forums Computer Tutorials Computer Help and Spyware Removal File DatabaseUninstall Database Windows Startup Programs Database Computer Resources Computer Glossary Forums Computer Help and Spyware Removal
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
STOPzilla Anti-Spyware

> Forum Guidelines

Read this topic before posting a log.


DO NOT post a ComboFix log unless requested to.


Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages V  < 1 2 3 4 >  
Closed TopicStart new topic
> Infected With Vundo Trojan, Tried to remove multiple times, but keeps reappearing
funnytim
post May 6 2008, 10:40 AM
Post #16


Forum Regular
***

Group: Members
Posts: 287
Joined: 27-April 06
From: Richmond, BC, Canada
Member No.: 65,800
Virus total said all was clean, except for this entry:

Webwasher-Gateway;6.6.2;2008.04.30;BlockReason.0

(If that's not enough I can take a screenshot of my results..but this is all it said )
Go to the top of the page
 
+Quote Post
Rahina
post May 6 2008, 01:11 PM
Post #17


Security Helper
*****

Group: HJT Team
Posts: 621
Joined: 6-September 06
From: Finland
Member No.: 83,926
Please provide a screenshot if that is not a problem for you. thumbup2.gif



--------------------
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ AVG Anti-Spyware 7.5 ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others.

Go to the top of the page
 
+Quote Post
funnytim
post May 7 2008, 07:11 PM
Post #18


Forum Regular
***

Group: Members
Posts: 287
Joined: 27-April 06
From: Richmond, BC, Canada
Member No.: 65,800
http://img180.imageshack.us/my.php?image=v...reenshotue0.png

I hope that's what you're looking for? thanks.
Go to the top of the page
 
+Quote Post
Rahina
post May 8 2008, 03:43 AM
Post #19


Security Helper
*****

Group: HJT Team
Posts: 621
Joined: 6-September 06
From: Finland
Member No.: 83,926
Ok, good.

Could you please post a fresh deckard's system scan report.

Thanks.


--------------------
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ AVG Anti-Spyware 7.5 ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others.

Go to the top of the page
 
+Quote Post
funnytim
post May 8 2008, 07:11 PM
Post #20


Forum Regular
***

Group: Members
Posts: 287
Joined: 27-April 06
From: Richmond, BC, Canada
Member No.: 65,800
Deckard's System Scanner v20071014.68
Run by Timothy Leung on 2008-05-08 17:10:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Timothy Leung.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-08 17:10:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Monitor Control\MonitorControl.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\vbuzzer\VBuzzer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Hewlett-Packard\Deskjet F335\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HDDlife\HDDlifePro.exe
C:\Documents and Settings\Timothy Leung\Start Menu\Programs\Startup\hicdeject.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hewlett-Packard\Deskjet F335\Digital Imaging\bin\hpqste08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Timothy Leung\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 125.245.81.226:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {3762B068-17B9-45A0-8A6D-BB7CA99A2032} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8037E5A4-DB3A-4A88-AC6B-F90C1D03AE2D} - C:\WINDOWS\system32\rqRLfgHY.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Microsoft Updates] svehost.exe
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Softany Monitor Control] C:\Program Files\Monitor Control\MonitorControl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Vbuzzer Messenger] C:\Program Files\vbuzzer\VBuzzer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'Default user')
O4 - Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O4 - Startup: HDDlife.lnk = C:\Program Files\HDDlife\HDDlifePro.exe
O4 - Startup: hicdeject.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Deskjet F335\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Vbuzzer RSS list - C:\Program Files\vbuzzer\addurl.htm
O8 - Extra context menu item: Blocking access to the document address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockDocument.html
O8 - Extra context menu item: Blocking access to the image address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockImage.html
O8 - Extra context menu item: Blocking access to the link address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockLink.html
O8 - Extra context menu item: Cut proxy addresses from selected text by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisCutProxyFromSelectedTåxt.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3DA2AAF4-4289-4D6E-B9C0-D8360229607B} (IPAQSelfHelp Class) - https://h50203.www5.hp.com/HPISWeb/Customer...SPEIPAQTool.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://67.228.105.102/msrdp.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Traffic Shaper XP Server (bcserver) - Unknown owner - C:\Program Files\Traffic Shaper XP\Server\bcserver.service
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo5\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 2007\tmproxy.exe


