-07-06 21:54 <DIR> d-------- C:\Program Files\Twessenger
2008-07-06 18:38 . 2008-07-06 18:38 <DIR> d-------- C:\Program Files\Vista Rainbar
2008-07-06 13:48 . 2008-07-06 13:48 <DIR> d-------- C:\Windows\Sun
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\utilities
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\lr_skins
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\icons
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\hr_skins
2008-07-04 22:13 . 2008-04-01 15:41 <DIR> d-------- C:\temp\clock_skins
2008-07-04 22:13 . 2006-03-09 21:42 357,888 --a------ C:\temp\CSCPDA.exe
2008-07-04 21:00 . 2008-07-04 21:00 <DIR> d-------- C:\Program Files\TapTarget.com
2008-07-04 21:00 . 2004-01-19 12:12 122,880 --a------ C:\Windows\ctpu.exe
2008-07-04 21:00 . 2002-06-19 04:32 57,344 --a------ C:\Windows\System32\CiAPI.dll
2008-07-04 20:59 . 2004-01-10 10:50 57,344 --a------ C:\Windows\ResENU.dll
2008-07-04 19:39 . 2008-07-04 19:39 <DIR> d-------- C:\temp\ZLTCrystal
2008-07-04 17:41 . 2008-07-12 08:04 15 --a------ C:\Windows\MobilePaint.ini
2008-07-04 17:39 . 2008-07-04 22:14 <DIR> d-------- C:\temp
2008-07-04 16:53 . 2008-07-04 16:58 <DIR> d-------- C:\Program Files\SplashData
2008-07-03 17:26 . 2008-07-03 17:33 <DIR> d-------- C:\Program Files\QTTabbar
2008-07-03 13:36 . 2008-07-03 13:36 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\GeoVid
2008-07-03 13:02 . 2008-07-03 13:02 <DIR> d-------- C:\Users\All Users\GeoVid
2008-07-03 13:02 . 2008-07-03 13:02 <DIR> d-------- C:\ProgramData\GeoVid
2008-07-03 13:02 . 2008-07-03 13:02 <DIR> d-------- C:\Program Files\Common Files\GeoVid
2008-07-03 13:02 . 2004-08-18 16:00 1,712,128 --a------ C:\Windows\System32\gdiplus.dll
2008-07-03 13:02 . 2003-03-19 09:12 1,047,552 --a------ C:\Windows\System32\mfc71u.dll
2008-07-03 13:02 . 2007-06-28 19:52 765,952 --a------ C:\Windows\System32\xvidcore.dll
2008-07-03 13:02 . 2007-06-28 19:54 180,224 --a------ C:\Windows\System32\xvidvfw.dll
2008-07-03 13:02 . 2003-03-19 07:05 89,088 --a------ C:\Windows\System32\atl71.dll
2008-07-03 13:02 . 2005-06-07 16:11 60,416 --a------ C:\Windows\System32\dsetup.dll
2008-07-03 13:00 . 2008-07-03 13:00 <DIR> d-------- C:\Program Files\GeoVid
2008-07-02 22:20 . 2008-07-26 20:23 69 --a------ C:\Windows\NeroDigital.ini
2008-07-02 22:18 . 2008-07-02 22:18 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-29 18:13 . 2008-06-29 18:13 140,288 --a------ C:\Windows\System32\COMDLG32.OCX
2008-06-29 18:05 . 2008-06-29 18:05 <DIR> d-------- C:\Program Files\zSuite
2008-06-29 13:20 . 2008-06-29 13:20 <DIR> d-------- C:\Program Files\ThatLook
2008-06-29 13:20 . 1996-07-18 13:06 297,472 --a------ C:\Windows\uninst.exe
2008-06-29 13:20 . 2000-07-19 14:42 126 --a------ C:\Windows\TL_Image.ini
2008-06-29 12:58 . 2008-06-29 13:12 <DIR> d-------- C:\Program Files\VPSS
2008-06-28 11:24 . 2008-06-30 20:26 <DIR> d-------- C:\Users\Administrator\AppData\Roaming\gtk-2.0
2008-06-28 11:24 . 2008-06-28 11:24 <DIR> d-------- C:\Users\Administrator\.thumbnails
2008-06-28 11:21 . 2008-06-30 21:20 <DIR> d-------- C:\Users\Administrator\.gimp-2.4
