Virtumonde Variants & Darksma Downloader [Closed] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works
  • 4 Pages +
  • 1
  • 2
  • 3
  • Last »

Virtumonde Variants & Darksma Downloader [Closed] Removed Most of Virtumonde Trojan Variants, Darksma, Smitfraud

#1 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 17 December 2008 - 06:11 PM

My computer was recently infected :) (2 days ago) :) with 2 variants of Virtumonde, Virtumonde.generic, Virtumonde, Smitfraud, Darksma downloader & a list of others; after running Adaware 2008, McAfee, Intelinet, CA Antispy, Spybot Search & Destroy & VundoFix.exe (which by the way completely missed the Vundo.H & Vundo Trojans. :beer:

I then downloaded AVG Free, Malwarebytes Anti-Malware & Rogue Remover FREE: These 3 programs pretty much took care of the Virtumonde Trojan & Darksma but Spybot SD is still picking up 2-3 traces of the Virtumonde that none of the other programs for whatever reason are picking up.

It was surprising to see that all the programs pretty much recognized & "removed" the Virtumonde Trojans temporarily; but all missed the Smitfraud & Darksma. Smitfraud was picked up & taken care of by AVG Free & Darksma was picked up by CA Antispy that came with my AT&T Uverse & Yahoo service, this also "temporarilly" removed it. :no: AVG Free & Malwarebytes pretty much cleaned up everything else.

Thanks to you guys my issues have been mostly resolved but I still need help. I think my computer is still infected when I bring up Mozilla it brings up Yahoo but when I click on either Yahoo email or visit Google, Gmail it takes me to the following link: http://www.att.net/s/s.dll?spage=search/er...l=en&tab=wm

The following is the result of the Hijackthis log, can someone please explain what I'm reading here & tell me what other steps to take.

This 1st part was my initial results after running Virtumundobegone a few times but before I ran AVG Free, Malwarebytes Anti-Malware & Rogue Remover FREE.


[12/17/2008, 1:16:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Carlos\Desktop\VirtumundoBeGone(2).exe" )
[12/17/2008, 2:02:34] - Detected System Information:
[12/17/2008, 2:02:34] - Windows Version: 5.1.2600, Service Pack 3
[12/17/2008, 2:02:34] - Current Username: Carlos (Admin)
[12/17/2008, 2:02:34] - Windows is in NORMAL mode.
[12/17/2008, 2:02:34] - Searching for Browser Helper Objects:
[12/17/2008, 2:02:34] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[12/17/2008, 2:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:34] - No filename found. Continuing.
[12/17/2008, 2:02:34] - BHO 2: {2bfa5287-38ac-45b3-aa59-c8a554615ba7} ()
[12/17/2008, 2:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:34] - Checking for HKLM\...\Winlogon\Notify\criqvv
[12/17/2008, 2:02:34] - Key not found: HKLM\...\Winlogon\Notify\criqvv, continuing.
[12/17/2008, 2:02:34] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/17/2008, 2:02:34] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[12/17/2008, 2:02:34] - BHO 5: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[12/17/2008, 2:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:34] - Checking for HKLM\...\Winlogon\Notify\xxyxyXRI
[12/17/2008, 2:02:34] - Found: HKLM\...\Winlogon\Notify\xxyxyXRI - This is probably Virtumundo.
[12/17/2008, 2:02:34] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[12/17/2008, 2:02:34] - BHO list has been changed! Starting over...
[12/17/2008, 2:02:34] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[12/17/2008, 2:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:34] - No filename found. Continuing.
[12/17/2008, 2:02:34] - BHO 2: {2bfa5287-38ac-45b3-aa59-c8a554615ba7} ()
[12/17/2008, 2:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:34] - Checking for HKLM\...\Winlogon\Notify\criqvv
[12/17/2008, 2:02:34] - Key not found: HKLM\...\Winlogon\Notify\criqvv, continuing.
[12/17/2008, 2:02:34] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/17/2008, 2:02:34] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[12/17/2008, 2:02:34] - BHO 5: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[12/17/2008, 2:02:34] - ALERT: Found MSEvents Object!
[12/17/2008, 2:02:34] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/17/2008, 2:02:34] - BHO 7: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[12/17/2008, 2:02:34] - BHO 8: {BB21F9F6-F56F-4D45-ACBF-6662FC8C0205} ()
[12/17/2008, 2:02:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:34] - Checking for HKLM\...\Winlogon\Notify\khfDvuts
[12/17/2008, 2:02:34] - Key not found: HKLM\...\Winlogon\Notify\khfDvuts, continuing.
[12/17/2008, 2:02:34] - BHO 9: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java™ Plug-In 2 SSV Helper)
[12/17/2008, 2:02:34] - Finished Searching Browser Helper Objects
[12/17/2008, 2:02:34] - *** Detected MSEvents Object
[12/17/2008, 2:02:34] - Trying to remove MSEvents Object...
[12/17/2008, 2:02:35] - Terminating Process: IEXPLORE.EXE
[12/17/2008, 2:02:35] - Terminating Process: RUNDLL32.EXE
[12/17/2008, 2:02:35] - Disabling Automatic Shell Restart
[12/17/2008, 2:02:35] - Terminating Process: EXPLORER.EXE
[12/17/2008, 2:02:35] - Suspending the NT Session Manager System Service
[12/17/2008, 2:02:35] - Terminating Windows NT Logon/Logoff Manager
[12/17/2008, 2:02:35] - Re-enabling Automatic Shell Restart
[12/17/2008, 2:02:35] - File to disable: C:\WINDOWS\system32\xxyxyXRI.dll
[12/17/2008, 2:02:35] - Renaming C:\WINDOWS\system32\xxyxyXRI.dll -> C:\WINDOWS\system32\xxyxyXRI.dll.vir
[12/17/2008, 2:02:35] - ! File rename was unsucessful.
[12/17/2008, 2:02:35] - Attempting to Deny Access to C:\WINDOWS\system32\xxyxyXRI.dll
[12/17/2008, 2:02:36] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[12/17/2008, 2:02:36] - processed file: C:\WINDOWS\system32\xxyxyXRI.dll

[12/17/2008, 2:02:36] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[12/17/2008, 2:02:36] - Removing HKLM\...\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/17/2008, 2:02:36] - Removing HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/17/2008, 2:02:36] - Adding Kill Bit for ActiveX for GUID: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/17/2008, 2:02:37] - Deleting ATLEvents/MSEvents Registry entries
[12/17/2008, 2:02:37] - Removing HKLM\...\Winlogon\Notify\xxyxyXRI
[12/17/2008, 2:02:37] - Searching for Browser Helper Objects:
[12/17/2008, 2:02:37] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[12/17/2008, 2:02:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:37] - No filename found. Continuing.
[12/17/2008, 2:02:37] - BHO 2: {2bfa5287-38ac-45b3-aa59-c8a554615ba7} ()
[12/17/2008, 2:02:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:37] - Checking for HKLM\...\Winlogon\Notify\criqvv
[12/17/2008, 2:02:37] - Key not found: HKLM\...\Winlogon\Notify\criqvv, continuing.
[12/17/2008, 2:02:37] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/17/2008, 2:02:37] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[12/17/2008, 2:02:37] - BHO 5: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[12/17/2008, 2:02:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:37] - Checking for HKLM\...\Winlogon\Notify\xxyxyXRI
[12/17/2008, 2:02:37] - Key not found: HKLM\...\Winlogon\Notify\xxyxyXRI, continuing.
[12/17/2008, 2:02:37] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/17/2008, 2:02:37] - BHO 7: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[12/17/2008, 2:02:37] - BHO 8: {BB21F9F6-F56F-4D45-ACBF-6662FC8C0205} ()
[12/17/2008, 2:02:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:02:37] - Checking for HKLM\...\Winlogon\Notify\khfDvuts
[12/17/2008, 2:02:37] - Key not found: HKLM\...\Winlogon\Notify\khfDvuts, continuing.
[12/17/2008, 2:02:37] - BHO 9: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java™ Plug-In 2 SSV Helper)
[12/17/2008, 2:02:37] - Finished Searching Browser Helper Objects
[12/17/2008, 2:02:37] - Finishing up...
[12/17/2008, 2:02:37] - A restart is needed.
[12/17/2008, 2:02:37] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[12/17/2008, 2:02:56] - Attempting to Restart via STOP error (Blue Screen!)