--
End of file - 16014 bytes

-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-04-30 18:30:15 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-04-26 14:53:42 0 d--hs---- C:\Locked.nsi
2008-04-25 23:03:57 0 d-------- C:\Program Files\UltraISO
2008-04-25 23:03:57 0 d-------- C:\Program Files\Common Files\EZB Systems
2008-04-24 21:11:17 0 d-------- C:\VundoFix Backups
2008-04-23 21:29:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\HP
2008-04-23 21:28:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-04-23 21:28:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-04-23 21:28:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-23 21:28:26 0 dr------- C:\Documents and Settings\Administrator\Favorites <FAVORI~1>
2008-04-23 21:28:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-23 21:28:26 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-23 21:28:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-23 21:28:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-23 21:28:25 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-23 21:28:25 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-23 21:28:25 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-23 21:28:25 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-23 21:28:25 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-23 21:28:25 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-23 21:28:25 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-23 21:28:25 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-23 21:28:25 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-23 18:51:39 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Malwarebytes
2008-04-23 18:51:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:51:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:49:06 0 d--hs---- C:\WINDOWS\CSC
2008-04-23 00:08:22 0 d-------- C:\HJT
2008-04-22 21:00:37 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Symantec
2008-04-22 18:42:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-04-22 18:42:14 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Uniblue
2008-04-22 18:41:48 0 d-------- C:\Program Files\Uniblue
2008-04-21 23:59:46 200307 --ahs---- C:\WINDOWS\system32\KUENonmp.ini2
2008-04-21 23:59:16 0 d-------- C:\Program Files\Norton Ghost
2008-04-18 01:18:59 0 d-------- C:\Documents and Settings\All Users\Application Data\IM
2008-04-17 22:14:29 0 d-------- C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-04-15 23:29:59 0 d-------- C:\Program Files\Common Files\Pure Networks Shared
2008-04-15 23:29:56 0 d-------- C:\Program Files\Pure Networks


