> Help..Trojan blocking other virus scanners and virus help websites
232xanax232
post Nov 15 2008, 08:07 AM
Post #1


Hello and thanks in advance for any help,

I'm at my wits' end. I have run well over a dozen different virus scanners and rootkit killers, and this thing just hasn't been deleted yet.
It blocks certain scanners from running, or even from showing up. I had brastk.exe and karna.dat, download.zlob, trojan.dropper.delf.fd, js/tenia.d, trojan.packed.618, trojan.agent, generic.dx, adware.commonname, and many, many more on the system from visiting a normal forum site on graphics; it was hidden in an iframe, got dumped into my temp files, and from there it spread like wildfire.
At present I cannot even connect to this site from my computer as it gets blocked (so I disconnected the computer from the internet). For a while Spybot Search & Destroy kept saying IT7baroutlay (I believe this is what it said); when I would go to a search or a page I would get that showing, and it would try to change the start page and search pages, and then I would be presented with go.microsoft.com/fwlink/?linkid= with numbers and such.
Here are the log files that I have that will give some insight into what's going on. I hope what I send is enough info.
Some of the scanners that I try to install show up in the processes but do not install; very tricky, this one is.

Here are the logs, and thanks again.
++++++++++++++++++++++++++++++

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-14 04:46:34
Microsoft Windows XP Professional Service Pack 3
System drive C: has 2 GB (2%) free of 104 GB
Total RAM: 1023 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:46 AM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\System32\imapi.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Administrator\Desktop\error 1058 cure\New Virus Software Nov 08\random's system information tool (RSIT)\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NortonAntiBot] "C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymantecAntiBotAgent - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe
O23 - Service: SymantecAntiBotWatcher - Symantec - C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 14770 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{D221CB62-48C5-47C9-87F5-7E91DE622B84}.job
C:\WINDOWS\tasks\XoftSpy.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-11-11 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
SpywareGuardDLBLOCK.CBrowserHelper - C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D99D8C80-287F-4E53-AB64-B2225DB42F83}]
TheyreAliveIE Class - C:\Program Files\They're Alive!\TheyreAlive.dll [2006-05-24 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe [2004-11-10 111816]
"nwiz"=nwiz.exe /install []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"CARPService"=C:\WINDOWS\System32\carpserv.exe [2001-12-23 4608]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2006-01-12 483328]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"NvMediaCenter"=C:\WINDOWS\System32\NvMCTray.dll [2003-07-28 49152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
""= []
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-11 1234712]
"NortonAntiBot"=C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe [2007-11-12 1378840]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"BDMCon"=C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe [2007-04-02 290816]
"BDAgent"=C:\Program Files\Softwin\BitDefender10\bdagent.exe [2007-03-26 69632]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
""= []
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]
"NvMediaCenter"=C:\WINDOWS\system32\NVMCTRAY.DLL [2003-07-28 49152]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
TabUserW.lnk - C:\Program Files\Wacom\TabUserW.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="sockspy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\System32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=C:\Program Files\SpywareGuard\spywareguard.dll [2003-08-02 126976]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WRConsumerService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"_NoDriveTypeAutoRun"=145
"NoRun"=0
"NoFind"=0
"NoLogOff"=0
"NoSetFolders"=0
"DisallowRun"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\NovaLogic\Delta Force Black Hawk Down\DFBHD.EXE"="C:\Program Files\NovaLogic\Delta Force Black Hawk Down\DFBHD.EXE:*:Disabled:DFBHD"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\NovaLogic\Delta Force Xtreme Demo\DFXDemo.exe"="C:\Program Files\NovaLogic\Delta Force Xtreme Demo\DFXDemo.exe:*:Enabled:DFXDemo"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\NovaLogic\Delta Force Black Hawk Down\UPDATE.EXE"="C:\Program Files\NovaLogic\Delta Force Black Hawk Down\UPDATE.EXE:*:Enabled:UPDATE"
"C:\Program Files\Real\RealOne Player\realplay.exe"="C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealPlayer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe:*:Enabled:McAfee Data Backup"
"C:\Program Files\Macromedia\Flash 5\Flash.exe"="C:\Program Files\Macromedia\Flash 5\Flash.exe:*:Enabled:Flash 5.0 r6"
"C:\Program Files\Common Files\AOL\1155072924\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1155072924\ee\aim6.exe:*:Disabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1155072924\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1155072924\ee\aolsoftware.exe:*:Disabled:AOL Services"
"C:\Program Files\SwiftSwitch\SwiftSwitch.exe"="C:\Program Files\SwiftSwitch\SwiftSwitch.exe:*:Disabled:SwiftSwitch"
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\HTC\Aces High II\aceshigh.exe"="C:\Program Files\HTC\Aces High II\aceshigh.exe:*:Disabled:aceshigh"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Disabled:Azureus"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1330b9cb-6ed6-11dd-a179-004063c1dc25}]
shell\AutoRun\command - H:\LaunchU3.exe -a