[12/17/2008, 2:18:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Carlos\Desktop\VirtumundoBeGone(2).exe" )
[12/17/2008, 2:19:11] - Detected System Information:
[12/17/2008, 2:19:11] - Windows Version: 5.1.2600, Service Pack 3
[12/17/2008, 2:19:11] - Current Username: Carlos (Admin)
[12/17/2008, 2:19:11] - Windows is in NORMAL mode.
[12/17/2008, 2:19:11] - Searching for Browser Helper Objects:
[12/17/2008, 2:19:11] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[12/17/2008, 2:19:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:11] - No filename found. Continuing.
[12/17/2008, 2:19:11] - BHO 2: {2bfa5287-38ac-45b3-aa59-c8a554615ba7} ()
[12/17/2008, 2:19:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:11] - Checking for HKLM\...\Winlogon\Notify\criqvv
[12/17/2008, 2:19:11] - Key not found: HKLM\...\Winlogon\Notify\criqvv, continuing.
[12/17/2008, 2:19:11] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/17/2008, 2:19:11] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[12/17/2008, 2:19:11] - BHO 5: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[12/17/2008, 2:19:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:11] - Checking for HKLM\...\Winlogon\Notify\xxyxyXRI
[12/17/2008, 2:19:11] - Found: HKLM\...\Winlogon\Notify\xxyxyXRI - This is probably Virtumundo.
[12/17/2008, 2:19:11] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[12/17/2008, 2:19:11] - BHO list has been changed! Starting over...
[12/17/2008, 2:19:11] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[12/17/2008, 2:19:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:11] - No filename found. Continuing.
[12/17/2008, 2:19:11] - BHO 2: {2bfa5287-38ac-45b3-aa59-c8a554615ba7} ()
[12/17/2008, 2:19:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:11] - Checking for HKLM\...\Winlogon\Notify\criqvv
[12/17/2008, 2:19:11] - Key not found: HKLM\...\Winlogon\Notify\criqvv, continuing.
[12/17/2008, 2:19:11] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/17/2008, 2:19:11] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[12/17/2008, 2:19:11] - BHO 5: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[12/17/2008, 2:19:11] - ALERT: Found MSEvents Object!
[12/17/2008, 2:19:11] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/17/2008, 2:19:11] - BHO 7: {ADDA45A2-9069-4D38-8A34-EA0252F31972} ()
[12/17/2008, 2:19:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:11] - Checking for HKLM\...\Winlogon\Notify\khfDvuts
[12/17/2008, 2:19:11] - Key not found: HKLM\...\Winlogon\Notify\khfDvuts, continuing.
[12/17/2008, 2:19:11] - BHO 8: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[12/17/2008, 2:19:11] - BHO 9: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java™ Plug-In 2 SSV Helper)
[12/17/2008, 2:19:11] - Finished Searching Browser Helper Objects
[12/17/2008, 2:19:11] - *** Detected MSEvents Object
[12/17/2008, 2:19:11] - Trying to remove MSEvents Object...
[12/17/2008, 2:19:12] - Terminating Process: IEXPLORE.EXE
[12/17/2008, 2:19:13] - Terminating Process: RUNDLL32.EXE
[12/17/2008, 2:19:13] - Disabling Automatic Shell Restart
[12/17/2008, 2:19:13] - Terminating Process: EXPLORER.EXE
[12/17/2008, 2:19:13] - Suspending the NT Session Manager System Service
[12/17/2008, 2:19:13] - Terminating Windows NT Logon/Logoff Manager
[12/17/2008, 2:19:13] - Re-enabling Automatic Shell Restart
[12/17/2008, 2:19:13] - File to disable: C:\WINDOWS\system32\xxyxyXRI.dll
[12/17/2008, 2:19:13] - Renaming C:\WINDOWS\system32\xxyxyXRI.dll -> C:\WINDOWS\system32\xxyxyXRI.dll.vir
[12/17/2008, 2:19:13] - ! File rename was unsucessful.
[12/17/2008, 2:19:13] - Attempting to Deny Access to C:\WINDOWS\system32\xxyxyXRI.dll
[12/17/2008, 2:19:13] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[12/17/2008, 2:19:14] - processed file: C:\WINDOWS\system32\xxyxyXRI.dll

[12/17/2008, 2:19:14] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[12/17/2008, 2:19:14] - Removing HKLM\...\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/17/2008, 2:19:14] - Removing HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/17/2008, 2:19:14] - Adding Kill Bit for ActiveX for GUID: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/17/2008, 2:19:14] - Deleting ATLEvents/MSEvents Registry entries
[12/17/2008, 2:19:14] - Removing HKLM\...\Winlogon\Notify\xxyxyXRI
[12/17/2008, 2:19:14] - Searching for Browser Helper Objects:
[12/17/2008, 2:19:14] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[12/17/2008, 2:19:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:14] - No filename found. Continuing.
[12/17/2008, 2:19:14] - BHO 2: {2bfa5287-38ac-45b3-aa59-c8a554615ba7} ()
[12/17/2008, 2:19:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:14] - Checking for HKLM\...\Winlogon\Notify\criqvv
[12/17/2008, 2:19:14] - Key not found: HKLM\...\Winlogon\Notify\criqvv, continuing.
[12/17/2008, 2:19:14] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/17/2008, 2:19:14] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[12/17/2008, 2:19:14] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/17/2008, 2:19:14] - BHO 6: {ADDA45A2-9069-4D38-8A34-EA0252F31972} ()
[12/17/2008, 2:19:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2008, 2:19:14] - Checking for HKLM\...\Winlogon\Notify\khfDvuts
[12/17/2008, 2:19:14] - Key not found: HKLM\...\Winlogon\Notify\khfDvuts, continuing.
[12/17/2008, 2:19:14] - BHO 7: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[12/17/2008, 2:19:14] - BHO 8: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java™ Plug-In 2 SSV Helper)
[12/17/2008, 2:19:14] - Finished Searching Browser Helper Objects
[12/17/2008, 2:19:14] - Finishing up...
[12/17/2008, 2:19:14] - A restart is needed.
[12/17/2008, 2:19:14] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[12/17/2008, 2:19:23] - Attempting to Restart via STOP error (Blue Screen!)