-- Find3M Report ---------------------------------------------------------------

2008-04-24 21:19:02 0 d-------- C:\Program Files\PowerISO
2008-04-22 22:36:26 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Skype
2008-04-22 22:19:26 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\skypePM
2008-04-22 00:20:08 0 d-------- C:\Program Files\PeerGuardian2
2008-04-22 00:20:08 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\uTorrent
2008-04-21 23:59:31 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-21 23:52:42 0 d-------- C:\Program Files\MagicISO
2008-04-20 18:58:52 56664 --a------ C:\Documents and Settings\Timothy Leung\Application Data\GDIPFONTCACHEV1.DAT
2008-04-19 23:17:28 0 d-------- C:\Program Files\IncrediMail
2008-04-19 17:49:47 0 d-------- C:\Program Files\Image for Windows
2008-04-15 23:30:19 0 d-------- C:\Program Files\DIFX
2008-04-15 23:29:59 0 d-------- C:\Program Files\Common Files
2008-04-13 20:31:03 0 d-------- C:\Program Files\eMule
2008-04-13 17:07:10 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Gizmo5
2008-04-07 23:01:27 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Vso
2008-04-06 16:05:16 0 d-------- C:\Program Files\Skype
2008-04-05 22:42:42 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-05 22:20:49 0 d-------- C:\Program Files\SJphone
2008-04-05 19:57:39 0 d-------- C:\Program Files\vbuzzer
2008-04-04 22:49:39 0 d-------- C:\Program Files\Gizmo5
2008-04-02 23:18:35 0 d-------- C:\Program Files\Cirond
2008-04-02 22:38:33 0 d-------- C:\Program Files\Spectec
2008-04-02 17:48:34 0 d-------- C:\Program Files\GOPC
2008-04-01 18:50:08 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Rokario
2008-04-01 18:50:03 0 d-------- C:\Program Files\Bandwidth Monitor
2008-04-01 18:23:06 0 d-------- C:\Program Files\OpenVideoConverter
2008-03-31 21:53:35 0 d-------- C:\Program Files\MSN Messenger
2008-03-31 21:53:35 0 d-------- C:\Program Files\Messenger Plus! Live
2008-03-31 19:29:01 0 d-------- C:\Program Files\Aspecto Software
2008-03-31 19:16:00 0 d-------- C:\Program Files\PocketPC
2008-03-30 21:51:28 0 d-------- C:\Program Files\Astraware
2008-03-30 21:44:02 0 d-------- C:\Program Files\Handmark
2008-03-29 17:16:19 0 d-------- C:\Program Files\Home Ftp Server
2008-03-29 14:33:25 0 d-------- C:\Program Files\File Splitter Deluxe
2008-03-27 23:20:28 0 d-------- C:\Program Files\Card and Invitation maker
2008-03-23 16:30:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-19 18:30:57 0 d-------- C:\Program Files\CloneCD
2008-03-19 12:26:47 0 d-------- C:\Program Files\Microsoft Games
2008-03-13 16:50:13 0 d-------- C:\Program Files\Traffic Shaper XP
2008-03-12 21:14:17 0 d-------- C:\Program Files\NetPeeker
2008-03-12 21:07:59 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Locktime
2008-03-09 15:59:06 0 d-------- C:\Program Files\DVD Decrypter
2008-03-09 14:45:37 0 d-------- C:\Documents and Settings\Timothy Leung\Application Data\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3762B068-17B9-45A0-8A6D-BB7CA99A2032}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8037E5A4-DB3A-4A88-AC6B-F90C1D03AE2D}]
C:\WINDOWS\system32\rqRLfgHY.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [05/14/2005 06:23 PM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [06/03/2004 01:51 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"RTHDCPL"="RTHDCPL.EXE" [03/20/2007 11:49 PM C:\WINDOWS\RTHDCPL.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [01/23/2007 02:26 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [06/03/2004 01:50 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/03/2004 09:56 PM C:\WINDOWS\system32\bthprops.cpl]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [11/17/2006 04:49 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/16/2002 01:21 PM]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 03:43 AM C:\WINDOWS\Alcmtr.exe]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [03/14/2007 03:42 PM]
"Microsoft Updates"="svehost.exe" []
"Norton Ghost 14.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [01/19/2008 08:01 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 09:56 PM]
"Softany Monitor Control"="C:\Program Files\Monitor Control\MonitorControl.exe" [08/09/2005 08:13 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [08/21/2007 11:39 PM]
"Vbuzzer Messenger"="C:\Program Files\vbuzzer\VBuzzer.exe" [03/13/2008 08:36 AM]
"IncrediMail"="C:\PROGRA~1\INCRED~1\bin\IncMail.exe" [06/19/2006 05:26 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Updates"=svehost.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SSS2006"="C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot

C:\Documents and Settings\Timothy Leung\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [7/31/2007 11:37:39 PM]
HDDlife.lnk - C:\Program Files\HDDlife\HDDlifePro.exe [11/11/2006 7:07:10 PM]
hicdeject.exe [8/2/2004 10:31:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [7/28/2007 10:33:58 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Deskjet F335\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Beyond TV.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Beyond TV.lnk
backup=C:\WINDOWS\pss\Beyond TV.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Timothy Leung^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Timothy Leung\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\Deskjet F335\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCall Internet Phone]
"C:\Program Files\iCall\iCall.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Program Files\Skype\TalkAndWrite\talkandwrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipBuster]
"C:\Program Files\VoipBuster\VoipBuster.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-05-08 17:10:45 ------------


Thanks.
Go to the top of the page
 
+Quote Post
Rahina
post May 12 2008, 12:02 PM
Post #21


Security Helper
*****

Group: HJT Team
Posts: 621
Joined: 6-September 06
From: Finland
Member No.: 83,926
Hello!

Sorry for the delay getting to you, but i was out of town for a while.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


--------------------
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ AVG Anti-Spyware 7.5 ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others.

Go to the top of the page
 
+Quote Post
funnytim
post May 14 2008, 01:22 AM
Post #22


Forum Regular
***

Group: Members
Posts: 287
Joined: 27-April 06
From: Richmond, BC, Canada
Member No.: 65,800
My apologies, but I have a school project, and then i will be away from my computer for a few days, so i'll be unable to do the above outlined steps for the next few days.