2008-06-28 11:20 . 2008-06-28 11:21 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-06-28 01:32 . 2008-06-28 01:32 <DIR> d-------- C:\Users\All Users\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 14:46 --------- d-----w C:\Users\Administrator\AppData\Roaming\uTorrent
2008-07-28 14:38 --------- d-----w C:\ProgramData\FLEXnet
2008-07-28 13:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-28 01:40 --------- d-----w C:\ProgramData\Rosetta Stone
2008-07-27 00:25 --------- d-----w C:\ProgramData\ESET
2008-07-27 00:25 --------- d-----w C:\Program Files\ESET
2008-07-26 19:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-24 21:10 --------- d-----w C:\Program Files\Google
2008-07-12 12:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-12 12:04 --------- d-----w C:\Program Files\Palm
2008-07-12 12:03 --------- d-----w C:\Users\Administrator\AppData\Roaming\Flock
2008-07-11 23:21 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-10 07:12 --------- d-----w C:\Program Files\Windows Mail
2008-07-09 02:07 --------- d-----w C:\Program Files\Picasa2
2008-07-01 01:58 140 ----a-w C:\Users\Administrator\.hemsFavorites.dat
2008-06-28 01:22 --------- d-----w C:\Program Files\Rosetta Stone
2008-06-28 01:13 --------- d-----w C:\Program Files\Nero
2008-06-28 01:06 --------- d-----w C:\Users\Administrator\AppData\Roaming\Nero
2008-06-28 01:03 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-28 01:01 --------- d-----w C:\ProgramData\Nero
2008-06-26 15:01 --------- d-----w C:\ProgramData\ALM
2008-06-26 13:57 --------- d-----w C:\Program Files\Bonjour
2008-06-26 13:44 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-26 03:34 662 ---ha-w C:\os049389.bin
2008-06-26 00:50 --------- d-----w C:\Program Files\Common Files\Vbox
2008-06-26 00:04 --------- d-----w C:\Program Files\%temp&
2008-06-25 23:54 --------- d-----w C:\Users\Administrator\AppData\Roaming\ESET
2008-06-25 22:05 130,208 ------r C:\Windows\bwUnin-8.1.1.87-8876480SL.exe
2008-06-24 04:28 127,034 ------r C:\Windows\bwUnin-8.1.1.50-8876480SL.exe
2008-06-24 04:28 --------- d-----w C:\Program Files\Logitech
2008-06-24 04:25 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-06-24 04:25 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-24 04:23 --------- d-----w C:\ProgramData\Logitech
2008-06-24 04:23 --------- d-----w C:\ProgramData\LogiShrd
2008-06-24 04:23 --------- d-----w C:\Program Files\QuickCam
2008-06-23 23:42 --------- d-----w C:\Users\Administrator\AppData\Roaming\Notepad++
2008-06-23 22:10 --------- d-----w C:\Program Files\Notepad++
2008-06-23 20:59 --------- d-----w C:\Program Files\Java
2008-06-23 20:55 --------- d-----w C:\Program Files\Common Files\Java
2008-06-23 20:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\GetRightToGo
2008-06-23 17:58 --------- d-----w C:\Program Files\1Time
2008-06-23 00:42 --------- d-----w C:\Users\Administrator\AppData\Roaming\MessengerGadget
2008-06-22 23:50 --------- d-----w C:\Program Files\1Click DVD Copy Pro
2008-06-22 23:34 --------- d-----w C:\ProgramData\vsosdk
2008-06-22 23:07 --------- d-----w C:\Users\Administrator\AppData\Roaming\Vso
2008-06-22 23:06 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-06-22 23:06 47,360 ----a-w C:\Users\Administrator\AppData\Roaming\pcouffin.sys