:) Here is my Hijackthis log startup:

StartupList report, 12/17/2008, 5:00:17 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16762)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\QuickTime\qttask.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

dla = C:\WINDOWS\system32\dla\tfswctrl.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
MaxtorOneTouch = C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
mxomssmenu = "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
InCD = C:\Program Files\Nero\Nero 7\InCD\InCD.exe
Acrobat Assistant 8.0 = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
Adobe_ID0EYTHM = C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
mcagent_exe = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
McENUI = C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Disk Monitor = C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

(Default) = C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000049.000000d2

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=jrugpg.dll,avgrsstx.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {82fd5216-c710-43a9-b8c3-a9e56fd22e13}
(no name) - C:\WINDOWS\system32\khfDvuts.dll (file missing) - {901CE412-BB4C-45F1-A9B7-5EFD60184BF1}
(no name) - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - {B164E929-A1B6-4A06-B104-2CD0E90A88FF}
(no name) - (no file) - {BB21F9F6-F56F-4D45-ACBF-6662FC8C0205}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ejxygare.job
McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://download.microsoft.com/download/e/4.../OGAControl.cab

[Shockwave ActiveX Control]
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....k/?LinkID=39204

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1169404667234

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\FlDbg9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\WPRO_40_1340woem.tmp||C:\WINDOWS\system32\WPRO_40_1340woem_nm.tmp||C:\DOCUME~1\Carlos\LOCALS~1\Temp\~nsu.tmp\Au_.exe||C:\DOCUME~1\Carlos\LOCALS~1\Temp\~nsu.tmp||C:\Config.Msi\8f8a70.rbf||C:\Config.Msi\8f8a78.rbf||C:\Config.Msi\8f8a7a.rbf||C:\WINDOWS\system32\SET7F.tmp => C:\WINDOWS\system32\mshtml.dll||~

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 11,584 bytes
Report generated in 0.266 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



:) Here is the Hijackthis log after running every program known to mankind. :no:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:05 PM, on 12/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\QuickTime\qttask.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {82fd5216-c710-43a9-b8c3-a9e56fd22e13} - (no file)
O2 - BHO: (no name) - {901CE412-BB4C-45F1-A9B7-5EFD60184BF1} - C:\WINDOWS\system32\khfDvuts.dll (file missing)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {BB21F9F6-F56F-4D45-ACBF-6662FC8C0205} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000049.000000d2
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169404667234
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: jrugpg.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Inpqmc - Nero AG - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 15051 bytes


Thank you guys in advance & I look forward to your response. :) :yes:

#2 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 17 December 2008 - 08:27 PM

Hey Rampag3,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.
Sorry to hear that your computer is infected. Lets see if we can get rid of this infection.



Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 17 December 2008 - 09:45 PM

Thank you SpySentinel for your quick response. I look forward to any further instructions. :) :)

Rampag3

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Here are the Combofix log results:

ComboFix 08-12-17.01 - Carlos 2008-12-17 20:57:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.431 [GMT -6:00]
Running from: c:\documents and settings\Carlos\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cpfacmnf.ini
c:\windows\system32\ebskrfmc.ini
c:\windows\system32\pgsaljcq.ini
c:\windows\system32\wswuvnfa.ini
c:\windows\Tasks\ejxygare.job
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-17 19:32 . 2008-12-17 19:32 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-17 17:16 . 2008-12-17 17:17 <DIR> d-------- c:\program files\ERUNT
2008-12-17 16:27 . 2008-12-17 16:27 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 16:20 . 2008-12-17 16:20 <DIR> d-------- c:\program files\Photosynth
2008-12-17 14:42 . 2008-12-17 14:44 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-17 05:25 . 2008-12-17 12:03 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-17 05:04 . 2008-12-17 05:12 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-17 05:04 . 2008-12-17 05:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-17 05:04 . 2008-12-17 05:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-17 02:52 . 2008-12-17 02:52 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Malwarebytes
2008-12-17 02:51 . 2008-12-17 02:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 02:51 . 2008-12-17 02:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 02:51 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-17 02:51 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-17 02:19 . 2008-12-17 02:19 0 --a------ c:\windows\system32\xxyxyXRI.dll.vir
2008-12-17 01:53 . 2008-11-28 10:56 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-16 20:32 . 2008-12-16 20:32 <DIR> d-------- c:\documents and settings\Carlos\Application Data\McAfee
2008-12-15 23:03 . 2008-12-15 23:03 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 23:03 . 2008-12-15 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 04:40 . 2008-12-17 02:41 0 --a------ C:\proc.id
2008-12-08 04:40 . 2008-12-17 02:41 0 --a------ C:\asdasd.asdasd
2008-11-30 19:29 . 2008-11-30 19:29 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Logitech
2008-11-30 19:20 . 2008-11-30 19:20 130,208 -r------- c:\windows\bwUnin-8.1.1.87-8876480SL.exe
2008-11-30 19:16 . 2008-11-30 19:16 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-11-30 19:16 . 2008-11-30 19:16 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-11-30 19:15 . 2008-11-30 19:15 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-30 19:13 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-11-30 19:13 . 2008-05-02 02:39 170,512 --a------ c:\windows\system32\kemutb.dll
2008-11-30 19:13 . 2008-05-02 02:39 145,936 --a------ c:\windows\system32\KemUtil.dll
2008-11-30 19:13 . 2008-05-02 02:40 117,264 --a------ c:\windows\system32\KemWnd.dll
2008-11-30 19:13 . 2008-05-02 02:40 84,496 --a------ c:\windows\system32\KemXML.dll
2008-11-30 19:12 . 2008-11-30 19:20 <DIR> d-------- c:\program files\Logitech
2008-11-30 19:12 . 2008-11-30 19:22 <DIR> d-------- c:\program files\Common Files\Logishrd
2008-11-30 19:12 . 2008-11-30 19:12 <DIR> d-------- c:\documents and settings\Carlos\Application Data\InstallShield
2008-11-30 19:12 . 2008-11-30 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-11-30 19:11 . 2008-11-30 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2008-11-30 19:03 . 2008-04-13 12:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-11-30 19:03 . 2008-04-13 12:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-11-30 19:03 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-30 19:03 . 2008-04-13 18:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-11-30 19:03 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-30 19:03 . 2008-04-13 12:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-30 19:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-30 19:03 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-30 19:02 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-30 19:02 . 2008-04-13 12:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-28 15:39 . 2008-11-28 15:39 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-28 15:25 . 2008-11-28 15:25 <DIR> d-------- c:\documents and settings\Carlos\Application Data\com.raptr.Raptr.848BBC53270CAC248E8FA0F339176201CDEB525F.1
2008-11-28 15:23 . 2008-11-28 15:24 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Raptr
2008-11-28 14:49 . 2008-11-28 17:27 682,280 --a------ c:\windows\system32\pbsvc.exe
2008-11-28 10:57 . 2008-11-28 10:56 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-24 17:54 . 2008-12-17 21:10 11,767 --a------ c:\windows\system32\Config.MPF
2008-11-23 19:31 . 2008-11-23 19:31 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-23 17:58 . 2008-11-23 17:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-23 17:55 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-11-23 17:55 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-11-23 17:55 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-11-23 17:55 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-11-23 17:55 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-11-23 17:55 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-11-23 17:54 . 2008-11-23 17:54 <DIR> d-------- c:\program files\McAfee.com
2008-11-23 17:54 . 2008-11-23 17:58 <DIR> d-------- c:\program files\McAfee
2008-11-23 17:54 . 2008-11-23 17:55 <DIR> d-------- c:\program files\Common Files\McAfee
2008-11-23 17:48 . 2008-11-23 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-23 17:43 . 2008-12-14 05:22 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-23 17:29 . 2008-11-23 17:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 11:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-17 07:36 --------- d-----w c:\program files\Java
2008-12-16 06:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-16 05:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-14 19:06 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-14 19:05 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-11 19:37 --------- d-----w c:\program files\Common Files\Express Digital
2008-12-06 17:19 --------- d-----w c:\documents and settings\Carlos\Application Data\LimeWire
2008-12-01 01:20 --------- d-----w c:\program files\InstallShield Installation Information
2008-11-28 23:27 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-28 23:27 22,328 ----a-w c:\documents and settings\Carlos\Application Data\PnkBstrK.sys
2008-11-28 23:13 --------- d--h--w c:\program files\Activision
2008-11-24 23:51 --------- d-----w c:\program files\Yahoo!
2008-11-23 23:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-23 18:44 --------- d-----w c:\program files\ATT Internet Tools
2008-11-23 18:25 --------- d-----w c:\program files\Canon
2008-11-23 17:58 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-11-21 10:02 --------- d-----w c:\program files\ATTToolbar
2008-11-21 09:20 --------- d-----w c:\documents and settings\Carlos\Application Data\Lavasoft
2008-11-15 04:58 --------- d-----w c:\program files\DIFX
2008-11-15 04:57 --------- d-----w c:\program files\LeapFrog
2008-11-15 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Leapfrog
2008-10-29 13:30 --------- d-----w c:\documents and settings\Carlos\Application Data\SUPERAntiSpyware.com
2008-10-26 14:31 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-03-26 01:48 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-16 03:24 6,820,632 ---ha-w c:\program files\FirefoxGoogleToolbarSetup.exe
2008-11-21 09:19 94,208 ----a-w c:\program files\mozilla firefox\components\blsfflock.dll
2008-06-04 23:42 8 --sha-r c:\windows\system32\D48564AF07.sys
2008-08-26 16:37 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Mozilla Firefox\firefox.exe" [2008-12-17 307704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-07-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-30 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-30 805392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"NoVisualStyleChoice"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jrugpg.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Carlos^Start Menu^Programs^Startup^Delta Force-Black Hawk Down Team Sabre Registration.lnk]
backup=c:\windows\pss\Delta Force-Black Hawk Down Team Sabre Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Adobe GoLive CS\\GoLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\expansion\\jox01\\PACK.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Watch.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\Program Files\\McAfee\\MHN\\McENUI.exe"=
"c:\\Program Files\\CCleaner\\ccleaner.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3sp.exe"=
"c:\\Program Files\\ExpressDigital\\Darkroom WE\\Darkroom WE.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS\\Plug-Ins\\MysticalTTC.exe"=
"c:\\Program Files\\Auto FX Software\\PGE\\PGE.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\unins001.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\lsupdatemanager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-17 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-17 231704]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;"c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe" [2008-11-04 991232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-11-23 203280]
S3 Asmaundsiqsn;Asmaundsiqsn; []
S3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2007-06-19 18560]
S3 Inpqmc;Inpqmc; []
S3 Isapsrnbchp;Isapsrnbchp; []
S3 Vei78xoet;Vei78xoet;c:\windows\system32\drivers\crusoe.sys [2002-08-28 36736]
S3 Wuaptstppqsn;Wuaptstppqsn; []
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{82fd5216-c710-43a9-b8c3-a9e56fd22e13} - (no file)
BHO-{901CE412-BB4C-45F1-A9B7-5EFD60184BF1} - (no file)
BHO-{BB21F9F6-F56F-4D45-ACBF-6662FC8C0205} - (no file)
Notify-!SASWinLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\blsfflock.dll
FF - plugin: c:\documents and settings\Carlos\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 21:07:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Carlos\LOCALS~1\Temp\lucene-117dade710fc8c674504f25b5860cb50-commit.lock 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\program files\Photodex\ProShowGold\scsiaccess.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-17 21:16:48 - machine was rebooted [Carlos]
ComboFix-quarantined-files.txt 2008-12-18 03:16:36