Again, my apologies, and I will do it as soon as i get back.

Thanks for understanding
Go to the top of the page
 
+Quote Post
Rahina
post May 15 2008, 03:26 AM
Post #23


Security Helper
*****

Group: HJT Team
Posts: 621
Joined: 6-September 06
From: Finland
Member No.: 83,926
No problem, i'm busy too so take your time


--------------------
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ AVG Anti-Spyware 7.5 ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If i have helped you, donate to help me continue helping others.

Go to the top of the page
 
+Quote Post
funnytim
post May 18 2008, 06:52 PM
Post #24


Forum Regular
***

Group: Members
Posts: 287
Joined: 27-April 06
From: Richmond, BC, Canada
Member No.: 65,800
I'm back!
-------------------
ComboFix:

ComboFix 08-05-15.3 - Timothy Leung 2008-05-18 16:31:42.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1359 [GMT -7:00]
Running from: C:\Documents and Settings\Timothy Leung\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\KUENonmp.ini
C:\WINDOWS\system32\KUENonmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\sdhnnrma.ini
C:\WINDOWS\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://downloads.networkmagic.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 16:34 . 2008-05-18 16:34 244 --ah----- C:\sqmnoopt14.sqm
2008-05-18 16:34 . 2008-05-18 16:34 232 --ah----- C:\sqmdata14.sqm
2008-05-10 23:43 . 2008-05-10 23:43 244 --ah----- C:\sqmnoopt13.sqm
2008-05-10 23:43 . 2008-05-10 23:43 232 --ah----- C:\sqmdata13.sqm
2008-05-10 23:39 . 2008-05-10 23:39 <DIR> d-------- C:\Documents and Settings\Timothy Leung\Application Data\Thinstall
2008-05-08 17:28 . 2008-05-08 17:28 244 --ah----- C:\sqmnoopt12.sqm
2008-05-08 17:28 . 2008-05-08 17:28 232 --ah----- C:\sqmdata12.sqm
2008-05-07 17:11 . 2008-05-07 17:11 244 --ah----- C:\sqmnoopt11.sqm
2008-05-07 17:11 . 2008-05-07 17:11 232 --ah----- C:\sqmdata11.sqm
2008-05-03 16:13 . 2008-05-03 16:13 244 --ah----- C:\sqmnoopt10.sqm
2008-05-03 16:13 . 2008-05-03 16:13 232 --ah----- C:\sqmdata10.sqm
2008-04-30 21:33 . 2008-04-30 21:33 244 --ah----- C:\sqmnoopt09.sqm
2008-04-30 21:33 . 2008-04-30 21:33 232 --ah----- C:\sqmdata09.sqm
2008-04-30 18:30 . 2008-04-30 18:30 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-27 18:55 . 2008-04-27 18:55 244 --ah----- C:\sqmnoopt08.sqm
2008-04-27 18:55 . 2008-04-27 18:55 232 --ah----- C:\sqmdata08.sqm
2008-04-27 18:14 . 2008-04-27 18:14 244 --ah----- C:\sqmnoopt07.sqm
2008-04-27 18:14 . 2008-04-27 18:14 232 --ah----- C:\sqmdata07.sqm
2008-04-26 22:57 . 2008-04-26 22:57 244 --ah----- C:\sqmnoopt06.sqm
2008-04-26 22:57 . 2008-04-26 22:57 232 --ah----- C:\sqmdata06.sqm
2008-04-26 22:51 . 2008-04-26 22:51 244 --ah----- C:\sqmnoopt05.sqm
2008-04-26 22:51 . 2008-04-26 22:51 232 --ah----- C:\sqmdata05.sqm
2008-04-26 15:13 . 2008-04-26 15:13 244 --ah----- C:\sqmnoopt04.sqm
2008-04-26 15:13 . 2008-04-26 15:13 232 --ah----- C:\sqmdata04.sqm
2008-04-26 14:53 . 2008-04-26 22:47 <DIR> d--hs---- C:\Locked.nsi
2008-04-26 00:20 . 2008-04-26 00:20 1,024 --a------ C:\.rnd
2008-04-26 00:06 . 2008-04-26 00:06 244 --ah----- C:\sqmnoopt03.sqm
2008-04-26 00:06 . 2008-04-26 00:06 232 --ah----- C:\sqmdata03.sqm
2008-04-25 23:03 . 2008-04-25 23:03 <DIR> d-------- C:\Program Files\UltraISO
2008-04-25 23:03 . 2008-04-25 23:03 <DIR> d-------- C:\Program Files\Common Files\EZB Systems
2008-04-25 00:06 . 2008-04-25 00:06 244 --ah----- C:\sqmnoopt02.sqm
2008-04-25 00:06 . 2008-04-25 00:06 232 --ah----- C:\sqmdata02.sqm
2008-04-24 23:29 . 2008-04-24 23:29 <DIR> d-------- C:\Deckard
2008-04-24 21:48 . 2008-04-24 21:48 244 --ah----- C:\sqmnoopt01.sqm
2008-04-24 21:48 . 2008-04-24 21:48 232 --ah----- C:\sqmdata01.sqm
2008-04-24 21:26 . 2008-04-24 21:26 244 --ah----- C:\sqmnoopt00.sqm