2008-06-22 05:10 --------- d-----w C:\Program Files\Real Alternative
2008-06-22 04:34 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-06-21 22:47 --------- d-----w C:\Users\Administrator\AppData\Roaming\muvee Technologies
2008-06-21 15:01 --------- d-----w C:\Program Files\Cucusoft
2008-06-21 14:27 --------- d-----w C:\Program Files\QuickTime
2008-06-21 14:25 --------- d-----w C:\ProgramData\Apple Computer
2008-06-21 14:24 --------- d-----w C:\ProgramData\Apple
2008-06-21 14:24 --------- d-----w C:\Program Files\Apple Software Update
2008-06-21 14:21 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-06-21 14:20 --------- d-----w C:\Program Files\muvee Technologies
2008-06-21 14:19 --------- d-----w C:\ProgramData\muvee Technologies
2008-06-20 13:33 0 ---ha-w C:\Windows\system32\drivers\Msft_User_ZuneDriver_01_00_00.Wdf
2008-06-19 07:01 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-19 06:30 --------- d-----w C:\Program Files\Palm Inc
2008-06-19 06:24 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-06-19 06:07 --------- d-----w C:\Users\Administrator\AppData\Roaming\Arcsoft
2008-06-19 06:06 --------- d-----w C:\Users\Administrator\AppData\Roaming\HotSync
2008-06-19 06:06 --------- d-----w C:\ProgramData\HotSync
2008-06-19 05:47 --------- d-----w C:\ProgramData\Messenger Plus!
2008-06-19 05:45 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-19 03:07 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-19 02:15 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-19 02:15 --------- d-----w C:\Program Files\Windows Live
2008-06-19 02:02 --------- d-----w C:\ProgramData\WLInstaller
2008-06-17 01:40 --------- d-----w C:\Program Files\Microsoft Games
2008-06-17 01:15 --------- d-----w C:\Program Files\CONEXANT
2008-06-17 00:38 --------- d-----w C:\Program Files\Hawking
2008-06-16 22:47 --------- d-----w C:\Users\Administrator\AppData\Roaming\InstallShield
2008-06-16 22:47 --------- d-----w C:\Program Files\Evernote
2008-06-16 22:24 --------- d-----w C:\Program Files\Zune
2008-06-16 22:21 --------- d-----w C:\Program Files\uTorrent
2008-06-16 22:03 --------- d-----w C:\Users\Administrator\AppData\Roaming\Intel
2008-06-16 22:03 --------- d-----w C:\ProgramData\Roaming
2008-06-16 22:02 --------- d-----w C:\ProgramData\Intel
2008-06-16 22:02 --------- d-----w C:\Program Files\PROnetworks
2008-06-16 22:01 --------- d-----w C:\Program Files\Intel
2008-06-16 21:33 --------- d-----w C:\Users\Administrator\AppData\Roaming\Launchy
2008-06-16 21:33 --------- d-----w C:\Program Files\Launchy
2008-06-16 21:32 --------- d-----w C:\Program Files\RocketDock
2008-06-16 21:09 --------- d-----w C:\Program Files\MSBuild
2008-06-16 21:05 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-16 21:05 --------- d-----w C:\Program Files\Microsoft Works
2008-06-16 19:05 --------- d-----w C:\Program Files\7-Zip
2008-06-16 19:04 --------- d-----w C:\ProgramData\Stardock
2008-06-16 19:04 --------- d-----w C:\Program Files\Stardock
2008-06-16 18:58 174 --sha-w C:\Program Files\desktop.ini
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
.

