Probable Vundo Infection

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Probable Vundo Infection, Repeated Removal Steps Attempted

Options

DSRML View Member Profile	Jul 4 2008, 10:55 AM Post #1
New Member Group: Members Posts: 5 Joined: 4-July 08 Member No.: 220,421	Hey guys, I've had a Vundo infection for a couple days? I'm not entirely certain, but I can probably trace it back to Wednesday night. I'm usually the kind of person who does this stuff himself, so I've tried some things. 1) Attempted HijackThis scan and analysis (Not attached) 2) Ran Spybot Search & Destroy, once in normal mode once in safe mode. Virtumonde.dll and Virtumonde detected. Repeatedly scan and remove, new files repeatedly appear. 3) Reattempt HijackThis scan, no new results (not attached). 4) Attempt a full system scan using avast!. No results. 5) Use VundoFix utility from this website. No results found. (No Logs produced) 6) Use FixVundo Utility from Computer Associates. (Log Attached) 7) Get desperate. Run DSS.exe as requested (Logs below) In addition to this, the malware appears to have changed my default browser from Firefox to IE. Its deleted my startup entry from avast!, though it appears only to have removed the icon from my system tray and not the resident scanners themselves. It has been triggering my Spybot Search and Destroy resident scanner as well, and I've attached the log file for that as well for what changes it has blocked and allowed. The relevant results start on 7/2/2008 (Resident.log). I've excerpted some entries since the file is very long (way bigger than 512k), but its been spamming my computer with registry change requests and browser helpers. From Resident.log is this entry, which repeats about a gagillion times: "7/2/2008 9:28:24 PM Denied (based on user blacklist) value "{CFE6433F-53DF-454A-ACE5-0311CD2F86E5}" (new data: "") added in Browser Helper Object! " The odd thing is the spam only starts after the computer has been running for a couple minutes. I don't know whats up with the delay. Thanks for the help! DSS.exe Logs: From Main.txt: Deckard's System Scanner v20071014.68 Run by Shakeel on 2008-07-04 10:28:04 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- -- Last 3 Restore Point(s) -- 3: 2008-07-04 15:23:53 UTC - RP3 - Deckard's System Scanner Restore Point 2: 2008-07-04 14:21:17 UTC - RP2 - ComboFix created restore point 1: 2008-07-04 14:20:54 UTC - RP1 - System Checkpoint Backed up registry hives. Performed disk cleanup. System Drive C: has 4.38 GiB (less than 15%) free. -- HijackThis (run as Shakeel.exe) --------------------------------------------- Unable to find log (file not found); running clone. -- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-07-04 10:29:45 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Documents and Settings\Shakeel\Desktop\dss.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5890 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- All drivers whitelisted. -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour> R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition> S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: Description: Modem Device on High Definition Audio Bus Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_10573055&REV_1007\4&E8B2878&0&0101 Manufacturer: Name: Modem Device on High Definition Audio Bus PNP Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_10573055&REV_1007\4&E8B2878&0&0101 Service: Class GUID: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} Description: HP Quick Launch Buttons Device ID: ACPI\HPQ0006\4&2FFE84EA&0 Manufacturer: Hewlett-Packard Name: HP Quick Launch Buttons PNP Device ID: ACPI\HPQ0006\4&2FFE84EA&0 Service: -- Files created between 2008-06-04 and 2008-07-04 ----------------------------- 2008-07-04 10:26:04 0 dr-h----- C:\Documents and Settings\Shakeel\Recent 2008-07-04 09:20:48 68096 --a------ C:\WINDOWS\zip.exe 2008-07-04 09:20:48 49152 --a------ C:\WINDOWS\VFind.exe 2008-07-04 09:20:48 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller> 2008-07-04 09:20:48 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor> 2008-07-04 09:20:48 98816 --a------ C:\WINDOWS\sed.exe 2008-07-04 09:20:48 80412 --a------ C:\WINDOWS\grep.exe 2008-07-04 09:20:48 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; > 2008-07-04 09:20:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists> 2008-07-02 21:59:54 0 d-------- C:\VundoFix Backups 2008-07-02 20:30:04 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll 2008-07-02 20:30:04 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll 2008-07-02 20:30:04 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll 2008-07-02 20:19:15 18149 --a------ C:\WINDOWS\DIIUnin.dat 2008-07-02 20:19:14 2829 --a------ C:\WINDOWS\DIIUnin.pif 2008-07-02 20:19:14 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller> 2008-07-02 20:13:27 0 d-------- C:\Program Files\Diablo II 2008-06-25 20:24:17 0 d-------- C:\Program Files\iPod 2008-06-25 20:24:12 0 d-------- C:\Program Files\iTunes 2008-06-25 20:23:41 0 d-------- C:\Program Files\Bonjour 2008-06-25 20:23:03 0 d-------- C:\Program Files\QuickTime 2008-06-21 12:40:11 0 d-------- C:\Program Files\DivX 2008-06-08 22:11:23 0 d-------- C:\Documents and Settings\Shakeel\Contacts 2008-06-08 22:09:35 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-08 22:09:30 0 d-------- C:\Program Files\Windows Live 2008-06-08 22:09:26 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-06-08 18:14:39 0 d-------- C:\Documents and Settings\Shakeel\Application Data\Agency9 -- Find3M Report --------------------------------------------------------------- 2008-07-02 19:52:22 0 d-------- C:\Documents and Settings\Shakeel\Application Data\uTorrent 2008-07-01 23:41:36 0 d-------- C:\Program Files\Trillian 2008-06-17 18:44:16 0 d-------- C:\Documents and Settings\Shakeel\Application Data\Mozilla 2008-06-15 21:07:01 0 d-------- C:\Documents and Settings\Shakeel\Application Data\LimeWire 2008-06-08 22:21:30 0 d-------- C:\Program Files\Yahoo! 