Log After Braviax.exe And Final Cleanup With Combofix

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Important Announcement: We have two terrific contests running on the site that I wanted all our members and guests to know about.

The first contest is the HP Magic Giveaway, which is underway as of November 28th. More information can be found at this topic, which will be updated very soon with further information.

The second contests, is for the chance to win two Seagate FreeAgent external hard drives. More information about this contest can be found here.

These are both amazing contests and I suggest everyone submit an entry for them.

- BleepingComputer Management

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Log After Braviax.exe And Final Cleanup With Combofix, braviax appears to be very nasty

Options

skipower View Member Profile	Mar 13 2008, 07:20 PM Post #1
New Member Group: Members Posts: 7 Joined: 13-March 08 Member No.: 196,218	What do you see left over? Problem was bad enough that HijackThis, Spybot, and AdAware would not even open to try for scanning. This log is after multiple scans. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:51:56 PM, on 3/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\PROGRA~1\Ixia\Endpoint\endpoint.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Protector Plus\PPAVMon.exe C:\Protector Plus\PPServ.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROTEC~1\PPTbc.EXE C:\PROTEC~1\PPInupdt.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Documents and Settings\WWF\Desktop\DIManager6.exe C:\Program Files\StickIt\StickIt3.exe D:\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Weather Watcher\ww.exe C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001 C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Protector Plus\POPSCAN.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - C:\WINDOWS\system32\mljgh.dll (file missing) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab O20 - Winlogon Notify: ddcbaxu - ddcbaxu.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 9768 bytes

ken545 View Member Profile	Mar 13 2008, 08:37 PM Post #2
HJT Team Group: HJT Team Posts: 903 Joined: 23-September 04 From: Darien, CT Member No.: 2,982	Hello Wayne Welcome to the Bleeping Computer Malware Removal Forum Before we proceed, you need to disable all your Anti Spyware software as it will interfere with the fix. Shut down Ad Aware and the TeaTimer in Spybot Search and Destroy. Do this first...Important Disable the TeaTimer, you can re enable it when were done if you wish Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select "Advanced Mode" On the left hand side, Click on Tools Then click on the Resident Icon in the List Uncheck "Resident TeaTimer" and OK any prompts. Restart your computer.<--You need to do this for it to take effect You need to Disable AdWatch in Ad-Aware Se Personal as it can stop our fix. To Disable AdWatch Open Ad-Aware SE Personal Go to the AdWatch User Interface. Go to Tools and Preferences. At the bottom of the screen you will see 2 options Active: This will turn Ad-Watch On\Off without closing it. Automatic: Suspicious activity will be blocked automatically Uncheck both options. You should enable these after resolving your problem. Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked. O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - C:\WINDOWS\system32\mljgh.dll (file missing) O20 - Winlogon Notify: ddcbaxu - ddcbaxu.dll (file missing) Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy and Paste the entire report in your next reply along with a Hijackthis log. Now drag your copy of Combofix to the trash and grab a fresh copy as its updated on a regular basis and run it this way. Download ComboFix from Here or Here to your Desktop. In the event you already have Combofix, this is a new version that I need you to download. It must be saved directly to your desktop. 1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. Remember to re enable the protection again afterwards before connecting to the net 2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix. IF you have not already done so Combofix will disconnect your machine from the Internet when it starts. If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections. 3. Now double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze. Run the programs in the order I posted them and then post the log for Malwarebytes , Combofix and a New HJT log. -------------------- Consumer Security 2008-2009 Visit My Website Please consider a donation to help me keep up my fight against malware.