======File associations======

.js - edit - C:\WINDOWS\System32\Notepad.exe %1
.js - open - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.scr - open - C:\WINDOWS\NOTEPAD.EXE "%1"
.scr - install -
.scr - config -
.vbs - edit - C:\WINDOWS\System32\Notepad.exe %1
.vbs - open - C:\WINDOWS\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2008-11-14 04:29:01 ----D---- C:\Program Files\Glary Registry Repair
2008-11-14 04:26:24 ----D---- C:\Program Files\NortonInstaller
2008-11-14 03:25:25 ----D---- C:\Program Files\roguescanfix
2008-11-14 01:30:20 ----N---- C:\WINDOWS\system32\4.tmp
2008-11-13 10:43:56 ----D---- C:\Documents and Settings\Administrator\Application Data\Bitdefender
2008-11-13 10:39:55 ----D---- C:\Program Files\Softwin
2008-11-13 10:39:55 ----D---- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-11-13 10:39:11 ----D---- C:\Program Files\Common Files\Softwin
2008-11-12 14:54:17 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-11-12 14:54:14 ----D---- C:\Program Files\Alwil Software
2008-11-12 11:55:26 ----N---- C:\WINDOWS\system32\3.tmp
2008-11-12 11:55:17 ----D---- C:\Program Files\Sophos
2008-11-12 11:45:38 ----D---- C:\Program Files\PrevxCSI
2008-11-12 11:45:32 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-11-12 01:23:57 ----D---- C:\Program Files\RogueRemover FREE
2008-11-12 00:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 00:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 00:01:44 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-11 12:12:40 ----HD---- C:\$AVG8.VAULT$
2008-11-11 09:43:40 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-11-11 09:43:12 ----D---- C:\Program Files\AVG
2008-11-11 09:43:12 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-11-11 05:23:21 ----D---- C:\rsit
2008-11-11 05:12:36 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-11 01:30:30 ----D---- C:\Program Files\AxBx
2008-11-11 00:31:06 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-11-11 00:30:13 ----D---- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\unrar3.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-11-10 22:39:32 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-10 22:39:32 ----D---- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-11-10 22:02:15 ----D---- C:\Binaries
2008-11-10 21:56:32 ----D---- C:\Program Files\Webroot
2008-11-10 21:56:32 ----D---- C:\Documents and Settings\All Users\Application Data\Webroot
2008-11-10 21:56:32 ----D---- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-11-10 21:56:32 ----A---- C:\WINDOWS\WRSetup.dll
2008-11-10 20:43:39 ----D---- C:\Program Files\Panda Security
2008-11-10 17:44:49 ----D---- C:\!KillBox
2008-11-10 17:21:49 ----D---- C:\Program Files\Trend Micro
2008-11-10 08:48:05 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-11-10 08:47:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-07 11:47:23 ----D---- C:\Program Files\SourceTec
2008-11-07 11:15:12 ----D---- C:\Program Files\Common Files\SourceTec
2008-11-07 11:15:12 ----A---- C:\WINDOWS\unins001.exe
2008-10-31 06:20:40 ----SHD---- C:\Documents and Settings\Administrator\Application Data\.#
2008-10-31 06:20:24 ----A---- C:\WINDOWS\system32\Codejock.CommandBars.v12.0.2.ocx
2008-10-31 06:20:20 ----D---- C:\Program Files\Smart CD Catalog PRO
2008-10-31 00:37:25 ----D---- C:\Program Files\WinUtilities
2008-10-24 23:01:31 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-20 07:50:04 ----D---- C:\Program Files\Adobe Media Player
2008-10-20 07:50:00 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-10-19 19:49:06 ----D---- C:\Program Files\Lantern 3D Screensaver
2008-10-19 19:49:06 ----A---- C:\WINDOWS\system32\Lantern 3D Screensaver.exe
2008-10-19 19:48:16 ----D---- C:\Program Files\The One Ring 3D Screensaver
2008-10-19 19:48:16 ----A---- C:\WINDOWS\system32\The One Ring 3D Screensaver.exe
2008-10-19 19:42:40 ----D---- C:\Program Files\Coral Reef 3D Screensaver
2008-10-19 19:42:40 ----A---- C:\WINDOWS\system32\Coral Reef 3D Screensaver.exe
2008-10-15 23:40:02 ----D---- C:\Program Files\MultiFind
2008-10-15 23:03:07 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-15 23:02:57 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-15 23:02:47 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-15 23:01:46 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-15 23:01:22 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$