Pre-Run: 20,589,916,160 bytes free
Post-Run: 20,562,243,584 bytes free

349 --- E O F --- 2008-12-17 19:48:41

#4 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 18 December 2008 - 03:07 PM

You're welcome :)


You are using peer-to-peer programs, specifically LimeWire.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.



  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:

    • c:\windows\system32\xxyxyXRI.dll.vir
    • C:\proc.id
    • C:\asdasd.asdasd


  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

#5 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 18 December 2008 - 11:03 PM

I will remove & thank you! After I got home from work this evening, I found that Malwarebytes & Ad-Aware both found additional Vondu Trojan infections. The Malwarebytes program found 7 & Adware found a trace of an MRU file. I removed the infections & attempted to submit those 3 files as instructed thing is I received upload errors for all 3 files. The errors basically stated that the files could not be found. Not sure what's going on, I may have removed them by running those programs prior to finding your current instructions & then attempting to upload files. blushing.gif

At any rate I've gone ahead & attached the Malwarebytes log as well as ran the Hijackthis & attached both the starter log & scan log again, I also included the Combofix log.


Thanks again! :)




:) Malwarebytes Log :)


Malwarebytes' Anti-Malware 1.31
Database version: 1512
Windows 5.1.2600 Service Pack 3

12/18/2008 9:17:03 PM
mbam-log-2008-12-18 (21-17-03).txt

Scan type: Full Scan (C:\|F:\|H:\|)
Objects scanned: 411423
Time elapsed: 20 hour(s), 31 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1133\A0365610.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1147\A0367598.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1147\A0367599.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1147\A0367600.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1148\A0367606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1148\A0367637.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1148\A0367646.dll (Trojan.Vundo) -> Quarantined and deleted successfully.






:) Starter log :)

StartupList report, 12/18/2008, 9:55:33 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16762)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Carlos\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

dla = C:\WINDOWS\system32\dla\tfswctrl.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
MaxtorOneTouch = C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
mxomssmenu = "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
InCD = C:\Program Files\Nero\Nero 7\InCD\InCD.exe
Acrobat Assistant 8.0 = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
Adobe_ID0EYTHM = C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
mcagent_exe = C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
McENUI = C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Disk Monitor = C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
AdobeUpdater = "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

(Default) = C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000049.000000d2

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=jrugpg.dll,avgrsstx.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll - {B164E929-A1B6-4A06-B104-2CD0E90A88FF}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://download.microsoft.com/download/e/4.../OGAControl.cab

[Shockwave ActiveX Control]
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....k/?LinkID=39204

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1169404667234

[Java Plug-in 1.6.0_10]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_10]
InProcServer32 = C:\Program Files\Java\jre6\bin\jp2iexp.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_10]
InProcServer32 = C:\Program Files\Java\jre6\bin\npjpi160_10.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\FlDbg9c.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Lavasoft Ad-Aware Service: "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe" (autostart)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Adobe Version Cue CS3: "C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (manual start)
AdobeVersionCue: C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe (manual start)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG8 WatchDog: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (autostart)
AVG AVI Loader Driver x86: \SystemRoot\System32\Drivers\avgldx86.sys (system)
AVG On-access Scanner Minifilter Driver x86: \SystemRoot\System32\Drivers\avgmfx86.sys (system)