2008-04-24 21:26 . 2008-04-24 21:26 232 --ah----- C:\sqmdata00.sqm
2008-04-24 21:11 . 2008-04-24 21:18 <DIR> d-------- C:\VundoFix Backups
2008-04-24 00:20 . 2008-04-24 00:20 153 --a------ C:\WINDOWS\wininit.ini
2008-04-23 21:29 . 2008-04-23 21:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HP
2008-04-23 21:28 . 2008-04-23 21:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-04-23 21:28 . 2008-04-23 21:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-04-23 21:28 . 2008-04-23 21:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 21:28 . 2004-08-03 21:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-23 21:28 . 2008-05-18 16:37 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-04-23 18:56 . 2008-04-23 18:56 109,734 --a------ C:\WINDOWS\BMbf9820a3.xml
2008-04-23 18:51 . 2008-04-23 18:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:51 . 2008-04-23 18:51 <DIR> d-------- C:\Documents and Settings\Timothy Leung\Application Data\Malwarebytes
2008-04-23 18:51 . 2008-04-23 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 00:08 . 2008-05-08 17:10 <DIR> d-------- C:\HJT
2008-04-22 21:53 . 2008-04-22 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-22 21:00 . 2008-04-22 21:00 <DIR> d-------- C:\Documents and Settings\Timothy Leung\Application Data\Symantec
2008-04-22 18:42 . 2008-04-22 18:42 <DIR> d-------- C:\Documents and Settings\Timothy Leung\Application Data\Uniblue
2008-04-22 18:42 . 2008-04-22 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-04-22 18:41 . 2008-04-22 18:41 <DIR> d-------- C:\Program Files\Uniblue
2008-04-22 00:02 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-04-22 00:02 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-04-22 00:01 . 2007-12-20 17:13 136,416 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2008-04-22 00:01 . 2008-01-19 20:12 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2008-04-22 00:01 . 2008-01-19 19:31 109,360 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-04-22 00:01 . 2008-01-19 19:45 38,112 --a------ C:\WINDOWS\system32\drivers\v2imount.sys
2008-04-22 00:01 . 2008-01-19 19:31 15,664 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-04-22 00:01 . 2008-01-19 19:40 15,088 --a------ C:\WINDOWS\system32\drivers\vproeventmonitor.sys
2008-04-21 23:59 . 2008-04-21 23:59 <DIR> d-------- C:\Program Files\Norton Ghost
2008-04-18 01:18 . 2008-04-18 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 04:19 --------- d-----w C:\Program Files\PowerISO
2008-04-24 01:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-23 05:36 --------- d-----w C:\Documents and Settings\Timothy Leung\Application Data\Skype
2008-04-23 05:19 --------- d-----w C:\Documents and Settings\Timothy Leung\Application Data\skypePM
2008-04-23 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-22 07:20 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-22 07:20 --------- d-----w C:\Documents and Settings\Timothy Leung\Application Data\uTorrent
2008-04-22 06:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 06:52 --------- d-----w C:\Program Files\MagicISO
2008-04-21 01:58 56,664 ----a-w C:\Documents and Settings\Timothy Leung\Application Data\GDIPFONTCACHEV1.DAT
2008-04-20 06:17 --------- d-----w C:\Program Files\IncrediMail
2008-04-20 00:49 --------- d-----w C:\Program Files\Image for Windows
2008-04-18 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail
2008-04-16 06:30 --------- d-----w C:\Program Files\DIFX
2008-04-16 06:29 --------- d-----w C:\Program Files\Pure Networks
2008-04-16 06:29 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-04-14 03:31 --------- d-----w C:\Program Files\eMule
2008-04-14 00:07 --------- d-----w C:\Documents and Settings\Timothy Leung\Application Data\Gizmo5