======List of files/folders modified in the last 1 months======

2008-11-14 04:29:21 ----D---- C:\WINDOWS\Temp
2008-11-14 04:29:01 ----D---- C:\Program Files
2008-11-14 04:23:03 ----SD---- C:\WINDOWS\Tasks
2008-11-14 04:22:31 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-14 04:20:23 ----D---- C:\WINDOWS\system32
2008-11-14 04:19:19 ----D---- C:\WINDOWS
2008-11-14 03:24:31 ----D---- C:\WINDOWS\system32\drivers
2008-11-14 03:24:09 ----A---- C:\WINDOWS\win.ini
2008-11-14 03:14:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-14 02:09:46 ----D---- C:\WINDOWS\Prefetch
2008-11-14 02:00:15 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-13 20:23:34 ----HD---- C:\WINDOWS\inf
2008-11-13 11:14:55 ----D---- C:\WINDOWS\system32\config
2008-11-13 11:14:34 ----D---- C:\Config.Msi
2008-11-13 10:46:51 ----SHD---- C:\WINDOWS\Installer
2008-11-13 10:39:11 ----D---- C:\Program Files\Common Files
2008-11-13 06:08:57 ----D---- C:\Program Files\Ghost Hunter
2008-11-12 01:36:06 ----D---- C:\Program Files\Symantec
2008-11-12 01:36:06 ----D---- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-11-12 00:02:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-12 00:02:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 00:02:34 ----A---- C:\WINDOWS\imsins.BAK
2008-11-12 00:00:59 ----D---- C:\WINDOWS\WinSxS
2008-11-11 23:15:22 ----D---- C:\Program Files\Mozilla Firefox
2008-11-11 09:43:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-11 09:40:21 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-11-10 20:43:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-10 19:01:53 ----D---- C:\Program Files\ICQ
2008-11-10 18:57:50 ----D---- C:\Program Files\Google
2008-11-10 18:57:49 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-11-10 13:56:41 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-09 19:33:31 ----D---- C:\Downloads
2008-11-09 11:06:55 ----D---- C:\deletable temps
2008-11-08 15:49:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-07 09:29:53 ----A---- C:\cdrlog.txt
2008-11-06 21:34:37 ----D---- C:\WINDOWS\Help
2008-11-06 21:28:27 ----RSD---- C:\WINDOWS\Fonts
2008-11-05 20:10:00 ----D---- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-11-05 10:56:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-03 02:14:41 ----D---- C:\Program Files\SwiftKit
2008-11-01 13:05:24 ----D---- C:\Program Files\Driver Magician
2008-11-01 11:25:41 ----D---- C:\WINDOWS\nview
2008-10-30 20:06:41 ----D---- C:\Program Files\Winamp
2008-10-29 18:24:49 ----HD---- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-10-29 10:07:02 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-28 12:22:52 ----A---- C:\YServer.txt
2008-10-24 23:09:39 ----D---- C:\WINDOWS\system32\Macromed
2008-10-20 07:50:31 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-10-20 07:50:31 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-10-19 22:21:27 ----D---- C:\Program Files\Instant Source
2008-10-18 11:53:01 ----D---- C:\WINDOWS\security
2008-10-18 11:47:10 ----D---- C:\WINDOWS\Registration
2008-10-18 11:42:38 ----D---- C:\WINDOWS\system32\NtmsData
2008-10-16 14:20:38 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-10-15 23:08:05 ----D---- C:\Program Files\Internet Explorer
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-11-11 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-11-11 26824]
R1 bbcap;bbcap; C:\WINDOWS\system32\DRIVERS\bbcap.sys [2007-02-20 2944]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1997-12-22 23936]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-11-11 76040]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-08-24 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2001-05-28 73216]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Stltrk2k;Stltrk2k; C:\WINDOWS\system32\drivers\Stltrk2k.sys [2001-10-03 13325]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2001-12-23 33548]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-04-26 988032]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2007-04-26 267520]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-18 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]
R3 SymantecAntiBotDriver;SymantecAntiBotDriver; \??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotDriver.sys []
R3 SymantecAntiBotFilter;SymantecAntiBotFilter; \??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotFilter.sys []