skipower View Member Profile	Mar 13 2008, 09:57 PM Post #3
New Member Group: Members Posts: 7 Joined: 13-March 08 Member No.: 196,218	Here are the results....Excellent directions, by the way! Malwarebytes' Anti-Malware 1.08 Database version: 489 Scan type: Quick Scan Objects scanned: 31182 Time elapsed: 3 minute(s), 17 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 6 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Casino (Adware.Casino) -> Quarantined and deleted successfully. Files Infected: C:\cysdos.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\ffdcahl.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\fsavfpk.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\onhtp.exe (Trojan.DownLoader) -> Quarantined and deleted successfully. C:\rsvlqer.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\WWF\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully. --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ComboFix 08-03-13.4 - WWF 2008-03-13 22:45:08.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1517 [GMT -4:00] Running from: C:\Documents and Settings\WWF\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 ))))))))))))))))))))))))))))))) . 2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\WWF\Application Data\Malwarebytes 2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-03-13 15:54 . 2008-03-13 15:54 <DIR> d-------- C:\VundoFix Backups 2008-03-13 15:04 . 2008-03-13 15:04 <DIR> d-------- C:\Program Files\CCleaner 2008-03-13 12:56 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2008-03-13 11:51 . 2008-03-13 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-03-13 11:06 . 2008-03-13 11:06 19,757 --a------ C:\Documents and Settings\All Users\Application Data\ifijoqipim.dat 2008-03-13 11:06 . 2008-03-13 11:06 18,700 --a------ C:\WINDOWS\system32\ufadycuzav.bat 2008-03-13 11:06 . 2008-03-13 11:06 15,592 --a------ C:\Documents and Settings\WWF\Application Data\byrorex.vbs 2008-03-13 11:06 . 2008-03-13 11:06 12,101 --a------ C:\Documents and Settings\All Users\Application Data\ahav.sys 2008-03-13 08:24 . 2008-03-13 08:24 17,869 --a------ C:\Documents and Settings\All Users\Application Data\anuq.bat 2008-03-13 08:24 . 2008-03-13 08:24 16,606 --a------ C:\Documents and Settings\All Users\Application Data\olirelam.bat 2008-03-13 08:24 . 2008-03-13 08:24 14,684 --a------ C:\Documents and Settings\All Users\Application Data\exokyz.vbs 2008-03-10 13:55 . 2008-03-10 13:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-10 13:55 . 2008-03-10 13:55 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-29 19:12 . 2008-02-29 19:12 <DIR> d-------- C:\Program Files\Lavasoft 2008-02-29 19:12 . 2008-02-29 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-02-19 12:02 . 2008-02-19 09:59 691,545 --a------ C:\WINDOWS\unins000.exe 2008-02-19 12:02 . 2008-02-19 12:02 3,440 --a------ C:\WINDOWS\unins000.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-13 20:30 --------- d-----w C:\Program Files\StickIt 2008-03-13 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-03-13 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-03-13 12:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-03-09 19:19 --------- d-----w C:\Program Files\Weather Watcher 2008-03-03 12:29 --------- d-----w C:\Documents and Settings\WWF\Application Data\WeatherWatcher 2008-03-02 23:10 --------- d-----w C:\Program Files\WinTV 2008-02-29 23:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-02-29 23:00 --------- d-----w C:\Documents and Settings\WWF\Application Data\Lavasoft 2008-02-18 13:51 --------- d-----w C:\Program Files\R-RAM 2008-02-16 20:51 --------- d-----w C:\Program Files\Google 2008-02-12 17:05 --------- d-----w C:\Program Files\Windows Media Components 2008-02-12 16:22 55,949 ----a-w C:\WINDOWS\system32\x264-uninstall.exe 2008-02-12 16:20 --------- d-----w C:\Program Files\MediaCoder 2008-02-12 15:58 --------- d-----w C:\Program Files\AVIcodec 2008-02-12 14:35 --------- d-----w C:\Program Files\WMV9_VCM 2008-02-12 13:17 --------- d-----w C:\Program Files\NewzToolz 2008-01-31 23:21 --------- d-----w C:\Documents and Settings\WWF\Application Data\StickIt 2008-01-30 17:04 4,444 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys 2008-01-16 05:08 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2008-01-16 05:08 249,856 ------w C:\WINDOWS\Setup1.exe 2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2006-12-30 16:08 8 --sha-r C:\WINDOWS\system32\35B06C7836.sys 2006-10-10 12:59 88 --sha-r C:\WINDOWS\system32\DD697E2326.sys . ((((((((((((((((((((((((((((( snapshot@2008-03-13_16.22.52.87 ))))))))))))))))))))))))))))))))))))))))) . - 2008-03-13 20:11:51 63,016 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-03-14 02:36:18 63,418 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-03-13 20:11:51 402,406 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-03-14 02:36:18 402,974 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 05:40 24576 C:\WINDOWS\MIDIDEF.EXE] "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400] "DIManager"="C:\Documents and Settings\WWF\Desktop\DIManager6.exe" [2006-09-05 14:19 1588736] "StickIt"="C:\Program Files\StickIt\StickIt3.exe" [2007-08-02 00:02 319488] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ] "WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2008-01-22 23:18 1028096] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947] "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 11:51 57344] "MBMon"="CTMBHA.DLL" [2006-03-03 04:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL] "VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 10:13 1126400] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51 49152] "FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-10-27 16:48 507904] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320] "Protector Plus Taskbar Control"="C:\PROTEC~1\PPTbc.EXE" [2007-04-23 10:34 1160104] "Protector Plus InstaUpdate"="C:\PROTEC~1\PPInupdt.exe" [2007-04-23 10:34 1151912] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192] "PDUiP6700DMon"="C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-03-16 14:47 61440] "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 01:50 1603152] "StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44 249856] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter] --a------ 2006-02-22 13:00 49152 c:\dell\E-Center\gtb.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a----t- 2008-03-03 10:33 51184 C:\Documents and Settings\WWF\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTAReg] --------- 2005-10-21 17:39 512094 C:\Program Files\Creative\Sound Blaster Audigy ADVANCED MB\Product Registration\English\HTAReg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] --a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe] --a------ 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser] C:\WINDOWS\system32\drivers\svchost.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] C:\WINDOWS\mrofinu1535.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] --------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\system32\\mmc.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"= "C:\\Program Files\\StickIt\\StickIt3.exe"= R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;"C:\Protector Plus\PPAVMon.exe" [2007-04-23 10:34] R2 ProtectorPlusService;Protector Plus Service;"C:\Protector Plus\PPServ.exe" [2007-04-23 10:34] R3 hcwAVD2;Hauppauge PVR USB2 AVS Video Capture;C:\WINDOWS\system32\drivers\HCWUSB2AV.sys [2007-02-27 16:40] R3 PPDrv;Protector Plus Driver;C:\Protector Plus\PPDrv.sys [2007-04-23 10:34] R3 PPEMSCAN;Protector Plus Email Scan Driver;C:\Protector Plus\PPEMSCAN.sys [2007-04-23 10:34] S1 guntest;guntest;C:\WINDOWS\Help\guntest.chm [] S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 16:30] S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9cae688-b498-11dc-8087-0015c51ec285}] \Shell\AutoRun\command - "K:\Install FreeAgent Tools.exe" /run . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-13 22:46:37 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\guntest] "ImagePath"="\??\C:\WINDOWS\Help\guntest.chm" . Completion time: 2008-03-13 22:46:58 ComboFix-quarantined-files.txt 2008-03-14 02:46:56 ComboFix2.txt 2008-03-13 20:41:23 ComboFix3.txt 2008-03-13 20:23:17 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:49:46 PM, on 3/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\PROGRA~1\Ixia\Endpoint\endpoint.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Protector Plus\PPAVMon.exe C:\Protector Plus\PPServ.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROTEC~1\PPTbc.EXE C:\PROTEC~1\PPInupdt.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Documents and Settings\WWF\Desktop\DIManager6.exe C:\Program Files\StickIt\StickIt3.exe C:\Program Files\Weather Watcher\ww.exe C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001 C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Protector Plus\POPSCAN.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 9016 bytes