((((((((((((((((((((((((((((( [email protected]_ 8.44.21.80 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-28 15:26:55 6,365,184 ----a-w C:\Windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2008-07-26 20:41:47 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-07-28 14:29:16 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-07-26 20:41:47 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-07-28 14:29:16 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-07-26 20:41:47 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-07-28 14:29:15 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-07-28 14:29:06 295,606 ----a-r C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe
+ 2008-07-28 14:29:08 295,606 ----a-r C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-07-28 14:29:07 295,606 ----a-r C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-07-28 14:29:07 25,214 ----a-r C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Distiller.exe
+ 2008-07-28 14:29:07 7,278 ----a-r C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-07-28 14:29:06 23,558 ----a-r C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2007-12-12 19:06:42 295,606 ----a-r C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-07-28 12:36:35 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-28 15:34:10 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-28 15:34:10 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1
- 2008-07-28 12:36:35 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-28 15:34:10 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-28 15:34:10 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1
+ 2006-09-29 10:56:38 28,248 ----a-r C:\Windows\System32\AdobePDF.dll
- 2008-07-28 12:36:28 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-28 15:34:01 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-28 12:36:28 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-28 15:34:01 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-28 12:36:28 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-28 15:34:01 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-09-29 10:55:52 24,456 ------w C:\Windows\System32\DriverStore\FileRepository\adobepdf.inf_97e81172\I386\ADREGP.DLL
+ 2006-09-29 10:56:06 190,072 ------w C:\Windows\System32\DriverStore\FileRepository\adobepdf.inf_97e81172\I386\ADUIGP.DLL
- 2008-06-28 19:03:29 1,631,760 ----a-w C:\Windows\System32\FNTCACHE.DAT
+ 2008-07-28 15:34:11 1,631,816 ----a-w C:\Windows\System32\FNTCACHE.DAT
+ 2004-02-20 20:15:42 40,960 ----a-r C:\Windows\System32\MFC71CHS.DLL
+ 2004-02-20 20:15:42 45,056 ----a-r C:\Windows\System32\MFC71CHT.DLL
+ 2004-02-20 20:15:42 65,536 ----a-r C:\Windows\System32\MFC71DEU.DLL
+ 2003-10-17 16:44:08 57,344 ----a-r C:\Windows\System32\MFC71ENU.DLL
+ 2004-02-20 20:15:42 61,440 ----a-r C:\Windows\System32\MFC71ESP.DLL
+ 2004-02-20 20:15:42 61,440 ----a-r C:\Windows\System32\MFC71FRA.DLL
+ 2004-02-20 20:15:42 61,440 ----a-r C:\Windows\System32\MFC71ITA.DLL
+ 2004-02-20 20:15:42 49,152 ----a-r C:\Windows\System32\MFC71JPN.DLL
+ 2004-02-20 20:15:42 49,152 ----a-r C:\Windows\System32\MFC71KOR.DLL
- 2008-07-28 12:14:58 102,194 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-28 13:12:14 102,194 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-28 12:14:58 598,588 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-28 13:12:15 598,588 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-11 23:49:17 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-07-28 15:32:31 6,553,600 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-09-29 10:55:52 24,456 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\ADREGP.DLL
+ 2006-09-29 10:56:06 190,072 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\ADUIGP.DLL
+ 2008-04-04 09:39:35 731,648 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\PS5UI.DLL
+ 2008-04-04 09:39:36 543,744 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\PSCRIPT5.DLL
+ 2006-10-23 03:37:38 24,456 ----a-w C:\Windows\System32\spool\drivers\w32x86\ADReGP.dll
+ 2006-10-23 03:37:52 190,072 ----a-w C:\Windows\System32\spool\drivers\w32x86\ADUIGP.DLL
+ 2003-05-05 20:47:20 129,024 ----a-w C:\Windows\System32\spool\drivers\w32x86\PS5UI.DLL
+ 2003-05-05 20:47:20 455,168 ----a-w C:\Windows\System32\spool\drivers\w32x86\PSCRIPT5.DLL
- 2008-07-28 12:26:43 6,934 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-492835491-2563465948-1679816886-500_UserData.bin
+ 2008-07-28 13:07:07 7,394 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-492835491-2563465948-1679816886-500_UserData.bin
- 2008-07-28 12:26:43 50,006 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-28 13:07:07 50,410 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-28 12:27:09 6,340 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-07-28 12:54:21 6,442 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-07-28 12:26:38 35,830 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-28 12:57:49 36,262 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-07-11 23:23:45 34,683,214 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-07-28 14:29:58 34,687,099 ----a-w C:\Windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-07-28 14:29:39 1,093,632 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a\mfc80.dll
+ 2008-07-28 14:29:39 1,080,320 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a\mfc80u.dll
+ 2008-07-28 14:29:38 69,632 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a\mfcm80.dll
+ 2008-07-28 14:29:39 57,856 ----a-w C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a\mfcm80u.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 16:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-07-28 10:29:06 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{73526E5A-FD53-4BE7-B5E2-D3C89D7413DC}"= "C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll" [2008-04-05 06:04 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-492835491-2563465948-1679816886-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A0F5032C-562E-4294-88F4-23F3551F3821}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{DD0B86FB-66AF-43B7-A884-CF1EB496B133}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{51EC491B-CE04-4F8A-8A0B-1C40AD06FB7D}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{71D074E8-D0C2-41B2-B9C0-F5EB2CC1C14A}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B658EE7-0523-45EA-9D28-915E3369399B}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0641A39D-23C9-412E-B46D-3C66F3CD3EF0}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{0F01261E-C68F-4DEE-8594-A0DF45C9256A}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{2D5149EF-A948-431F-93F8-CA5AC3CA2D0B}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{BB9E8F01-821C-4D58-8841-843F8BF7AAAC}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{3F8DCEF5-D661-475D-92B6-43DA4AD71EEF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C3A210CE-0C7B-41DE-AA2B-3BAE0F87FCD8}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{1DA3B0D0-8DC8-40AA-A077-CFB5FB88860C}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{50C81BF6-A385-49A2-BA0B-398FED93468F}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{B01104F4-0737-4CD7-9162-40B15939262F}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{92DEBC75-C669-49E6-A1D5-39AB667A73A3}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{169EBD80-FA5B-42C9-AE37-2924F8E00438}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{25E240E7-C831-4AF5-B78F-36C59F3980D6}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{18AA2D5D-4F75-4C1F-BB17-87059D1FEEBC}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3EF9A686-2521-446A-8ADC-7FCE1E3FC131}"= inRosettaStoneLtdServices.exe:Rosetta Stone Online Component (inbound)
"{1BC7ABBC-4A34-497B-8584-2C2A7C5F274D}"= RosettaStoneVersion3.exe:Rosetta Stone V3 Application (inbound)
"{5B23BFAB-E7CA-4FB3-9A79-9F3D6F4AB95C}"= UDP:C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh
"{69AD61A0-D3D6-46F7-9B9E-F12DB51CB888}"= TCP:C:\Users\Administrator\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {7A113B22-EF58-4F8A-A63E-FB8639E5E7FC},{A9AE043F-3ED2-48E9-92C9-DCC9846E28A0}