R3 SymantecAntiBotShim;SymantecAntiBotShim; \??\C:\Program Files\Symantec\Norton AntiBot\agent\driver\AntiBotShim.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2006-10-09 203648]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2007-04-26 731136]
S3 A4S2600;A4S2600; C:\WINDOWS\System32\drivers\A4S2600.sys [1998-07-01 70336]
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 bdfdll;bdfdll; \??\C:\Program Files\Softwin\BitDefender10\bdfdll.sys []
S3 BDFsDrv;BDFsDrv; \??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys []
S3 BDRsDrv;BDRsDrv; \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2002-03-06 389135]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
S3 FETNDIS;VIA Rhine Family Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2002-03-22 36352]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2002-03-22 36352]
S3 Freedom;FREEDOM Miniport; C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS []
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-01-19 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-01-19 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-07-15 21744]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2004-09-29 1036928]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\10.tmp []
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nuvaud2;NUVision II Audio Service; C:\WINDOWS\system32\DRIVERS\nuvaud2.sys [2001-07-11 25024]
S3 NUVision;NUVision II Video Service; C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 153760]
S3 Profos;Profos; \??\C:\PROGRA~1\Softwin\BITDEF~1\profos.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI; C:\WINDOWS\System32\DRIVERS\ptserlp.sys [2001-08-17 112574]
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20040813.178\symidsco.sys []
S3 Trufos;Trufos; \??\C:\PROGRA~1\Softwin\BITDEF~1\trufos.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 VNUSB;VN Series Device; C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 38496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-02 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-11-11 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-11 231704]
R2 bdss;BitDefender Scan Server; C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe [2007-01-19 81920]
R2 CSIScanner;CSIScanner; C:\Program Files\PrevxCSI\prevxcsi.exe [2008-11-12 880696]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe [2007-10-22 237568]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\Program Files\McAfee\VirusScan\McShield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Pctspk;PCTEL Speaker Phone; C:\WINDOWS\system32\pctspk.exe [2001-08-17 86016]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 SymantecAntiBotWatcher;SymantecAntiBotWatcher; C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe [2007-11-12 539160]
R2 TabletService;TabletService; C:\WINDOWS\System32\Tablet.exe [2003-03-26 614400]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\Softwin\BitDefender10\vsserv.exe [2007-10-24 462848]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WRConsumerService;Webroot Client Service; C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-10-12 1066360]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 XCOMM;BitDefender Communicator; C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe [2006-11-09 86016]
S2 SymantecAntiBotAgent;SymantecAntiBotAgent; C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe [2007-11-12 4909592]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-05-04 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-04-27 500800]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2005-03-17 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]

-----------------EOF-----------------


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


I also have logs from the McAfee® Rootkit Detective 1.0 scan report (included as an attachment) and Glary Utilities, and a network connection log from the AVAST Server from when I tried to connect and it would not let me update the product; if they are needed, let me know.
Thanks in advance for your help.

P.S. I was finally able to re-install the Malwarebytes scanner (the one recommended on this site) by changing the name of the installer and changing the name of the run file. It found Trojan.Agent at HKEY_LOCAL_MACHINE\software\tdss and at winlogon\userinit (file was: system32\), which will be deleted on restart of Windows.
I will be running it again once I restart the system, but I have found that these files reinstall each time I restart the system.