2008-04-08 06:01 --------- d-----w C:\Documents and Settings\Timothy Leung\Application Data\Vso
2008-04-06 23:05 --------- d-----w C:\Program Files\Skype
2008-04-06 06:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pure Networks
2008-04-06 05:42 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-06 05:20 --------- d-----w C:\Program Files\SJphone
2008-04-06 02:57 --------- d-----w C:\Program Files\vbuzzer
2008-04-05 05:49 --------- d-----w C:\Program Files\Gizmo5
2008-04-03 06:18 --------- d-----w C:\Program Files\Cirond
2008-04-03 05:38 --------- d-----w C:\Program Files\Spectec
2008-04-03 00:48 --------- d-----w C:\Program Files\GOPC
2008-04-02 01:50 --------- d-----w C:\Program Files\Bandwidth Monitor
2008-04-02 01:50 --------- d-----w C:\Documents and Settings\Timothy Leung\Application Data\Rokario
2008-04-02 01:23 --------- d-----w C:\Program Files\OpenVideoConverter
2008-04-01 04:53 --------- d-----w C:\Program Files\MSN Messenger
2008-04-01 04:53 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-04-01 02:29 --------- d-----w C:\Program Files\Aspecto Software
2008-04-01 02:16 --------- d-----w C:\Program Files\PocketPC
2008-03-31 04:51 --------- d-----w C:\Program Files\Astraware
2008-03-31 04:44 --------- d-----w C:\Program Files\Handmark
2008-03-30 00:16 --------- d-----w C:\Program Files\Home Ftp Server
2008-03-29 21:33 --------- d-----w C:\Program Files\File Splitter Deluxe
2008-03-28 06:20 --------- d-----w C:\Program Files\Card and Invitation maker
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\YUCATAN.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\WEIRDOW.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\VAGBND.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\SKETCHH.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\SECNDG.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\MONOTON.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\MARAC.FOT
2008-03-28 04:40 1,409 ----a-w C:\WINDOWS\Fonts\FIRSTGR.FOT
2008-03-23 23:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 01:30 --------- d-----w C:\Program Files\CloneCD
2008-03-19 19:26 --------- d-----w C:\Program Files\Microsoft Games
2008-02-14 02:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-10-03 04:46 81,920 ----a-w C:\Documents and Settings\Timothy Leung\Application Data\ezpinst.exe
2007-10-03 04:46 47,360 ----a-w C:\Documents and Settings\Timothy Leung\Application Data\pcouffin.sys
2007-07-27 04:07 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007072620070727\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]
"Softany Monitor Control"="C:\Program Files\Monitor Control\MonitorControl.exe" [2005-08-09 08:13 1277440]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-08-21 23:39 5674352]
"Vbuzzer Messenger"="C:\Program Files\vbuzzer\VBuzzer.exe" [2008-03-13 08:36 5332992]
"IncrediMail"="C:\PROGRA~1\INCRED~1\bin\IncMail.exe" [2006-06-19 17:26 200747]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2005-05-14 18:23 187904]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 01:51 172032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-20 23:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26 3429904]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 21:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49 77824]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 13:21 28672]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"Norton Ghost 14.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 20:01 2245984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Updates"="svehost.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SSS2006"="C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" [ ]

C:\Documents and Settings\Timothy Leung\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2007-07-31 23:37:39