R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 09:42]
R2 wlcrasvc;Live Mesh Remote Desktop;C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-07-25 19:02]
R3 HSFHWATI;HSFHWATI;C:\Windows\system32\DRIVERS\HSFHWATI.sys [2005-01-25 16:26]
R3 RDPDISPM;RDPDISPM;C:\Windows\system32\DRIVERS\rdpdispm.sys [2008-07-25 19:02]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]
S2 gupdate1c8d8e04ad8f56d;Google Update Service (gupdate1c8d8e04ad8f56d);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-25 17:09]
S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrusb.sys [2006-12-22 23:05]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\Windows\system32\ZuneWlanCfgSvc.exe [2008-04-29 22:56]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-04-04 05:39]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-04-04 05:41]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MSSMSGS - winfsy32.rom


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 11:34:27
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\System32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2008-07-28 11:41:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 15:41:04
ComboFix2.txt 2008-07-28 13:12:37
ComboFix3.txt 2008-07-28 12:45:37

Pre-Run: 833,495,040 bytes free
Post-Run: 586,903,552 bytes free

388 --- E O F --- 2008-07-24 21:19:17

#14 tom.a.gill (Topic Starter, Member, 15 posts)
New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:14 AM, on 7/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} (WLCTSCControl Class) - https://www.mesh.com...103.3/TSWeb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\deskscapes.dll
O22 - SharedTaskScheduler: StardockDreamController - {EC654325-1273-C2A9-2B7C-45D29BCE68FF} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DreamControl.dll
O22 - SharedTaskScheduler: Stardock Vista ControlPanel Extension - {EC654325-1273-C2A9-2B7C-45D29BCE68FD} - C:\PROGRA~1\Stardock\OBJECT~1\DESKSC~1\DesktopControlPanel.dll
O22 - SharedTaskScheduler: Ave's FolderBg - {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - C:\Windows\System32\Branding\folderbg\VistaFolderBackground.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8d8e04ad8f56d) (gupdate1c8d8e04ad8f56d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 9471 bytes

#15 fenzodahl512 (Malware Removal, 9,863 posts)
Looks good...


Please delete this file manually: C:\4223.bat


------------------------


Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Program Files\Google\Update\GoogleUpdate.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.


------------------------


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Please post the following logs in your next reply...

1. VirScan.org result
2. Malwarebytes'
3. A fresh DSS log (after Malwarebytes' step)


Regards
fenzodahl512