ken545 View Member Profile	Mar 14 2008, 05:50 AM Post #4
HJT Team Group: HJT Team Posts: 903 Joined: 23-September 04 From: Darien, CT Member No.: 2,982	Good Morning Wayne, It looks like Vundo is gone but you have another issue we need to fix. C:\WINDOWS\System32\svchost.exe <-- This is legit , your computer won't run without it but svchost.exe running anyplace else is a virus. Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File:: CODE File:: C:\WINDOWS\system32\drivers\svchost.exe C:\WINDOWS\mrofinu1535.exe Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1] Save this as CFScript to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below. This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. This post has been edited by ken545: Mar 14 2008, 05:50 AM -------------------- Consumer Security 2008-2009 Visit My Website Please consider a donation to help me keep up my fight against malware.

skipower View Member Profile	Mar 14 2008, 07:42 AM Post #5
New Member Group: Members Posts: 7 Joined: 13-March 08 Member No.: 196,218	Hi Ken, FYI.....after Defrag last night and restart, the following showed up again: O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - (no file) After following your directions about script and ComboFix, here are the results: ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ComboFix 08-03-13.4 - WWF 2008-03-14 8:31:53.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1520 [GMT -4:00] Running from: C:\Documents and Settings\WWF\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\WWF\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\WINDOWS\mrofinu1535.exe C:\WINDOWS\system32\drivers\svchost.exe . ((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 ))))))))))))))))))))))))))))))) . 2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\WWF\Application Data\Malwarebytes 2008-03-13 22:34 . 2008-03-13 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-03-13 15:54 . 2008-03-13 15:54 <DIR> d-------- C:\VundoFix Backups 2008-03-13 15:04 . 2008-03-13 15:04 <DIR> d-------- C:\Program Files\CCleaner 2008-03-13 12:56 . 2007-01-18 08:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys 2008-03-13 11:51 . 2008-03-13 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-03-13 11:06 . 2008-03-13 11:06 19,757 --a------ C:\Documents and Settings\All Users\Application Data\ifijoqipim.dat 2008-03-13 11:06 . 2008-03-13 11:06 18,700 --a------ C:\WINDOWS\system32\ufadycuzav.bat 2008-03-13 11:06 . 2008-03-13 11:06 15,592 --a------ C:\Documents and Settings\WWF\Application Data\byrorex.vbs 2008-03-13 11:06 . 2008-03-13 11:06 12,101 --a------ C:\Documents and Settings\All Users\Application Data\ahav.sys 2008-03-13 08:24 . 2008-03-13 08:24 17,869 --a------ C:\Documents and Settings\All Users\Application Data\anuq.bat 2008-03-13 08:24 . 2008-03-13 08:24 16,606 --a------ C:\Documents and Settings\All Users\Application Data\olirelam.bat 2008-03-13 08:24 . 2008-03-13 08:24 14,684 --a------ C:\Documents and Settings\All Users\Application Data\exokyz.vbs 2008-03-10 13:55 . 2008-03-10 13:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-10 13:55 . 2008-03-10 13:55 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-29 19:12 . 2008-02-29 19:12 <DIR> d-------- C:\Program Files\Lavasoft 2008-02-29 19:12 . 2008-02-29 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-02-19 12:02 . 2008-02-19 09:59 691,545 --a------ C:\WINDOWS\unins000.exe 2008-02-19 12:02 . 2008-02-19 12:02 3,440 --a------ C:\WINDOWS\unins000.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-13 20:30 --------- d-----w C:\Program Files\StickIt 2008-03-13 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-03-13 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-03-13 12:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-03-09 19:19 --------- d-----w C:\Program Files\Weather Watcher 2008-03-03 12:29 --------- d-----w C:\Documents and Settings\WWF\Application Data\WeatherWatcher 2008-03-02 23:10 --------- d-----w C:\Program Files\WinTV 2008-02-29 23:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-02-29 23:00 --------- d-----w C:\Documents and Settings\WWF\Application Data\Lavasoft 2008-02-18 13:51 --------- d-----w C:\Program Files\R-RAM 2008-02-16 20:51 --------- d-----w C:\Program Files\Google 2008-02-12 17:05 --------- d-----w C:\Program Files\Windows Media Components 2008-02-12 16:22 55,949 ----a-w C:\WINDOWS\system32\x264-uninstall.exe 2008-02-12 16:20 --------- d-----w C:\Program Files\MediaCoder 2008-02-12 15:58 --------- d-----w C:\Program Files\AVIcodec 2008-02-12 14:35 --------- d-----w C:\Program Files\WMV9_VCM 2008-02-12 13:17 --------- d-----w C:\Program Files\NewzToolz 2008-01-31 23:21 --------- d-----w C:\Documents and Settings\WWF\Application Data\StickIt 2008-01-30 17:04 4,444 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys 2008-01-16 05:08 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE 2008-01-16 05:08 249,856 ------w C:\WINDOWS\Setup1.exe 2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2006-12-30 16:08 8 --sha-r C:\WINDOWS\system32\35B06C7836.sys 2006-10-10 12:59 88 --sha-r C:\WINDOWS\system32\DD697E2326.sys . ((((((((((((((((((((((((((((( snapshot@2008-03-13_16.22.52.87 ))))))))))))))))))))))))))))))))))))))))) . - 2008-03-13 20:11:51 63,016 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-03-14 12:11:13 63,418 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-03-13 20:11:51 402,406 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-03-14 12:11:13 402,974 ----a-w