basic2: System32\DRIVERS\HSF_BSC2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\ComboFix\catchme.sys (manual start)
Canon Camera Access Library 8: C:\Program Files\Canon\CAL\CALMAIN.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
Wired AutoConfig: %SystemRoot%\System32\svchost.exe -k dot3svc (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
IntelŪ PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Extensible Authentication Protocol Service: %SystemRoot%\System32\svchost.exe -k eapsvcs (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
FLEXnet Licensing Service: "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
FLY Fusion: system32\DRIVERS\FlyUsb.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
Health Key and Certificate Management Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: %systemroot%\system32\imapi.exe (manual start)
InCD File System: system32\drivers\InCDFs.sys (disabled)
InCDPass: system32\drivers\InCDPass.sys (system)
InCD Reader: system32\drivers\InCDRm.sys (system)
InCD Helper: C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (autostart)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (autostart)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Java Quick Starter: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech SetPoint Keyboard Driver: system32\DRIVERS\L8042Kbd.sys (manual start)
SetPoint PS/2 Mouse Filter Driver: system32\DRIVERS\L8042mou.Sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech Bluetooth Service: C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (manual start)
LeapFrog Connect Device Service: "C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe" (autostart)
Logitech SetPoint KMDF HID Filter Driver: system32\DRIVERS\LHidFilt.Sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Logitech SetPoint KMDF Mouse Filter Driver: system32\DRIVERS\LMouFilt.Sys (manual start)
SetPoint Mouse Filter Driver: system32\DRIVERS\LMouKE.Sys (manual start)
MaxBackServiceInt: "C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe" (autostart)
McAfee SiteAdvisor Service: "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" (autostart)
McAfee Services: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (autostart)
McAfee Network Agent: "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe" (autostart)
McAfee Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (manual start)
McAfee Proxy Service: c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (autostart)
McAfee Real-time Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (autostart)
McAfee SystemGuards: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
McAfee Inc. mfeavfk: system32\drivers\mfeavfk.sys (manual start)
McAfee Inc. mfebopk: system32\drivers\mfebopk.sys (manual start)
McAfee Inc. mfehidk: system32\drivers\mfehidk.sys (system)
McAfee Inc. mferkdk: system32\drivers\mferkdk.sys (manual start)
McAfee Inc. mfesmfk: system32\drivers\mfesmfk.sys (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
MPFP: System32\Drivers\Mpfp.sys (system)
McAfee Personal Firewall Service: "C:\Program Files\McAfee\MPF\MPFSrv.exe" (autostart)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Maxtor OneTouch Security Driver: system32\DRIVERS\mxopswd.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Network Access Protection Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NBService: C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: System32\DRIVERS\NMnt.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
MaxSyncService: "C:\Program Files\Maxtor\Utils\SyncServices.exe" (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PnkBstrA: C:\WINDOWS\system32\PnkBstrA.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
ProtexisLicensing: "C:\Program Files\Common Files\Protexis\License Service\PSIService.exe" (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
RIM Virtual Serial Port v2: system32\DRIVERS\RimSerial.sys (manual start)
Rksample: System32\DRIVERS\HSF_SAMP.sys (manual start)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScsiAccess: C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
DB CIF Cam: System32\Drivers\Capt905c.sys (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{8323A8A6-B825-4485-B89A-D791EEF55FDF} (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Vei78xoet: C:\WINDOWS\system32\drivers\crusoe.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Wdf01000: system32\DRIVERS\Wdf01000.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Carlos\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\Carlos\LOCALS~1\History\History.IE5\desktop.ini||C:\DOCUME~1\Carlos\LOCALS~1\History\History.IE5\index.dat||C:\Program Files\Adobe\Acrobat 8.0\AcroPatch\31625pdfshell.dll => C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll|C:\Program Files\Adobe\Acrobat 8.0\AcroPatch\31661acrotray.exe => C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe|C:\Program Files\Adobe\Acrobat 8.0\AcroPatch\31667adistres.dll => C:\Program Files\Adobe\Acrobat 8.0\Acrobat\adistres.dll|C:\Program Files\Adobe\Acrobat 8.0\AcroPatch\32063Acrotray.exe => C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe|C:\Program Files\Adobe\Acrobat 8.0\AcroPatch\32350AdobeUpdater.exe => C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe|C:\Program Files\Adobe\Acrobat 8.0\AcroPatch||C:\Documents and Settings\All Users\Application Data\AdobeUpdater.rbt


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 43,514 bytes
Report generated in 0.516 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#6 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 18 December 2008 - 11:41 PM

Here is the Hijack log as well as well as the Combofix log, sorry but it did not all fit on the prev reply.

:) Hijackthis Log :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:15 PM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {82fd5216-c710-43a9-b8c3-a9e56fd22e13} - (no file)
O2 - BHO: (no name) - {901CE412-BB4C-45F1-A9B7-5EFD60184BF1} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {BB21F9F6-F56F-4D45-ACBF-6662FC8C0205} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000049.000000d2
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169404667234
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - (no CLSID) - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: jrugpg.dll,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Inpqmc - Nero AG - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 14385 bytes










:) Combofix Log :)


ComboFix 08-12-17.01 - Carlos 2008-12-18 22:47:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.363 [GMT -6:00]
Running from: c:\documents and settings\Carlos\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-17 19:32 . 2008-12-17 19:32 <DIR> d-------- c:\windows\system32\LogFiles
2008-12-17 17:16 . 2008-12-17 17:17 <DIR> d-------- c:\program files\ERUNT
2008-12-17 16:27 . 2008-12-17 16:27 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 16:20 . 2008-12-17 16:20 <DIR> d-------- c:\program files\Photosynth
2008-12-17 14:42 . 2008-12-17 14:44 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-17 05:25 . 2008-12-18 07:55 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-17 05:04 . 2008-12-17 23:53 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-17 05:04 . 2008-12-17 05:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-17 05:04 . 2008-12-17 05:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-17 02:52 . 2008-12-17 02:52 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Malwarebytes
2008-12-17 02:51 . 2008-12-17 02:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 02:51 . 2008-12-17 02:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 02:51 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-17 02:51 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-17 02:19 . 2008-12-17 02:19 0 --a------ c:\windows\system32\xxyxyXRI.dll.vir
2008-12-17 01:53 . 2008-11-28 10:56 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-16 20:32 . 2008-12-16 20:32 <DIR> d-------- c:\documents and settings\Carlos\Application Data\McAfee
2008-12-15 23:03 . 2008-12-15 23:03 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 23:03 . 2008-12-15 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-08 04:40 . 2008-12-17 02:41 0 --a------ C:\proc.id
2008-12-08 04:40 . 2008-12-17 02:41 0 --a------ C:\asdasd.asdasd
2008-11-30 19:29 . 2008-11-30 19:29 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Logitech
2008-11-30 19:20 . 2008-11-30 19:20 130,208 -r------- c:\windows\bwUnin-8.1.1.87-8876480SL.exe
2008-11-30 19:16 . 2008-11-30 19:16 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-11-30 19:16 . 2008-11-30 19:16 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-11-30 19:15 . 2008-11-30 19:15 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-30 19:13 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-11-30 19:13 . 2008-05-02 02:39 170,512 --a------ c:\windows\system32\kemutb.dll
2008-11-30 19:13 . 2008-05-02 02:39 145,936 --a------ c:\windows\system32\KemUtil.dll
2008-11-30 19:13 . 2008-05-02 02:40 117,264 --a------ c:\windows\system32\KemWnd.dll
2008-11-30 19:13 . 2008-05-02 02:40 84,496 --a------ c:\windows\system32\KemXML.dll
2008-11-30 19:12 . 2008-11-30 19:20 <DIR> d-------- c:\program files\Logitech
2008-11-30 19:12 . 2008-11-30 19:22 <DIR> d-------- c:\program files\Common Files\Logishrd
2008-11-30 19:12 . 2008-11-30 19:12 <DIR> d-------- c:\documents and settings\Carlos\Application Data\InstallShield
2008-11-30 19:12 . 2008-11-30 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-11-30 19:11 . 2008-11-30 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2008-11-30 19:03 . 2008-04-13 12:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-11-30 19:03 . 2008-04-13 12:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-11-30 19:03 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-30 19:03 . 2008-04-13 18:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-11-30 19:03 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-30 19:03 . 2008-04-13 12:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-30 19:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-30 19:03 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-30 19:02 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-30 19:02 . 2008-04-13 12:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-28 15:39 . 2008-11-28 15:39 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-28 15:25 . 2008-11-28 15:25 <DIR> d-------- c:\documents and settings\Carlos\Application Data\com.raptr.Raptr.848BBC53270CAC248E8FA0F339176201CDEB525F.1
2008-11-28 15:23 . 2008-11-28 15:24 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Raptr
2008-11-28 14:49 . 2008-11-28 17:27 682,280 --a------ c:\windows\system32\pbsvc.exe
2008-11-28 10:57 . 2008-11-28 10:56 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-24 17:54 . 2008-12-17 21:10 11,735 --a------ c:\windows\system32\Config.MPF
2008-11-23 19:31 . 2008-11-23 19:31 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-23 17:58 . 2008-11-23 17:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-23 17:55 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-11-23 17:55 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-11-23 17:55 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-11-23 17:55 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-11-23 17:55 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-11-23 17:55 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-11-23 17:54 . 2008-11-23 17:54 <DIR> d-------- c:\program files\McAfee.com
2008-11-23 17:54 . 2008-11-23 17:58 <DIR> d-------- c:\program files\McAfee
2008-11-23 17:54 . 2008-11-23 17:55 <DIR> d-------- c:\program files\Common Files\McAfee
2008-11-23 17:48 . 2008-11-23 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-23 17:43 . 2008-12-14 05:22 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-23 17:29 . 2008-11-23 17:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-17 11:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-17 07:36 --------- d-----w c:\program files\Java
2008-12-16 06:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-16 05:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-14 19:06 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-14 19:05 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-11 19:37 --------- d-----w c:\program files\Common Files\Express Digital
2008-12-06 17:19 --------- d-----w c:\documents and settings\Carlos\Application Data\LimeWire
2008-12-01 01:20 --------- d-----w c:\program files\InstallShield Installation Information
2008-11-28 23:27 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-28 23:27 22,328 ----a-w c:\documents and settings\Carlos\Application Data\PnkBstrK.sys
2008-11-28 23:13 --------- d--h--w c:\program files\Activision
2008-11-24 23:51 --------- d-----w c:\program files\Yahoo!
2008-11-23 23:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-23 18:44 --------- d-----w c:\program files\ATT Internet Tools
2008-11-23 18:25 --------- d-----w c:\program files\Canon
2008-11-23 17:58 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-11-21 10:02 --------- d-----w c:\program files\ATTToolbar
2008-11-21 09:20 --------- d-----w c:\documents and settings\Carlos\Application Data\Lavasoft
2008-11-15 04:58 --------- d-----w c:\program files\DIFX
2008-11-15 04:57 --------- d-----w c:\program files\LeapFrog
2008-11-15 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Leapfrog
2008-10-29 13:30 --------- d-----w c:\documents and settings\Carlos\Application Data\SUPERAntiSpyware.com
2008-10-26 14:31 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-03-26 01:48 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-16 03:24 6,820,632 ---ha-w c:\program files\FirefoxGoogleToolbarSetup.exe
2008-11-21 09:19 94,208 ----a-w c:\program files\mozilla firefox\components\blsfflock.dll
2008-06-04 23:42 8 --sha-r c:\windows\system32\D48564AF07.sys
2008-08-26 16:37 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-17_21.15.01.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-31 03:44:18 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2008-12-18 06:12:12 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
- 2008-03-31 03:44:19 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-12-18 06:12:18 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-03-31 03:44:19 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-12-18 06:12:15 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-03-31 03:44:19 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2008-12-18 06:12:16 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
- 2008-03-31 03:44:19 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-12-18 06:12:16 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-03-31 03:44:18 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-12-18 06:12:11 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2008-12-18 01:38:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-19 04:26:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-18 01:38:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-19 04:26:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-18 06:06:54 16,384 ------w c:\windows\Temp\Perflib_Perfdata_648.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-14 2356088]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Mozilla Firefox\firefox.exe" [2008-12-17 307704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-07-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-30 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-30 805392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"NoVisualStyleChoice"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jrugpg.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Carlos^Start Menu^Programs^Startup^Delta Force-Black Hawk Down Team Sabre Registration.lnk]
backup=c:\windows\pss\Delta Force-Black Hawk Down Team Sabre Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Adobe GoLive CS\\GoLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\expansion\\jox01\\PACK.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Watch.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\Program Files\\McAfee\\MHN\\McENUI.exe"=
"c:\\Program Files\\CCleaner\\ccleaner.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3sp.exe"=
"c:\\Program Files\\ExpressDigital\\Darkroom WE\\Darkroom WE.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS\\Plug-Ins\\MysticalTTC.exe"=
"c:\\Program Files\\Auto FX Software\\PGE\\PGE.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\unins001.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\lsupdatemanager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-17 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-17 231704]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;"c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe" [2008-11-04 991232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-11-23 203280]
S3 Asmaundsiqsn;Asmaundsiqsn; []
S3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2007-06-19 18560]
S3 Inpqmc;Inpqmc; []
S3 Isapsrnbchp;Isapsrnbchp; []
S3 Vei78xoet;Vei78xoet;c:\windows\system32\drivers\crusoe.sys [2002-08-28 36736]
S3 Wuaptstppqsn;Wuaptstppqsn; []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\blsfflock.dll
FF - plugin: c:\documents and settings\Carlos\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 22:52:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2008-12-18 22:56:09
ComboFix-quarantined-files.txt 2008-12-19 04:55:52
ComboFix2.txt 2008-12-18 03:16:55