This post has been edited by 232xanax232: Nov 15 2008, 12:45 PM

Attached File(s): RootkitDetectiveReport.txt (22.18k)


--------------------
“When one door closes another door opens; but we so often
look so long and so regretfully upon the closed door, that
we do not see the ones which open for us.”
--Alexander Graham Bell
232xanax232
post Nov 16 2008, 11:43 AM
Post #2
Member, Group: Members, Posts: 24, Joined: 15-November 08, Member No.: 256,792


Update on this one.

I ran SDFix; it picked up that I was infected with the dreaded TDSS*** rootkit. It deleted some files, but when it went into Windows mode McAfee stopped it from performing a task. After SDFix was completed, I rebooted; AVG8 picked up some erroneous temp files, so I will be re-running SDFix one more time.
I ran a few scans after the first use of SDFix using Malwarebytes and BitDefender and am in the process of running AVG. Once AVG is complete I will rerun SDFix, then McAfee Stinger, and then will post an updated RSIT log from random's system information tool to this post.
Hoping for some help later today on this; it will be very much appreciated. If there is some other scan I can run before posting an updated log, please advise. TY.

+++++++++++++++++++++++++++++++++++++++++++++

**4:20am Nov-17th update:

I'm finally able to update all of my scanner products and connect to the internet; I will run scans with all updated products.
Here is my HijackThis log and my RSIT log. I am also including as an attachment 2 SDFix logs... the first is where the TDSS*** rootkit was found; the second was a follow-up scan with the product.

Please, if you see something that needs to be done, let me know what steps I should take to further secure this computer and clean any bits that I may have missed on my own.
Thanks again in advance.

++++++++++++++++++++++++++++++++++++++++++++++

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:02 AM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mea\mea.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mea\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 14631 bytes


+++++++++++++++++++++++++++++++++++++++++++

RSIT LOG

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-17 03:27:04
Microsoft Windows XP Professional Service Pack 3
System drive C: has 2 GB (2%) free of 104 GB
Total RAM: 1023 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:39 AM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\error 1058 cure\New Virus Software Nov 08\random's system information tool (RSIT)\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mea\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 14536 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{D221CB62-48C5-47C9-87F5-7E91DE622B84}.job
C:\WINDOWS\tasks\XoftSpy.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-11-11 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
SpywareGuardDLBLOCK.CBrowserHelper - C:\Program Files\SpywareGuard\dlprotect.dll [2003-08-02 192512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D99D8C80-287F-4E53-AB64-B2225DB42F83}]
TheyreAliveIE Class - C:\Program Files\They're Alive!\TheyreAlive.dll [2006-05-24 237568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"nwiz"=nwiz.exe /install []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"CARPService"=C:\WINDOWS\System32\carpserv.exe [2001-12-23 4608]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2006-01-12 483328]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"NvMediaCenter"=C:\WINDOWS\System32\NvMCTray.dll [2003-07-28 49152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-11 1234712]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"BDMCon"=C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe [2007-04-02 290816]
"BDAgent"=C:\Program Files\Softwin\BitDefender10\bdagent.exe [2007-03-26 69632]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Mea\mbam.exe /runcleanupscript []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]
"NvMediaCenter"=C:\WINDOWS\system32\NVMCTRAY.DLL [2003-07-28 49152]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
TabUserW.lnk - C:\Program Files\Wacom\TabUserW.exe