C:\WINDOWS\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9403AFB1-F4AC-4A46-8A74-E757AF9C50E7}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 05:40 24576 C:\WINDOWS\MIDIDEF.EXE] "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400] "DIManager"="C:\Documents and Settings\WWF\Desktop\DIManager6.exe" [2006-09-05 14:19 1588736] "StickIt"="C:\Program Files\StickIt\StickIt3.exe" [2007-08-02 00:02 319488] "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ] "WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2008-01-22 23:18 1028096] "SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947] "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 11:51 57344] "MBMon"="CTMBHA.DLL" [2006-03-03 04:18 1355938 C:\WINDOWS\system32\CTMBHA.DLL] "VoiceCenter"="C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 10:13 1126400] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 10:51 49152] "FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-10-27 16:48 507904] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320] "Protector Plus Taskbar Control"="C:\PROTEC~1\PPTbc.EXE" [2007-04-23 10:34 1160104] "Protector Plus InstaUpdate"="C:\PROTEC~1\PPInupdt.exe" [2007-04-23 10:34 1151912] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 12:13 1032192] "PDUiP6700DMon"="C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-03-16 14:47 61440] "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 01:50 1603152] "StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 14:20 190008] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 11:44 249856] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 21:17 443968] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter] --a------ 2006-02-22 13:00 49152 c:\dell\E-Center\gtb.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] --a----t- 2008-03-03 10:33 51184 C:\Documents and Settings\WWF\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTAReg] --------- 2005-10-21 17:39 512094 C:\Program Files\Creative\Sound Blaster Audigy ADVANCED MB\Product Registration\English\HTAReg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] --a------ 2005-06-10 11:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] --a------ 2005-06-10 11:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe] --a------ 2005-07-12 20:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] --------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\WINDOWS\\system32\\mmc.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"= "C:\\Program Files\\StickIt\\StickIt3.exe"= R2 ProtectorPlusAVMonitor;Protector Plus Anti-virus Monitor Service;"C:\Protector Plus\PPAVMon.exe" [2007-04-23 10:34] R2 ProtectorPlusService;Protector Plus Service;"C:\Protector Plus\PPServ.exe" [2007-04-23 10:34] R3 hcwAVD2;Hauppauge PVR USB2 AVS Video Capture;C:\WINDOWS\system32\drivers\HCWUSB2AV.sys [2007-02-27 16:40] R3 PPDrv;Protector Plus Driver;C:\Protector Plus\PPDrv.sys [2007-04-23 10:34] R3 PPEMSCAN;Protector Plus Email Scan Driver;C:\Protector Plus\PPEMSCAN.sys [2007-04-23 10:34] S1 guntest;guntest;C:\WINDOWS\Help\guntest.chm [] S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 16:30] S3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9cae688-b498-11dc-8087-0015c51ec285}] \Shell\AutoRun\command - "K:\Install FreeAgent Tools.exe" /run . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-14 08:33:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\guntest] "ImagePath"="\??\C:\WINDOWS\Help\guntest.chm" . Completion time: 2008-03-14 8:33:32 ComboFix-quarantined-files.txt 2008-03-14 12:33:31 ComboFix2.txt 2008-03-14 02:46:58 ComboFix3.txt 2008-03-13 20:41:23 ComboFix4.txt 2008-03-13 20:23:17 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:42:35 AM, on 3/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\PROGRA~1\Ixia\Endpoint\endpoint.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Protector Plus\PPAVMon.exe C:\Protector Plus\PPServ.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\PROTEC~1\PPTbc.EXE C:\PROTEC~1\PPInupdt.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Documents and Settings\WWF\Desktop\DIManager6.exe C:\Program Files\StickIt\StickIt3.exe C:\Program Files\Weather Watcher\ww.exe C:\DOCUME~1\WWF\LOCALS~1\Temp\clclean.0001 C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Protector Plus\POPSCAN.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe D:\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {9403AFB1-F4AC-4A46-8A74-E757AF9C50E7} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Protector Plus Taskbar Control] C:\PROTEC~1\PPTbc.EXE O4 - HKLM\..\Run: [Protector Plus InstaUpdate] C:\PROTEC~1\PPInupdt.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R O4 - HKCU\..\Run: [DIManager] "C:\Documents and Settings\WWF\Desktop\DIManager6.exe" /auto O4 - HKCU\..\Run: [StickIt] C:\Program Files\StickIt\StickIt3.exe O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/MultiSelectComboBox.cab O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mreis.mlxchange.com/4.2.05.20/Control/IRCSharc.cab O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE O23 - Service: Ixia Endpoint (IxiaEndpoint) - Ixia - C:\PROGRA~1\Ixia\Endpoint\endpoint.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Protector Plus Anti-virus Monitor Service (ProtectorPlusAVMonitor) - Unknown owner - C:\Protector Plus\PPAVMon.exe O23 - Service: Protector Plus Service (ProtectorPlusService) - Unknown owner - C:\Protector Plus\PPServ.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 9599 bytes