Pre-Run: 20,358,520,832 bytes free
Post-Run: 20,345,552,896 bytes free

331 --- E O F --- 2008-12-17 19:48:41



Thanks again!

#7 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 19 December 2008 - 07:31 AM

Please do not post logs unless I ask for them.

Please post the results of the VirScan I had you do for the 3 files.

Thanks :)

#8 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 19 December 2008 - 08:30 PM

As I stated in one of my earlier replies, I received an upload error when I attempted to submit those 3 files you advised to submit. I attempted it again this evening to no avail. Advise as to how to proceed.

Thanks!
Rampag3 :)

#9 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 20 December 2008 - 05:25 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.

  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

#10 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 21 December 2008 - 04:26 AM

Ran some additional scans over night & through out the day, using everything in the arsenal: McAfee, AVG, Malwarebytes, Ad-aware, Spybot SD, Rogue & CA Antispy. No additional traces found until I ran the SUPERAntispyware, five traces of Rogue.Component/Trace. Maybe this is why the computer is still dragging [bleep]. :)

One other thing, McAfee has give me the following pop up several times: Potentially Unwanted Program Detected McAfee has blocked a potentially unwanted program (PUP) on your computer. If you do not recognize it,(which I don't) we recommend that you remove the program. Name: Tool-NirCmd Location: C:/System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1157\A0369335.exe McAfee gives me the option to Remove, Trust or Close Alert Not sure how to proceed with choices. :)


Thanks again Spysentinel. :)

Rampag3 :)

:) :beer: Here is the Combofix Log: :yes: :no:




ComboFix 08-12-17.01 - Carlos 2008-12-21 0:14:00.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.494 [GMT -6:00]
Running from: c:\documents and settings\Carlos\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carlos\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-20 22:04 . 2008-12-20 22:04 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-19 01:48 . 2008-12-19 01:48 <DIR> d-------- C:\VundoFix Backups
2008-12-17 17:16 . 2008-12-17 17:17 <DIR> d-------- c:\program files\ERUNT
2008-12-17 16:27 . 2008-12-17 16:27 <DIR> d-------- c:\program files\Trend Micro
2008-12-17 16:20 . 2008-12-17 16:20 <DIR> d-------- c:\program files\Photosynth
2008-12-17 14:42 . 2008-12-17 14:44 <DIR> d-------- c:\program files\RogueRemover FREE
2008-12-17 05:25 . 2008-12-19 20:08 <DIR> d-------- C:\$AVG8.VAULT$
2008-12-17 05:04 . 2008-12-20 17:53 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-17 05:04 . 2008-12-17 05:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-17 05:04 . 2008-12-17 05:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-17 02:52 . 2008-12-17 02:52 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Malwarebytes
2008-12-17 02:51 . 2008-12-17 02:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-17 02:51 . 2008-12-17 02:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-17 02:51 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-17 02:51 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-17 01:53 . 2008-11-28 10:56 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-16 20:32 . 2008-12-16 20:32 <DIR> d-------- c:\documents and settings\Carlos\Application Data\McAfee
2008-12-15 23:03 . 2008-12-15 23:03 <DIR> d-------- c:\program files\Lavasoft
2008-12-15 23:03 . 2008-12-15 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-30 19:29 . 2008-11-30 19:29 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Logitech
2008-11-30 19:20 . 2008-11-30 19:20 130,208 -r------- c:\windows\bwUnin-8.1.1.87-8876480SL.exe
2008-11-30 19:16 . 2008-11-30 19:16 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-11-30 19:16 . 2008-11-30 19:16 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-11-30 19:15 . 2008-11-30 19:15 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-30 19:13 . 2008-05-02 02:38 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2008-11-30 19:13 . 2008-05-02 02:39 170,512 --a------ c:\windows\system32\kemutb.dll
2008-11-30 19:13 . 2008-05-02 02:39 145,936 --a------ c:\windows\system32\KemUtil.dll
2008-11-30 19:13 . 2008-05-02 02:40 117,264 --a------ c:\windows\system32\KemWnd.dll
2008-11-30 19:13 . 2008-05-02 02:40 84,496 --a------ c:\windows\system32\KemXML.dll
2008-11-30 19:12 . 2008-11-30 19:20 <DIR> d-------- c:\program files\Logitech
2008-11-30 19:12 . 2008-11-30 19:22 <DIR> d-------- c:\program files\Common Files\Logishrd
2008-11-30 19:12 . 2008-11-30 19:12 <DIR> d-------- c:\documents and settings\Carlos\Application Data\InstallShield
2008-11-30 19:12 . 2008-11-30 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-11-30 19:11 . 2008-11-30 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2008-11-30 19:03 . 2008-04-13 12:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-11-30 19:03 . 2008-04-13 12:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-11-30 19:03 . 2008-04-13 18:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-30 19:03 . 2008-04-13 18:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-11-30 19:03 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-30 19:03 . 2008-04-13 12:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-30 19:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-30 19:03 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-30 19:02 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-30 19:02 . 2008-04-13 12:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-28 15:39 . 2008-11-28 15:39 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-28 15:25 . 2008-11-28 15:25 <DIR> d-------- c:\documents and settings\Carlos\Application Data\com.raptr.Raptr.848BBC53270CAC248E8FA0F339176201CDEB525F.1
2008-11-28 15:23 . 2008-11-28 15:24 <DIR> d-------- c:\documents and settings\Carlos\Application Data\Raptr
2008-11-28 14:49 . 2008-11-28 17:27 682,280 --a------ c:\windows\system32\pbsvc.exe
2008-11-28 10:57 . 2008-11-28 10:56 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-24 17:54 . 2008-12-20 18:45 11,735 --a------ c:\windows\system32\Config.MPF
2008-11-23 19:31 . 2008-11-23 19:31 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-11-23 17:58 . 2008-11-23 17:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-23 17:55 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-11-23 17:55 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-11-23 17:55 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-11-23 17:55 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-11-23 17:55 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-11-23 17:55 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-11-23 17:54 . 2008-11-23 17:54 <DIR> d-------- c:\program files\McAfee.com
2008-11-23 17:54 . 2008-11-23 17:58 <DIR> d-------- c:\program files\McAfee
2008-11-23 17:54 . 2008-11-23 17:55 <DIR> d-------- c:\program files\Common Files\McAfee
2008-11-23 17:48 . 2008-11-23 17:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-23 17:43 . 2008-12-14 05:22 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-11-23 17:29 . 2008-11-23 17:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 04:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 04:04 --------- d-----w c:\documents and settings\Carlos\Application Data\SUPERAntiSpyware.com
2008-12-21 04:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-17 11:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-17 07:36 --------- d-----w c:\program files\Java
2008-12-16 06:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-14 19:06 137,688 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-14 19:05 202,040 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-11 19:37 --------- d-----w c:\program files\Common Files\Express Digital
2008-12-06 17:19 --------- d-----w c:\documents and settings\Carlos\Application Data\LimeWire
2008-12-01 01:20 --------- d-----w c:\program files\InstallShield Installation Information
2008-11-28 23:27 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-28 23:27 22,328 ----a-w c:\documents and settings\Carlos\Application Data\PnkBstrK.sys
2008-11-28 23:13 --------- d-----w c:\program files\Activision
2008-11-24 23:51 --------- d-----w c:\program files\Yahoo!
2008-11-23 23:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-23 18:44 --------- d-----w c:\program files\ATT Internet Tools
2008-11-23 18:25 --------- d-----w c:\program files\Canon
2008-11-23 17:58 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-11-21 10:02 --------- d-----w c:\program files\ATTToolbar
2008-11-21 09:20 --------- d-----w c:\documents and settings\Carlos\Application Data\Lavasoft
2008-11-15 04:58 --------- d-----w c:\program files\DIFX
2008-11-15 04:57 --------- d-----w c:\program files\LeapFrog
2008-11-15 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Leapfrog
2008-10-26 14:31 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-03-26 01:48 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-16 03:24 6,820,632 ----a-w c:\program files\FirefoxGoogleToolbarSetup.exe
2008-11-21 09:19 94,208 ----a-w c:\program files\mozilla firefox\components\blsfflock.dll
2008-06-04 23:42 8 --sha-r c:\windows\system32\D48564AF07.sys
2008-08-26 16:37 5,018 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-17_21.15.01.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-31 03:44:18 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2008-12-18 06:12:12 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
- 2008-03-31 03:44:19 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2008-12-18 06:12:18 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-03-31 03:44:19 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2008-12-18 06:12:15 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-03-31 03:44:19 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2008-12-18 06:12:16 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
- 2008-03-31 03:44:19 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2008-12-18 06:12:16 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-03-31 03:44:18 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-12-18 06:12:11 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2008-12-21 04:04:19 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-12-21 04:04:20 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-12-18 01:38:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-21 04:49:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-18 01:38:58 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-21 04:49:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-17 22:09:36 61,354 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-19 07:43:50 61,354 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-17 22:09:36 402,246 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-19 07:43:50 402,246 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-20 03:32:01 16,384 ------w c:\windows\Temp\Perflib_Perfdata_350.dat
+ 2008-12-20 07:24:09 16,384 ------w c:\windows\Temp\Perflib_Perfdata_6b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-14 2356088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Mozilla Firefox\firefox.exe" [2008-12-17 307704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-01 257088]
"MaxtorOneTouch"="c:\program files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-07-18 1028096]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Disk Monitor"="c:\program files\Lexar Media\USB Card Reader Driver v2.1g\Disk_Monitor.exe" [2003-10-28 438784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-11-30 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-30 805392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"NoVisualStyleChoice"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Carlos^Start Menu^Programs^Startup^Delta Force-Black Hawk Down Team Sabre Registration.lnk]
backup=c:\windows\pss\Delta Force-Black Hawk Down Team Sabre Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Adobe GoLive CS\\GoLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\expansion\\jox01\\PACK.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Watch.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\Program Files\\McAfee\\MHN\\McENUI.exe"=
"c:\\Program Files\\CCleaner\\ccleaner.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3sp.exe"=
"c:\\Program Files\\ExpressDigital\\Darkroom WE\\Darkroom WE.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LDMConf.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS\\Plug-Ins\\MysticalTTC.exe"=
"c:\\Program Files\\Auto FX Software\\PGE\\PGE.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\unins001.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\lsupdatemanager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-17 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-17 231704]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;"c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe" [2008-11-04 991232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-11-23 203280]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 Asmaundsiqsn;Asmaundsiqsn; []
S3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2007-06-19 18560]
S3 Inpqmc;Inpqmc; []
S3 Isapsrnbchp;Isapsrnbchp; []
S3 Vei78xoet;Vei78xoet;c:\windows\system32\drivers\crusoe.sys [2002-08-28 36736]
S3 Wuaptstppqsn;Wuaptstppqsn; []

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{82fd5216-c710-43a9-b8c3-a9e56fd22e13} - (no file)
BHO-{901CE412-BB4C-45F1-A9B7-5EFD60184BF1} - (no file)
BHO-{BB21F9F6-F56F-4D45-ACBF-6662FC8C0205} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\Carlos\Application Data\Mozilla\Firefox\Profiles\rhn7243g.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\blsfflock.dll
FF - plugin: c:\documents and settings\Carlos\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 00:18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\avgrsstx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(884)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-21 0:21:45
ComboFix-quarantined-files.txt 2008-12-21 06:21:27
ComboFix2.txt 2008-12-19 04:56:17
ComboFix3.txt 2008-12-18 03:16:55

Pre-Run: 20,340,215,808 bytes free
Post-Run: 20,326,371,328 bytes free

354 --- E O F --- 2008-12-17 19:48:41



:no: ;) Here is the Super Anti-Spyware scan log :) :)




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/21/2008 at 03:56 AM

Application Version : 4.23.1006

Core Rules Database Version : 3680
Trace Rules Database Version: 1659

Scan type : Complete Scan
Total Scan Time : 03:31:05

Memory items scanned : 539
Memory threats detected : 0
Registry items scanned : 7106
Registry threats detected : 5
File items scanned : 27907
File threats detected : 0

Rogue.Component/Trace
HKLM\Software\Microsoft\FB728861
HKLM\Software\Microsoft\FB728861#fb728861
HKLM\Software\Microsoft\FB728861#Version
HKU\S-1-5-21-1409082233-1606980848-682003330-1004\Software\Microsoft\CS41275
HKU\S-1-5-21-1409082233-1606980848-682003330-1004\Software\Microsoft\FIAS4018

#11 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 21 December 2008 - 05:08 PM

Your welcome.