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="sockspy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\System32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=C:\Program Files\SpywareGuard\spywareguard.dll [2003-08-02 126976]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WRConsumerService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"_NoDriveTypeAutoRun"=145
"NoLogOff"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\NovaLogic\Delta Force Black Hawk Down\DFBHD.EXE"="C:\Program Files\NovaLogic\Delta Force Black Hawk Down\DFBHD.EXE:*:Disabled:DFBHD"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\NovaLogic\Delta Force Xtreme Demo\DFXDemo.exe"="C:\Program Files\NovaLogic\Delta Force Xtreme Demo\DFXDemo.exe:*:Enabled:DFXDemo"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\NovaLogic\Delta Force Black Hawk Down\UPDATE.EXE"="C:\Program Files\NovaLogic\Delta Force Black Hawk Down\UPDATE.EXE:*:Enabled:UPDATE"
"C:\Program Files\Real\RealOne Player\realplay.exe"="C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealPlayer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe:*:Enabled:McAfee Data Backup"
"C:\Program Files\Macromedia\Flash 5\Flash.exe"="C:\Program Files\Macromedia\Flash 5\Flash.exe:*:Enabled:Flash 5.0 r6"
"C:\Program Files\Common Files\AOL\1155072924\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1155072924\ee\aim6.exe:*:Disabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1155072924\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1155072924\ee\aolsoftware.exe:*:Disabled:AOL Services"
"C:\Program Files\SwiftSwitch\SwiftSwitch.exe"="C:\Program Files\SwiftSwitch\SwiftSwitch.exe:*:Disabled:SwiftSwitch"
"C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe"="C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\HTC\Aces High II\aceshigh.exe"="C:\Program Files\HTC\Aces High II\aceshigh.exe:*:Disabled:aceshigh"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Disabled:Azureus"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1330b9cb-6ed6-11dd-a179-004063c1dc25}]
shell\AutoRun\command - H:\LaunchU3.exe -a


======File associations======

.js - edit - C:\WINDOWS\System32\Notepad.exe %1
.js - open - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.scr - open - C:\WINDOWS\NOTEPAD.EXE "%1"
.scr - install -
.scr - config -
.vbs - edit - C:\WINDOWS\System32\Notepad.exe %1
.vbs - open - C:\WINDOWS\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2008-11-15 15:51:53 ----D---- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-11-15 15:09:45 ----D---- C:\WINDOWS\ERUNT
2008-11-15 14:41:44 ----D---- C:\SDFix
2008-11-15 11:44:09 ----D---- C:\Avenger
2008-11-15 11:44:09 ----A---- C:\avenger.txt
2008-11-15 08:43:48 ----D---- C:\Program Files\Mea
2008-11-14 04:29:01 ----D---- C:\Program Files\Glary Registry Repair
2008-11-14 03:25:25 ----D---- C:\Program Files\roguescanfix
2008-11-13 10:43:56 ----D---- C:\Documents and Settings\Administrator\Application Data\Bitdefender
2008-11-13 10:39:55 ----D---- C:\Program Files\Softwin
2008-11-13 10:39:55 ----D---- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-11-13 10:39:11 ----D---- C:\Program Files\Common Files\Softwin
2008-11-12 14:54:17 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-11-12 14:54:14 ----D---- C:\Program Files\Alwil Software
2008-11-12 11:55:17 ----D---- C:\Program Files\Sophos
2008-11-12 11:45:38 ----D---- C:\Program Files\PrevxCSI
2008-11-12 11:45:32 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-11-12 01:23:57 ----D---- C:\Program Files\RogueRemover FREE
2008-11-12 00:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 00:02:15 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 00:01:44 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-11 12:12:40 ----HD---- C:\$AVG8.VAULT$
2008-11-11 09:43:40 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-11-11 09:43:12 ----D---- C:\Program Files\AVG
2008-11-11 09:43:12 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-11-11 05:23:21 ----D---- C:\rsit
2008-11-11 05:12:36 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-11 01:30:30 ----D---- C:\Program Files\AxBx
2008-11-11 00:31:06 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-11-11 00:30:13 ----D---- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\unrar3.dll
2008-11-10 22:39:34 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-11-10 22:39:32 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-10 22:39:32 ----D---- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-11-10 22:02:15 ----D---- C:\Binaries
2008-11-10 21:56:32 ----D---- C:\Program Files\Webroot
2008-11-10 21:56:32 ----D---- C:\Documents and Settings\All Users\Application Data\Webroot
2008-11-10 21:56:32 ----D---- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-11-10 21:56:32 ----A---- C:\WINDOWS\WRSetup.dll
2008-11-10 20:43:39 ----D---- C:\Program Files\Panda Security
2008-11-10 17:44:49 ----D---- C:\!KillBox
2008-11-10 17:21:49 ----D---- C:\Program Files\Trend Micro
2008-11-10 08:48:05 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-11-10 08:47:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-07 11:47:23 ----D---- C:\Program Files\SourceTec
2008-11-07 11:15:12 ----D---- C:\Program Files\Common Files\SourceTec
2008-11-07 11:15:12 ----A---- C:\WINDOWS\unins001.exe
2008-10-31 06:20:40 ----SHD---- C:\Documents and Settings\Administrator\Application Data\.#
2008-10-31 06:20:24 ----A---- C:\WINDOWS\system32\Codejock.CommandBars.v12.0.2.ocx
2008-10-31 06:20:20 ----D---- C:\Program Files\Smart CD Catalog PRO
2008-10-31 00:37:25 ----D---- C:\Program Files\WinUtilities
2008-10-24 23:01:31 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-20 07:50:04 ----D---- C:\Program Files\Adobe Media Player
2008-10-20 07:50:00 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-10-19 19:49:06 ----D---- C:\Program Files\Lantern 3D Screensaver
2008-10-19 19:49:06 ----A---- C:\WINDOWS\system32\Lantern 3D Screensaver.exe
2008-10-19 19:48:16 ----D---- C:\Program Files\The One Ring 3D Screensaver
2008-10-19 19:42:40 ----D---- C:\Program Files\Coral Reef 3D Screensaver
2008-10-19 19:42:40 ----A---- C:\WINDOWS\system32\Coral Reef 3D Screensaver.exe