2008-06-08 22:09:35 0 d-------- C:\Program Files\Common Files 2008-05-31 00:12:35 0 d-------- C:\Program Files\Microsoft ActiveSync 2008-05-22 22:43:46 0 d-------- C:\Program Files\Guitar Pro 5 2008-05-17 15:18:43 0 d-------- C:\Program Files\CCleaner 2008-05-17 14:58:10 0 d-------- C:\Program Files\Alcohol Soft 2008-05-09 21:59:42 72876 --ah----- C:\WINDOWS\system32\mlfcache.dat 2008-05-04 20:58:18 0 d-------- C:\Program Files\LimeWire 2008-04-04 06:20:08 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat -- Registry Dump --------------------------------------------------------------- Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nwiz"="nwiz.exe" [08/01/2007 22:44 C:\WINDOWS\system32\nwiz.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/12/2007 14:36] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [02/16/2006 14:42] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/01/2007 22:44] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 22:11] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 10:43] "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [02/28/2008 16:07] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoRecentDocsMenu"=01000000 "ClearRecentDocsOnExit"=01000000 "NoRecentDocsHistory"=01000000 "NoSMMyDocs"=01000000 "NoSMMyPictures"=01000000 "NoNetworkConnections"=01000000 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet -- End of Deckard's System Scanner: finished at 2008-07-04 10:31:12 ------------ From Extra.txt: Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel® Core™2 Duo CPU T7250 @ 2.00GHz CPU 1: Intel® Core™2 Duo CPU T7250 @ 2.00GHz Percentage of Memory in Use: 22% Physical Memory (total/avail): 2046.36 MiB / 1577.53 MiB Pagefile Memory (total/avail): 5984.08 MiB / 5617.36 MiB Virtual Memory (total/avail): 2047.88 MiB / 1927.2 MiB C: is Fixed (NTFS) - 74.53 GiB total, 4.38 GiB free. D: is CDROM (No Media) E: is CDROM (No Media) F: is CDROM (No Media) \\.\PHYSICALDRIVE0 - WDC WD800BEVS-60RST0 - 74.53 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 74.53 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is set to notify before download. Windows Internal Firewall is disabled. FirstRunDisabled is set. FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.) AV: avast! antivirus 4.8.1201 [VPS 080704-1] v4.8.1201 (ALWIL Software) [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe::Enabled:Windows Live Messenger (Phone)" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe::Enabled:Trillian" "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe::Enabled:µTorrent" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe::Enabled:Yahoo! FT Server" "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager" "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager" "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application" "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe::Enabled:Bonjour" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe::Enabled:iTunes" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Shakeel\Application Data CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=REASON ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Shakeel LOGONSERVER=\\REASON NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRA~1\SecureFX;C:\Program Files\QuickTime\QTSystem; PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0f0d ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Shakeel\LOCALS~1\Temp TMP=C:\DOCUME~1\Shakeel\LOCALS~1\Temp tvdumpflags=8 USERDOMAIN=REASON USERNAME=Shakeel USERPROFILE=C:\Documents and Settings\Shakeel windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Shakeel (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E47302B-8081-46D3-9FEA-BEB2E5F5C3EC}\setup.exe" -l0x9 anything --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543} Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4} Audiosurf Demo --> "C:\Program Files\Steam\steam.exe" steam://uninstall/12910 avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3} CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe" Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8} ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D} Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN Foxit Reader --> C:\Program Files\Foxit Reader\Uninstall.exe GaussView --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97FBEF34-0FBF-11D4-B04A-0050040F4EB5}\setup.exe" GIMP 2.4.2 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe" Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe" HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe" HP Quick Launch Buttons 6.00 D1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe" -l0x9 -removeonly uninst Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29} Intel® Matrix Storage Manager --> C:\WINDOWS\System32\Imsmudlg.exe ISO Recorder --> MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21} iTunes --> MsiExec.exe /I{9F70BF98-003C-491D-81FC-FF9792206AF0} iTunes Library Updater --> MsiExec.exe /I{38EE230F-F631-451F-8800-E29F5E5C9E7D} Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020} LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe" Logitech Gaming Software 5.02 --> MsiExec.exe /X{64B20B36-AEE7-4DD4-897C-C5DA5C218F60} Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE} Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe" Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe" Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE} Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE} Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE} Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE} Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE} Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE} Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE} Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE} Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE} Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE} Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE} Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE} Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE} Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE} Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE} Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE} Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE} Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE} Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe" Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7} mIRC --> c:\shakeel\mirc\uninstall.exe _?=c:\shakeel\mirc Motorola Driver Installation --> MsiExec.exe /I{9579E862-5FC7-4337-B1CC-5E37451524C5} Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E} Nero 8 --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033} neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI Phun beta 3.12 --> "C:\Program Files\Phun\unins000.exe" PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml" PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7} QuickTime --> MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175} Real Alternative 1.7.5 --> "C:\Program Files\Real Alternative\unins000.exe" REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E} Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85} Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00} Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9} Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E} SKTools Lite --> C:\Program Files\Microsoft ActiveSync\SKTools Lite\Uninstall.exe SKTools Lite Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe" Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe" Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat Stardock Central --> C:\PROGRA~1\Stardock\SDCENT~1\UNWISE.EXE C:\PROGRA~1\Stardock\SDCENT~1\INSTALL.LOG Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3} Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta" Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278} Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA} VanDyke Software SecureFX 4.5 --> C:\PROGRA~1\SecureFX\UNINSTAL.EXE C:\PROGRA~1\SecureFX\INSTALL.LOG VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027} VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat Winamp --> "C:\Program Files\Winamp\UninstWA.exe" WinDirStat 1.1.2 --> "C:\Program Files\WinDirStat\Uninstall.exe" Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe" Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe" Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840} WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe XML Paper Specification Shared Components Pack 1.0 --> Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe -- Application Event Log ------------------------------------------------------- Event Record #/Type76930 / Error Event Submitted/Written: 07/03/2008 10:33:14 PM Event ID/Source: 1000 / Application Error Event Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000. Processing media-specific event for [!ws!] Event Record #/Type76929 / Error Event Submitted/Written: 07/03/2008 10:33:05 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application SDUpdate.exe, version 1.0.8.8, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Event Record #/Type76923 / Error Event Submitted/Written: 07/03/2008 09:20:53 PM Event ID/Source: 1015 / Winlogon Event Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine must now be restarted. Event Record #/Type76885 / Error Event Submitted/Written: 06/29/2008 06:38:46 PM Event ID/Source: 4609 / EventSystem Event Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. Event Record #/Type76884 / Error Event Submitted/Written: 06/29/2008 06:38:46 PM Event ID/Source: 4609 / EventSystem Event Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BE from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type12346 / Error Event Submitted/Written: 07/04/2008 10:30:44 AM Event ID/Source: 8032 / BROWSER Event Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{103C7885-3B8E-4BAF-B578-D745DA17D4D2}. The backup browser is stopping. Event Record #/Type12345 / Warning Event Submitted/Written: 07/04/2008 10:29:46 AM Event ID/Source: 8004 / MRxSmb Event Description: A request has been submitted to promote the computer to backup when it is already a master browser. Event Record #/Type12344 / Warning Event Submitted/Written: 07/04/2008 10:27:35 AM Event ID/Source: 8021 / BROWSER Event Description: The browser was unable to retrieve a list of servers from the browser master \\DESKTOP on the network \Device\NetBT_Tcpip_{103C7885-3B8E-4BAF-B578-D745DA17D4D2}. The data is the error code. Event Record #/Type12318 / Warning Event Submitted/Written: 07/04/2008 10:27:03 AM Event ID/Source: 1003 / Dhcp Event Description: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001CBF3B8AC0. The following error occurred: %%1223. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server. Event Record #/Type12314 / Error Event Submitted/Written: 07/04/2008 10:26:04 AM Event ID/Source: 10005 / DCOM Event Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} -- End of Deckard's System Scanner: finished at 2008-07-04 10:31:12 ------------ Attached File(s) FixVundo.log ( 140bytes ) Number of downloads: 2 Resident.log ( 3.92k ) Number of downloads: 3

