Big Virus - Having Problems
#1 teh.wyman (New Member, 5 posts)

I'm trying to fix my friend's computer and usually I can figure out these things on my own, but this is a behemoth of a virus. He installed what he thought was a patch for a game and it turned out to be malware of some kind. I believe this is a variant of the XPAntivir2008 virus, and I have followed steps to remove it, but there are still remnants of something left over. Any help with this will be greatly appreciated.

Symptoms include:
  • Disabling of a lot of items by administrator including regedit (resolved), display properties, and other items
  • Sluggish system
  • Many options taken out of the Start menu (Program files, User Menu, Documents, Run, Search, etc.)
  • Redirection of links in IE to random unrelated sites (happens in safe mode)
  • Not allowing update.windows.com to open (happens in safe mode)
  • Not allowing update of any AV databases
  • Not allowing opening of anything but IE to access the internet
  • Randomly named DLLs in the system32 folder (resolved)
  • Background set to a website and not resettable
  • Deletion of all previous System Restore points
  • Will not allow the installation of some programs
  • Will not allow access to AV websites (Trendmicro, eset, etc.)
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:26 AM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6923 bytes
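
The log above is the kind of thing a helper reads by eye, entry by entry. As an added example (not HijackThis code and not the poster's), the script below parses the numbered HJT entries and flags the ones that line up with the symptoms listed in the post: an O6 IE-restrictions policy, hosts-file overrides of security vendors (the blocked AV sites), autostarts from unexpected locations, and services with no vendor name. The allowlists are this example's own assumptions, and the sample input is constructed: it copies entries from the log above plus two lines that were not in it, an O1 hosts block and an O4 Run entry for winupsvc.exe (a filename that turns up in the ComboFix deletions later in this thread), so that the output shows what a hit looks like.

```python
"""Triage a HijackThis (HJT) log: parse the numbered entries and flag the ones
that match the reported symptoms. Allowlists below are assumptions of this
example, not part of HijackThis."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First Windows path in an entry body, up to an executable-ish extension; paths may contain spaces.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl|htm|html))\b", re.I)

# Assumed allowlists: install roots we trust and the system32 autostarts a stock XP/HP box carries.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
KNOWN_SYSTEM32 = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "nwiz.exe", "nvsvc32.exe"}
# Hostnames a hosts-file hijack typically blackholes (the poster could not reach these vendors).
SECURITY_HOSTS = ("trendmicro", "eset", "kaspersky", "symantec", "mcafee", "windowsupdate", "update.microsoft")

# Constructed sample: entries copied from the log above, plus two lines that are NOT in it
# (the O1 hosts line and the [winupsvc] O4 line) to show what a positive hit looks like.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 127.0.0.1 www.trendmicro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winupsvc] C:\WINDOWS\system32\winupsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (code, body, raw_line) for each HJT entry; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def first_path(body):
    """Lower-cased first file path found in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return the entries worth a second look, in log order."""
    findings = []
    for code, body, raw in parse_entries(log_text):
        path = first_path(body)
        if code == "O6" and "Restrictions present" in body:
            findings.append(Finding(code, "IE restrictions policy set (locked-down IE options)", raw))
        elif code == "O1" and any(h in body.lower() for h in SECURITY_HOSTS):
            findings.append(Finding(code, "hosts file overrides a security/update site", raw))
        elif code in ("R0", "R1"):
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            if url and "microsoft.com" not in url.lower():
                findings.append(Finding(code, "IE start/search page points off Microsoft", raw))
        elif code == "O4" and path:
            name = path.rsplit("\\", 1)[-1]
            if not path.startswith(TRUSTED_ROOTS):
                findings.append(Finding(code, "autostart outside trusted install roots", raw))
            elif "\\system32\\" in path and name not in KNOWN_SYSTEM32:
                findings.append(Finding(code, "system32 autostart not on allowlist; verify the file", raw))
        elif code == "O23":
            # O23 - Service: Display (short) - Company - path   (a display name containing " - " would need care)
            parts = body.split(" - ")
            company = parts[1].strip() if len(parts) >= 3 else ""
            if company in ("", "Unknown owner") or not (path or "").startswith(TRUSTED_ROOTS):
                findings.append(Finding(code, "service with no vendor name or unexpected path", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

On the sample input this reports exactly three entries: the constructed hosts override, the constructed winupsvc.exe autostart, and the O6 restrictions line that really is in the log above. Everything else in the posted log (Google Toolbar, Groove, HP and Bluetooth entries) passes because it lives under a trusted root with a vendor name. The allowlist approach is deliberate: random-looking filenames such as the ones the poster saw cannot be reliably detected by pattern, but an unknown file in system32 that also autostarts is always worth checking.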

#2 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hello :)

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Next



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 teh.wyman (Topic Starter, New Member, 5 posts)

Thank you for the quick reply. After posting last night, I downloaded and installed Kaspersky AV and it seems to have taken care of most of the problem. After running the applications you suggested, the problem is even closer to being resolved. I am still unable to change the desktop wallpaper, but that should be fixed with some modifications to the group policy settings. Thank you very much for your time.

SmitfraudFix:
SmitFraudFix v2.329

Scan done at 20:37:58.73, Mon 07/14/2008
Run from C:\Documents and Settings\MyName\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MyName


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\MyName\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MyN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 65.164.201.148
DNS Server Search Order: 76.7.255.188

HKLM\SYSTEM\CCS\Services\Tcpip\..\{312BA2FB-8195-4878-BDB5-2DA57B536636}: DhcpNameServer=65.164.201.148 76.7.255.188
HKLM\SYSTEM\CS1\Services\Tcpip\..\{312BA2FB-8195-4878-BDB5-2DA57B536636}: DhcpNameServer=65.164.201.148 76.7.255.188
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.164.201.148 76.7.255.188
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.164.201.148 76.7.255.188


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Combofix:
ComboFix 08-07-14.2 - MyName 2008-07-14 20:42:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.629 [GMT -6:00]
Running from: C:\Documents and Settings\MyName\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\msnimport.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbdll.old
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\fkvhypoy.ini
C:\WINDOWS\system32\gdngmwkd.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mswinup.exe
C:\WINDOWS\system32\RXwaJkkj.ini
C:\WINDOWS\system32\RXwaJkkj.ini2
C:\WINDOWS\system32\VuCcbcdd.ini
C:\WINDOWS\system32\VuCcbcdd.ini2
C:\WINDOWS\system32\winsvcup.exe
C:\WINDOWS\system32\winupsvc.exe
C:\WINDOWS\system32\wpxgfqtg.ini
C:\WINDOWS\system32\YHhOonmp.ini
C:\WINDOWS\system32\YHhOonmp.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-14 20:38 . 2008-07-14 20:38 804 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-14 20:37 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-14 20:37 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-14 20:37 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-14 20:37 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-14 20:37 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-14 20:37 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-14 20:37 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-14 20:37 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-14 20:37 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-14 01:42 . 2008-07-14 02:18 <DIR> d-------- C:\HJT
2008-07-14 00:05 . 2008-07-14 00:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-13 23:55 . 2008-07-14 20:41 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-13 23:55 . 2008-07-14 20:41 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-13 23:53 . 2008-07-13 23:53 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-13 23:53 . 2008-07-14 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 23:53 . 2008-07-14 20:50 4,526,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-13 23:53 . 2008-07-14 20:49 62,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-13 23:53 . 2008-07-14 20:50 14,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-13 23:53 . 2008-07-14 20:49 3,440 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-13 23:36 . 2008-04-22 22:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-13 23:36 . 2007-04-17 03:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-13 23:36 . 2007-03-07 23:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-13 23:36 . 2008-04-22 22:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-13 23:36 . 2008-04-22 22:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-13 23:36 . 2008-04-22 22:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-13 23:36 . 2008-04-22 22:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-13 23:36 . 2008-04-22 22:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-13 23:36 . 2008-04-22 01:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-13 23:21 . 2008-07-13 23:21 <DIR> d-------- C:\kav
2008-07-13 21:07 . 2008-07-14 03:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-13 20:53 . 2008-07-13 20:54 <DIR> d-------- C:\Program Files\Opera
2008-07-13 20:18 . 2008-07-13 21:04 <DIR> d-------- C:\Program Files\ESET
2008-07-13 19:27 . 2008-07-13 22:37 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-07-13 19:23 . 2008-07-14 02:13 0 --a------ C:\WINDOWS\win.ini
2008-07-13 19:23 . 2008-07-14 20:51 0 --a------ C:\WINDOWS\system.ini
2008-07-13 17:33 . 2008-07-13 17:33 <DIR> d-------- C:\VundoFix Backups
2008-07-13 17:05 . 2008-07-13 21:14 <DIR> d--hs---- C:\Documents and Settings\MyName\Temporary Internet Files
2008-07-13 14:53 . 2008-07-13 14:57 <DIR> d-------- C:\Program Files\Unlocker
2008-07-12 23:29 . 2008-07-12 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-12 20:55 . 2008-07-13 14:40 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-12 20:54 . 2008-07-12 20:55 <DIR> d-------- C:\Program Files\CCleaner
2008-07-12 20:45 . 2008-07-12 20:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 17:31 . 2008-07-12 17:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 17:31 . 2008-07-12 17:31 <DIR> d-------- C:\Documents and Settings\MyName\Application Data\Lavasoft
2008-07-04 18:27 . 2008-07-04 18:27 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-28 23:01 . 2008-06-28 23:01 <DIR> d-------- C:\WINDOWS\Installing Adobe Acrobat Reader
2008-06-28 20:39 . 2008-06-28 20:39 0 --a------ C:\WINDOWS\PowerReg.dat
2008-06-20 11:41 . 2008-06-20 11:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 04:44 . 2008-06-20 04:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 07:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-14 05:29 --------- d-----w C:\Program Files\Symantec
2008-07-14 02:31 --------- d-----w C:\Program Files\Download Manager
2008-07-12 23:24 --------- d-----w C:\Program Files\RGB
2008-07-09 23:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-05 00:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-05 00:24 --------- d-----w C:\Program Files\Electronic Arts
2008-06-29 05:01 --------- d-----w C:\Program Files\Microsoft Games
2008-06-21 05:23 --------- d-----w C:\Program Files\THQ
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:56 34,312 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-11 00:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-11 00:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-06-01 02:12 --------- d-----w C:\Program Files\Common Files\i2 Shared
2008-06-01 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-05-24 03:44 --------- d-----w C:\Program Files\Starcraft
2008-05-24 03:32 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-05-24 03:32 --------- d-----w C:\Program Files\Alcohol Soft
2008-05-24 03:28 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd0253.sys
2008-05-24 03:28 643,072 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-24 02:31 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2008-04-09 22:35 1,052 ----a-w C:\Documents and Settings\MyName\Application Data\wklnhst.dat
2007-11-19 21:20 22,328 ----a-w C:\Documents and Settings\MyName\Application Data\PnkBstrK.sys
2007-10-12 16:48 8,422 ----a-w C:\Program Files\install.log
2007-06-10 21:01 67,568 ----a-w C:\Documents and Settings\MyName\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\MyName\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - C:\Program Files\Microsoft Office\Office12\GROOVE.EXE [2006-10-27 16:37:44 338216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 17:02:06 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sound Station.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sound Station.lnk
backup=C:\WINDOWS\pss\Sound Station.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^HOTLLAMA Update Check.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\HOTLLAMA Update Check.lnk
backup=C:\WINDOWS\pss\HOTLLAMA Update Check.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^Xfire.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2008-02-08 18:36 227856 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2006-02-22 09:03 40960 C:\Program Files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 09:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-06-10 18:52 1447168 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 17:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 17:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-04-15 12:26 7561216 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-04-15 12:26 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-03-07 14:38 131072 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--------- 2006-04-11 22:54 102400 C:\Program Files\Hp\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-21 08:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
--------- 2005-10-11 11:23 1187840 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--------- 2006-02-09 10:52 643072 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-03 23:46 761948 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 19:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-04-18 05:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2007-07-06 06:46 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-04-15 17:26 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Vongo Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NSCService"=2 (0x2)
"navapsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"PnkBstrA"=2 (0x2)
"odserv"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"hpqwmiex"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"AVP"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"F:\\Games\\BF2.exe"=
"F:\\Games\\RavenShield\\system\\RavenShield.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"F:\\Games\\FEAR.exe"=
"F:\\Games\\FEARMP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"F:\\Games\\star wars battlefront\\BF2.exe"=
"F:\\Games\\supcom\\Supreme Commander\\bin\\SupremeCommander.exe"=
"F:\\Games\\supcom\\GPGNet\\GPG.Multiplayer.Client.exe"=
"F:\\Games\\Chernobyl\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"F:\\Games\\Chernobyl\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"F:\\Games\\neverwinter nights 2\\nwn2main.exe"=
"F:\\Games\\neverwinter nights 2\\nwn2main_amdxp.exe"=
"F:\\Games\\neverwinter nights 2\\nwupdate.exe"=
"F:\\Games\\neverwinter nights 2\\nwn2server.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London Demo\\Launcher.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"F:\\music\\Limewire\\LimeWire.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"F:\\Games\\Half Life\\SteamApps\\bullseye659\\dark messiah might and magic multi-player\\mm.exe"=
"C:0\\Games\\Half Life\\SteamApps\\bullseye659\\dark messiah might and magic multi-player\\mm.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R1 SbPd;SbPd;C:\WINDOWS\system32\Drivers\SbPd.sys [2006-07-23 10:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 uafilter;uafilter;C:\WINDOWS\system32\DRIVERS\uafilter.sys [2003-09-18 10:21]
S4 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe []
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 15:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b9cf965-982f-11db-b9cc-0013025c0ed7}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b9cf966-982f-11db-b9cc-0013025c0ed7}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb7186f-5f2f-11dc-ba1e-0013025c0ed7}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0634618-7762-11dc-ba2e-0013025c0ed7}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F8AC36D7-F602-4B69-99B5-2A812E05779F} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-38f594ae - C:\WINDOWS\system32\dkwmgndg.dll
MSConfigStartUp-ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DIGStream - C:\Program Files\DIGStream\digstream.exe
MSConfigStartUp-Steam - F:\Games\Half Life\\Steam.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 20:52:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2008-07-14 21:06:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 03:06:41

Pre-Run: 14,371,610,624 bytes free
Post-Run: 18,950,184,960 bytes free

344 --- E O F --- 2008-07-14 09:04:24

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:30, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF17827.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7307 bytes

Edited by teh.wyman, 16 July 2008 - 12:00 AM.


#4 loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Logs look pretty good, a couple of things to remove; let's do this first.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System (XP SP2).

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

#5 teh.wyman
    New Member
  • Topic Starter
  • Member
  • 5 posts
Thanks again for the reply.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


#6 loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
That looks fine. I have to go to bed but will reply with further instructions tomorrow.

#7 loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Open Notepad and copy/paste the text in RED below into it:

Driver::
clbdriver

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]

Save this as CFScript.txt, in the same location as ComboFix.exe (desktop).

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt.

Next

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt. Please post the log with a new HijackThis log.


#8 teh.wyman
    New Member
  • Topic Starter
  • Member
  • 5 posts
Sorry for the delay between replies:

Combofix:
ComboFix 08-07-14.2 - MyName 2008-07-20 20:27:02.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.511 [GMT -6:00]
Running from: C:\Documents and Settings\MyName\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MyName\Desktop\CFScript.txt
.

(((((((((((((((((((((((((   Files Created from 2008-06-21 to 2008-07-21  )))))))))))))))))))))))))))))))
.

2008-07-20 20:21 . 2008-07-20 20:21	<DIR>	d--------	C:\Documents and Settings\MyName\Application Data\TrueCrypt
2008-07-19 17:55 . 2008-07-19 17:57	<DIR>	d--------	C:\Program Files\Diablo
2008-07-19 17:55 . 2008-07-19 17:55	118,784	--a------	C:\WINDOWS\DiabUnin.exe
2008-07-19 17:55 . 2008-07-19 17:57	5,991	--a------	C:\WINDOWS\DiabUnin.dat
2008-07-19 17:55 . 2008-07-19 17:55	2,829	--a------	C:\WINDOWS\DiabUnin.pif
2008-07-18 10:53 . 2008-07-18 10:53	21,840	--a------	C:\WINDOWS\system32\SIntfNT.dll
2008-07-18 10:53 . 2008-07-18 10:53	17,212	--a------	C:\WINDOWS\system32\SIntf32.dll
2008-07-18 10:53 . 2008-07-18 10:53	12,067	--a------	C:\WINDOWS\system32\SIntf16.dll
2008-07-18 10:37 . 2008-07-18 10:37	94,208	--a------	C:\WINDOWS\DIIUnin.exe
2008-07-18 10:37 . 2008-07-18 10:54	35,291	--a------	C:\WINDOWS\DIIUnin.dat
2008-07-18 10:37 . 2008-07-18 10:37	2,829	--a------	C:\WINDOWS\DIIUnin.pif
2008-07-18 10:23 . 2008-07-20 17:52	<DIR>	d--------	C:\Program Files\Diablo II
2008-07-17 22:58 . 2008-07-17 22:58	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-07-14 21:18 . 2008-07-14 21:18	10,752	--a------	C:\WINDOWS\system32\dllcache\clb.dll
2008-07-14 21:18 . 2008-07-14 21:18	10,752	--a------	C:\WINDOWS\system32\clb.dll
2008-07-14 20:38 . 2008-07-14 20:38	804	--a------	C:\WINDOWS\system32\tmp.reg
2008-07-14 20:37 . 2007-09-06 00:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-07-14 20:37 . 2006-04-27 17:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-07-14 20:37 . 2008-05-29 09:35	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-07-14 20:37 . 2008-05-18 21:40	82,944	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-07-14 20:37 . 2008-07-02 13:33	82,432	--a------	C:\WINDOWS\system32\IEDFix.C.exe
2008-07-14 20:37 . 2008-05-23 18:21	81,920	--a------	C:\WINDOWS\system32\404Fix.exe
2008-07-14 20:37 . 2003-06-05 21:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-07-14 20:37 . 2004-07-31 18:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-07-14 20:37 . 2007-10-04 00:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-07-14 01:42 . 2008-07-14 21:55	<DIR>	d--------	C:\HJT
2008-07-14 00:05 . 2008-07-14 00:05	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-07-13 23:55 . 2008-07-14 20:41	96,966	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-07-13 23:55 . 2008-07-14 20:41	88,774	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-07-13 23:53 . 2008-07-13 23:53	<DIR>	d--------	C:\Program Files\Kaspersky Lab
2008-07-13 23:53 . 2008-07-16 23:03	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 23:53 . 2008-07-20 20:30	4,992,544	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-13 23:53 . 2008-07-16 23:02	64,040	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-13 23:53 . 2008-07-20 20:30	39,968	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-13 23:53 . 2008-07-16 23:02	4,064	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-13 23:36 . 2008-04-22 22:16	6,066,176	---------	C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-13 23:36 . 2007-04-17 03:32	2,455,488	---------	C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-13 23:36 . 2007-03-07 23:10	991,232	---------	C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-13 23:36 . 2008-04-22 22:16	459,264	---------	C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-13 23:36 . 2008-04-22 22:16	383,488	---------	C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-13 23:36 . 2008-04-22 22:16	267,776	---------	C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-13 23:36 . 2008-04-22 22:16	63,488	---------	C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-13 23:36 . 2008-04-22 22:16	52,224	---------	C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-13 23:36 . 2008-04-22 01:39	13,824	---------	C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-13 23:21 . 2008-07-13 23:21	<DIR>	d--------	C:\kav
2008-07-13 21:07 . 2008-07-14 03:02	1,374	--a------	C:\WINDOWS\imsins.BAK
2008-07-13 20:53 . 2008-07-13 20:54	<DIR>	d--------	C:\Program Files\Opera
2008-07-13 20:18 . 2008-07-13 21:04	<DIR>	d--------	C:\Program Files\ESET
2008-07-13 19:27 . 2008-07-15 23:22	2,206	--a------	C:\WINDOWS\system32\wpa.dbl
2008-07-13 19:23 . 2008-07-14 02:13	0	--a------	C:\WINDOWS\win.ini
2008-07-13 19:23 . 2008-07-20 20:30	0	--a------	C:\WINDOWS\system.ini
2008-07-13 17:33 . 2008-07-13 17:33	<DIR>	d--------	C:\VundoFix Backups
2008-07-13 17:05 . 2008-07-13 21:14	<DIR>	d--hs----	C:\Documents and Settings\MyName\Temporary Internet Files
2008-07-13 14:53 . 2008-07-13 14:57	<DIR>	d--------	C:\Program Files\Unlocker
2008-07-12 23:29 . 2008-07-12 23:29	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-12 20:55 . 2008-07-13 14:40	<DIR>	d--------	C:\Program Files\Yahoo!
2008-07-12 20:54 . 2008-07-12 20:55	<DIR>	d--------	C:\Program Files\CCleaner
2008-07-12 20:45 . 2008-07-12 20:45	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 17:31 . 2008-07-12 17:31	<DIR>	d--------	C:\Program Files\Lavasoft
2008-07-12 17:31 . 2008-07-12 17:31	<DIR>	d--------	C:\Documents and Settings\MyName\Application Data\Lavasoft
2008-07-04 18:27 . 2008-07-04 18:27	<DIR>	d--------	C:\Program Files\Ubisoft
2008-06-28 23:01 . 2008-06-28 23:01	<DIR>	d--------	C:\WINDOWS\Installing Adobe Acrobat Reader
2008-06-28 20:39 . 2008-06-28 20:39	0	--a------	C:\WINDOWS\PowerReg.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 23:56	---------	d-----w	C:\Program Files\LimeWire
2008-07-19 21:53	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-16 05:24	112,144	----a-w	C:\WINDOWS\system32\drivers\kl1.sys
2008-07-14 07:44	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-07-14 05:29	---------	d-----w	C:\Program Files\Symantec
2008-07-14 02:31	---------	d-----w	C:\Program Files\Download Manager
2008-07-12 23:24	---------	d-----w	C:\Program Files\RGB
2008-07-05 00:51	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-05 00:24	---------	d-----w	C:\Program Files\Electronic Arts
2008-06-29 05:01	---------	d-----w	C:\Program Files\Microsoft Games
2008-06-29 01:14	98,304	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2008-06-21 05:23	---------	d-----w	C:\Program Files\THQ
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41	245,248	------w	C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41	148,992	----a-w	C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44	138,368	------w	C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:56	34,312	----a-w	C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-11 00:48	53,256	----a-w	C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-11 00:47	39,944	----a-w	C:\WINDOWS\system32\drivers\eamon.sys
2008-06-01 02:12	---------	d-----w	C:\Program Files\Common Files\i2 Shared
2008-06-01 00:18	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-05-24 03:44	---------	d-----w	C:\Program Files\Starcraft
2008-05-24 03:32	223,128	----a-w	C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-05-24 03:32	---------	d-----w	C:\Program Files\Alcohol Soft
2008-05-24 03:28	96,256	----a-w	C:\WINDOWS\system32\drivers\sptd0253.sys
2008-05-24 03:28	643,072	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2008-05-24 02:31	94,208	----a-w	C:\WINDOWS\ScUnin.exe
2008-05-08 12:28	202,752	------w	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55	1,288,192	----a-w	C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55	1,288,192	------w	C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 04:16	3,591,680	----a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40	625,664	----a-w	C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39	70,656	----a-w	C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-21 06:56	474,112	------w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-04-21 06:56	151,040	------w	C:\WINDOWS\system32\dllcache\cdfview.dll
2008-04-21 06:56	1,499,136	------w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-04-21 06:56	1,054,208	------w	C:\WINDOWS\system32\dllcache\danim.dll
2008-04-21 06:56	1,024,000	------w	C:\WINDOWS\system32\dllcache\browseui.dll
2008-04-09 22:35	1,052	----a-w	C:\Documents and Settings\MyName\Application Data\wklnhst.dat
2007-11-19 21:20	22,328	----a-w	C:\Documents and Settings\MyName\Application Data\PnkBstrK.sys
2007-10-12 16:48	8,422	----a-w	C:\Program Files\install.log
2007-06-10 21:01	67,568	----a-w	C:\Documents and Settings\MyName\Application Data\GDIPFONTCACHEV1.DAT
2006-10-03 08:43	2,402,550	----a-w	C:\WINDOWS\inf\SET93.tmp
.

(((((((((((((((((((((((((((((   snapshot@2008-07-14_20.58.11.18   )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-27 03:55:38	138,024	----a-r	C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\IMPMAIL.DLL
+ 2006-10-27 22:16:36	46,864	----a-r	C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLRPC.DLL
- 2008-07-09 23:24:37	1,165,584	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-07-19 21:53:15	1,165,584	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-07-09 23:24:37	20,240	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-07-19 21:53:16	20,240	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-07-09 23:24:37	159,504	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-07-19 21:53:15	159,504	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-07-09 23:24:37	184,080	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-07-19 21:53:15	184,080	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-07-09 23:24:37	217,864	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-07-19 21:53:15	217,864	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-07-09 23:24:37	18,704	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-07-19 21:53:16	18,704	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-07-09 23:24:37	35,088	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-07-19 21:53:16	35,088	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-07-09 23:24:37	845,584	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-07-19 21:53:15	845,584	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-07-09 23:24:37	922,384	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-07-19 21:53:15	922,384	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-07-09 23:24:37	272,648	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-07-19 21:53:16	272,648	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-07-09 23:24:37	888,080	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-07-19 21:53:16	888,080	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-07-09 23:24:37	1,172,240	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-19 21:53:15	1,172,240	----a-r	C:\WINDOWS\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 09:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 20:49 454656]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-15 12:26 7561216]

C:\Documents and Settings\MyName\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - C:\Program Files\Microsoft Office\Office12\GROOVE.EXE [2006-10-27 16:37:44 338216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-02-27 17:02:06 581693]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sound Station.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sound Station.lnk
backup=C:\WINDOWS\pss\Sound Station.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^HOTLLAMA Update Check.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\HOTLLAMA Update Check.lnk
backup=C:\WINDOWS\pss\HOTLLAMA Update Check.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MyName^Start Menu^Programs^StartUp^Xfire.lnk]
path=C:\Documents and Settings\MyName\Start Menu\Programs\StartUp\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2008-02-08 18:36 227856 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
--a------ 2006-02-22 09:03 40960 C:\Program Files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 09:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
--a------ 2008-06-10 18:52 1447168 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-12-10 21:52 49152 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 17:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 17:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-04-15 12:26 7561216 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-04-15 12:26 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-03-07 14:38 131072 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--------- 2006-04-11 22:54 102400 C:\Program Files\Hp\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-21 08:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
--------- 2005-10-11 11:23 1187840 C:\WINDOWS\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--------- 2006-02-09 10:52 643072 C:\WINDOWS\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-03-03 23:46 761948 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 19:24 28616 C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-04-18 05:29 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2007-07-06 06:46 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-04-15 17:26 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Vongo Service"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NSCService"=2 (0x2)
"navapsvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"StarWindService"=2 (0x2)
"PnkBstrA"=2 (0x2)
"odserv"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"hpqwmiex"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"AVP"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"C:0\\Games\\Half Life\\SteamApps\\bullseye659\\dark messiah might and magic multi-player\\mm.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"C:\\Program Files\\Diablo\\Diablo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 18:56]
R1 SbPd;SbPd;C:\WINDOWS\system32\Drivers\SbPd.sys [2006-07-23 10:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 uafilter;uafilter;C:\WINDOWS\system32\DRIVERS\uafilter.sys [2003-09-18 10:21]
S4 DNADownloader;DNADownloader;C:\Program Files\GameSpot\DownloadManager_Win32.exe []
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 15:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b9cf965-982f-11db-b9cc-0013025c0ed7}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b9cf966-982f-11db-b9cc-0013025c0ed7}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb7186f-5f2f-11dc-ba1e-0013025c0ed7}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0634618-7762-11dc-ba2e-0013025c0ed7}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - TRUECRYPT
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F8AC36D7-F602-4B69-99B5-2A812E05779F} - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-38f594ae - C:\WINDOWS\system32\dkwmgndg.dll
MSConfigStartUp-ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DIGStream - C:\Program Files\DIGStream\digstream.exe
MSConfigStartUp-Steam - F:\Games\Half Life\\Steam.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 20:30:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-20 20:32:18
ComboFix-quarantined-files.txt  2008-07-21 02:31:55
ComboFix2.txt  2008-07-15 03:06:49

Pre-Run: 16,555,999,232 bytes free
Post-Run: 16,829,599,744 bytes free

349	--- E O F ---	2008-07-19 21:53:26

Dr. Web Scanner:
404Fix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.C.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:59 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
H:\Applications\FirefoxPortable\FirefoxPortable.exe
H:\Applications\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\MyName\Desktop\drweb-cureit.exe
C:\DOCUME~1\MyNameE~1\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\MyNameE~1\LOCALS~1\Temp\RarSFX0\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CPrintEnhancer Object - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7230 bytes

Edited by teh.wyman, 22 July 2008 - 09:06 PM.


#9
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
That looks good, how are things running?

#10
teh.wyman
    New Member
  • Topic Starter
  • Member
  • Pip
  • 5 posts
They have been a lot better since the first Kaspersky scan. The first ComboFix run ironed out anything else that was visibly wrong. I think that most, if not all, of the problems have been solved. I appreciate your help very much. Thank you.

#11
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
All looks good on my end; if you're happy, I'm happy.