======List of files/folders modified in the last 1 months======

2008-11-17 03:27:39 ----D---- C:\WINDOWS\Temp
2008-11-17 03:27:24 ----D---- C:\WINDOWS\Prefetch
2008-11-17 03:10:48 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-16 22:33:59 ----SD---- C:\WINDOWS\Tasks
2008-11-16 22:31:10 ----D---- C:\WINDOWS\system32
2008-11-16 21:07:24 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-16 20:53:05 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-16 17:15:42 ----HD---- C:\WINDOWS\inf
2008-11-16 17:15:28 ----D---- C:\WINDOWS\twain_32
2008-11-16 17:15:01 ----SHD---- C:\WINDOWS\Installer
2008-11-16 17:15:01 ----D---- C:\Config.Msi
2008-11-16 17:14:58 ----D---- C:\Program Files
2008-11-16 17:11:27 ----D---- C:\Program Files\HP
2008-11-16 17:11:27 ----D---- C:\Program Files\Common Files
2008-11-16 17:09:52 ----D---- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-11-16 17:09:37 ----D---- C:\Program Files\Symantec
2008-11-16 17:06:31 ----D---- C:\Program Files\Viewpoint
2008-11-16 17:06:24 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-11-16 11:48:00 ----SHD---- C:\System Volume Information
2008-11-16 11:48:00 ----D---- C:\WINDOWS\system32\Restore
2008-11-15 15:36:19 ----D---- C:\WINDOWS\system32\drivers
2008-11-15 15:19:08 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-15 15:09:45 ----D---- C:\WINDOWS
2008-11-14 03:24:09 ----A---- C:\WINDOWS\win.ini
2008-11-13 11:14:55 ----D---- C:\WINDOWS\system32\config
2008-11-13 06:08:57 ----D---- C:\Program Files\Ghost Hunter
2008-11-12 00:02:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 00:02:34 ----A---- C:\WINDOWS\imsins.BAK
2008-11-12 00:00:59 ----D---- C:\WINDOWS\WinSxS
2008-11-11 23:15:22 ----D---- C:\Program Files\Mozilla Firefox
2008-11-11 09:43:11 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-11 09:40:21 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-11-10 20:43:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-10 19:01:53 ----D---- C:\Program Files\ICQ
2008-11-10 18:57:50 ----D---- C:\Program Files\Google
2008-11-10 18:57:49 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-11-10 13:56:41 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-09 19:33:31 ----D---- C:\Downloads
2008-11-09 11:06:55 ----D---- C:\deletable temps
2008-11-08 15:49:23 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-07 09:29:53 ----A---- C:\cdrlog.txt
2008-11-06 21:34:37 ----D---- C:\WINDOWS\Help
2008-11-06 21:28:27 ----RSD---- C:\WINDOWS\Fonts
2008-11-05 20:10:00 ----D---- C:\Documents and Settings\Administrator\Application Data\Azureus
2008-11-05 10:56:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-03 02:14:41 ----D---- C:\Program Files\SwiftKit
2008-11-01 13:05:24 ----D---- C:\Program Files\Driver Magician
2008-11-01 11:25:41 ----D---- C:\WINDOWS\nview
2008-10-30 20:06:41 ----D---- C:\Program Files\Winamp
2008-10-29 18:24:49 ----HD---- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-10-29 10:07:02 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-28 12:22:52 ----A---- C:\YServer.txt
2008-10-24 23:09:39 ----D---- C:\WINDOWS\system32\Macromed
2008-10-20 07:50:31 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-10-20 07:50:31 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-10-19 22:21:27 ----D---- C:\Program Files\Instant Source
2008-10-18 11:53:01 ----D---- C:\WINDOWS\security
2008-10-18 11:47:10 ----D---- C:\WINDOWS\Registration
2008-10-18 11:42:38 ----D---- C:\WINDOWS\system32\NtmsData