teacup61 View Member Profile	Jul 4 2008, 05:59 PM Post #2
Bleepin' Texan! Group: HJT Team Posts: 6,550 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Hello DSRML, Welcome to Bleeping Computer Please download Malwarebytes' Anti-Malware from one of these places: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html http://www.besttechie.net/tools/mbam-setup.exe Double Click mbam-setup.exe to install the application. * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. * If an update is found, it will download and install the latest version. * Once the program has loaded, select "Perform Quick Scan", then click Scan. * The scan may take some time to finish,so please be patient. * When the scan is complete, click OK, then Show Results to view the results. * Make sure that everything is checked, and click Remove Selected. * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. * Copy&Paste the entire report in your next reply along with a fresh HijackThis log. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. Thanks, tea -------------------- Error reading poptart in Drive A: Delete kids y/n? If I've saved you time & money, please make a donation so I can keep helping people just like you! You can even use your credit card! Thank you!

DSRML View Member Profile	Jul 5 2008, 10:01 AM Post #3
New Member Group: Members Posts: 5 Joined: 4-July 08 Member No.: 220,421	Hey, I ran MBAM. I ran the quick scan and it returned no results, so I ran the full scan as well which returned one result. HijackThis rescanned. Quick Scan: Malwarebytes' Anti-Malware 1.19 Database version: 899 Windows 5.1.2600 Service Pack 2 9:14:26 AM 7/5/2008 mbam-log-7-5-2008 (09-14-26).txt Scan type: Quick Scan Objects scanned: 38465 Time elapsed: 5 minute(s), 48 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Full Scan: Malwarebytes' Anti-Malware 1.19 Database version: 899 Windows 5.1.2600 Service Pack 2 9:46:51 AM 7/5/2008 mbam-log-7-5-2008 (09-46-51).txt Scan type: Full Scan (C:\\|) Objects scanned: 87896 Time elapsed: 29 minute(s), 28 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Shakeel\Torrents\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:00:20 AM, on 7/5/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5607 bytes

teacup61 View Member Profile	Jul 5 2008, 10:17 AM Post #4
Bleepin' Texan! Group: HJT Team Posts: 6,550 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Hello, Well, I see how you got infected. Those logs look good. Do you still have reason to believe you're still infected? Let me know, please. Thanks, tea -------------------- Error reading poptart in Drive A: Delete kids y/n? If I've saved you time & money, please make a donation so I can keep helping people just like you! You can even use your credit card! Thank you!

DSRML View Member Profile	Jul 5 2008, 11:49 AM Post #5
New Member Group: Members Posts: 5 Joined: 4-July 08 Member No.: 220,421	As it turns out, the one file that it did delete was unaffiliated with the download that I thought had infected me - I've had that file for years. The Spybot notices have stopped for a little while, so I suppose that I don't really have a reason to think I'm infected anymore. I'm still trying to figure out why my avast resident scanner was deleted, but otherwise things look like they're running clean.

teacup61 View Member Profile	Jul 5 2008, 11:57 AM Post #6
Bleepin' Texan! Group: HJT Team Posts: 6,550 Joined: 5-April 06 From: Planet Texas! Member No.: 62,846	Let it run for a bit and make sure it's stopped and let me know. I'm not keen on closing out a thread until you feel good about how things are running. Regards, tea -------------------- Error reading poptart in Drive A: Delete kids y/n? If I've saved you time & money, please make a donation so I can keep helping people just like you! You can even use your credit card! Thank you!

DSRML View Member Profile	Jul 5 2008, 05:23 PM Post #7
New Member Group: Members Posts: 5 Joined: 4-July 08 Member No.: 220,421	Well, the only nuisence left is that now every time I download a file in Firefox, I still for some reason get the Internet Explorer "This file is an executable blah blah blah are you sure you want to run this file?" At least, the only one I've noticed. I reactivated the avast resident by reinstalling avast. I've tried reinstalling Firefox as well, but no go. Is this a setting I need to change? I can't seem to find much of anything on it. I'm running Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0, and just for shiggles, I've attached another HJT log. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:22:58 PM, on 7/5/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avast4\aswUpdSv.exe C:\Program Files\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Avast4\ashMaiSv.exe C:\Program Files\Avast4\ashWebSv.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\Avast4\ashDisp.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5517 bytes

teacup61

Jul 5 2008, 07:04 PM

Post #8

Bleepin' Texan!

Group: HJT Team
Posts: 6,550
Joined: 5-April 06
From: Planet Texas!
Member No.: 62,846

QUOTE

Is this a setting I need to change?

When it asks you that, is there a little check box that says "Don't ask me this again" or something similar? If so, check it, and it should stop. There may be a setting in Firefox that's set to prompt every time. I haven't seen it right off hand, but it might be there. That log still looks good.

Regards,
tea

--------------------

Error reading poptart in Drive A: Delete kids y/n?

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can even use your credit card! Thank you!