Regarding what McAfee found, since it is in the System Restore, we will deal with it once you are clean, I will have you reset system restore which will take care of it.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/...rweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

#12 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 24 December 2008 - 09:27 PM

I was finally able to finish running Dr. Web let me know what I need to do next. Thanks! :)

And by the way have a wonderful Merry Christmas.

#13 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 26 December 2008 - 04:09 PM

Quote

And by the way have a wonderful Merry Christmas.


Thanks same to you. Hope you and your family had a wonderful Christmas.


Can you please post the Dr.Web CureIt Log?

Thanks!

#14 Rampag3

  • Group: Member
  • Posts: 36
  • Joined: 17-December 08

Posted 28 December 2008 - 06:37 PM

Her's the Dr.Web Cureit log. Not sure if I saved this correctly, it was coming up as an Excel file for some reason but I went ahead & changed it notepad. When I attempted to bring it up with Excel there was nothing there.

I'm thinking I may still be infected, my browser continues to take me to the same att website that I mentioned in an earlier post. One other thing when I run Malwarebytes it keeps bringing up one of my other programs (Intelinet) & all its contents as a Rogue, you know anything about Intelinet, do I need to have Malewarebytes remove it?

Thanks! :)



stream001\uninstll.exe;C:\DELL\Drivers\R64177\EL2k3_CD.exe\\Windows\access\EarthLink Setup.msi\stream001;Probably STPAGE.Trojan;;
stream001;C:\DELL\Drivers\R64177\EL2k3_CD.exe\\Windows\access\EarthLink Setup.msi;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\DELL\Drivers\R64177\EL2k3_CD.exe\\Windows\access;Archive contains infected objects;;
EL2k3_CD.exe;C:\DELL\Drivers\R64177;Archive contains infected objects;Moved.;
RegUBP2b-Carlos.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
data002\32788R22FWJFW\mtee.cfexe;C:\Documents and Settings\Carlos\Desktop\ComboFix.exe\data002;Probably Trojan.Packed.258;;
data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Carlos\Desktop\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Carlos\Desktop\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Carlos\Desktop;Archive contains infected objects;Moved.;
VirtumundoBeGone(2).exe\data005;C:\Documents and Settings\Carlos\Desktop\VirtumundoBeGone(2).exe;Tool.Prockill;;
VirtumundoBeGone(2).exe;C:\Documents and Settings\Carlos\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Carlos\Desktop\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Documents and Settings\Carlos\Desktop\smitRem;Program.PrcView.3741;Moved.;
smitRem.exe\smitRem/Process.exe;C:\Documents and Settings\Carlos\Desktop\Unused Desktop Shortcuts\smitRem.exe;Tool.Prockill;;
smitRem.exe\smitRem/pv.exe;C:\Documents and Settings\Carlos\Desktop\Unused Desktop Shortcuts\smitRem.exe;Program.PrcView.3741;;
smitRem.exe;C:\Documents and Settings\Carlos\Desktop\Unused Desktop Shortcuts;Archive contains infected objects;Moved.;
A0367580.exe\data005;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1145\A0367580.exe;Tool.Prockill;;
A0367580.exe;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1145;Archive contains infected objects;Moved.;
A0367673.exe\data005;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1148\A0367673.exe;Tool.Prockill;;
A0367673.exe;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1148;Archive contains infected objects;Moved.;
A0368120.reg;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1154;Trojan.StartPage.1505;Deleted.;
A0368271.reg;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1155;Trojan.StartPage.1505;Deleted.;
A0368283.EXE;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1155;Program.PsExec.170;Moved.;
A0369278.reg;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1155;Trojan.StartPage.1505;Deleted.;
A0369283.exe\data005;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1155\A0369283.exe;Tool.Prockill;;
A0369283.exe;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1155;Archive contains infected objects;Moved.;
A0369346.EXE;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158;Program.PsExec.170;Moved.;
A0369423.reg;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158;Trojan.StartPage.1505;Deleted.;
stream001\uninstll.exe;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158\A0369557.exe\\Windows\access\EarthLink Setup;Probably STPAGE.Trojan;;
stream001;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158\A0369557.exe\\Windows\access\EarthLink Setup;Archive contains infected objects;;
\Windows\access\EarthLink Setup.msi;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158\A0369557.exe\\Windows\access;Archive contains infected objects;;
A0369557.exe;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158;Archive contains infected objects;Moved.;
A0369559.reg;C:\System Volume Information\_restore{9226F5F5-1179-4841-A1B3-8172EA2C68DF}\RP1158;Trojan.StartPage.1505;Deleted.;
ExpressDigital Darkroom Web Edition V8.7.msi\stream004;C:\WINDOWS\Downloaded Installations\{1069FD79-7493-468C-97EE-C80B1C75AFCF}\ExpressDigital Darkroom Web Edition V8.7.msi;Dialer.Accessor.origin;;
ExpressDigital Darkroom Web Edition V8.7.msi\stream009;C:\WINDOWS\Downloaded Installations\{1069FD79-7493-468C-97EE-C80B1C75AFCF}\ExpressDigital Darkroom Web Edition V8.7.msi;Dialer.Accessor.origin;;
ExpressDigital Darkroom Web Edition V8.7.msi;C:\WINDOWS\Downloaded Installations\{1069FD79-7493-468C-97EE-C80B1C75AFCF};Archive contains infected objects;Moved.;
ExpressDigital Darkroom Web Edition V8.7.msi\stream004;C:\WINDOWS\Downloaded Installations\{46610EBF-1BBB-430D-A2A9-B1889C3FF38B}\ExpressDigital Darkroom Web Edition V8.7.msi;Dialer.Accessor.origin;;
ExpressDigital Darkroom Web Edition V8.7.msi\stream009;C:\WINDOWS\Downloaded Installations\{46610EBF-1BBB-430D-A2A9-B1889C3FF38B}\ExpressDigital Darkroom Web Edition V8.7.msi;Dialer.Accessor.origin;;
ExpressDigital Darkroom Web Edition V8.7.msi;C:\WINDOWS\Downloaded Installations\{46610EBF-1BBB-430D-A2A9-B1889C3FF38B};Archive contains infected objects;Moved.;
8fd220a.msi\stream003;C:\WINDOWS\Installer\8fd220a.msi;Dialer.Accessor.origin;;
8fd220a.msi\stream007;C:\WINDOWS\Installer\8fd220a.msi;Dialer.Accessor.origin;;
8fd220a.msi;C:\WINDOWS\Installer;Archive contains infected objects;Moved.;

#15 SpySentinel

  • Group: Retired Staff
  • Posts: 5,152
  • Joined: 22-September 07

Posted 29 December 2008 - 01:45 PM

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Share this topic:


  • 4 Pages +
  • 1
  • 2
  • 3
  • Last »
(Please log in, or register to add a reply.)