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-11-11 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-11-11 26824]
R1 bbcap;bbcap; C:\WINDOWS\system32\DRIVERS\bbcap.sys [2007-02-20 2944]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1997-12-22 23936]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-11-11 76040]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 Fallback;Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-08-24 8413]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2001-05-28 73216]
R2 SoftFax;SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Stltrk2k;Stltrk2k; C:\WINDOWS\system32\drivers\Stltrk2k.sys [2001-10-03 13325]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2001-12-23 33548]
R2 Tones;Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-04-26 988032]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2007-04-26 267520]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-18 12160]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2006-10-09 203648]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2007-04-26 731136]
S3 A4S2600;A4S2600; C:\WINDOWS\System32\drivers\A4S2600.sys [1998-07-01 70336]
S3 basic2;basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 bdfdll;bdfdll; \??\C:\Program Files\Softwin\BitDefender10\bdfdll.sys []
S3 BDFsDrv;BDFsDrv; \??\C:\Program Files\Softwin\BitDefender10\bdfsdrv.sys []
S3 BDRsDrv;BDRsDrv; \??\C:\Program Files\Softwin\BitDefender10\bdrsdrv.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2002-03-06 389135]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
S3 FETNDIS;VIA Rhine Family Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2002-03-22 36352]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2002-03-22 36352]
S3 Freedom;FREEDOM Miniport; C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS []
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-01-19 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-01-19 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-07-15 21744]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2004-09-29 1036928]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\10.tmp []
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nuvaud2;NUVision II Audio Service; C:\WINDOWS\system32\DRIVERS\nuvaud2.sys [2001-07-11 25024]
S3 NUVision;NUVision II Video Service; C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 153760]
S3 Profos;Profos; \??\C:\PROGRA~1\Softwin\BITDEF~1\profos.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI; C:\WINDOWS\System32\DRIVERS\ptserlp.sys [2001-08-17 112574]
S3 Rksample;Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20040813.178\symidsco.sys []
S3 Trufos;Trufos; \??\C:\PROGRA~1\Softwin\BITDEF~1\trufos.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 VNUSB;VN Series Device; C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 38496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-02 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-11-11 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-11 231704]
R2 bdss;BitDefender Scan Server; C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe [2007-01-19 81920]
R2 CSIScanner;CSIScanner; C:\Program Files\PrevxCSI\prevxcsi.exe [2008-11-12 880696]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe [2007-10-22 237568]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\Program Files\McAfee\VirusScan\McShield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Pctspk;PCTEL Speaker Phone; C:\WINDOWS\system32\pctspk.exe [2001-08-17 86016]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 TabletService;TabletService; C:\WINDOWS\System32\Tablet.exe [2003-03-26 614400]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\Softwin\BitDefender10\vsserv.exe [2007-10-24 462848]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WRConsumerService;Webroot Client Service; C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe [2008-10-12 1066360]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 XCOMM;BitDefender Communicator; C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe [2006-11-09 86016]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-05-04 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-04-27 500800]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2005-03-17 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]

-----------------EOF-----------------


++++++++++++++++++++++++++++++++++++++++++++++

SDFix Logs attached

This post has been edited by 232xanax232: Nov 17 2008, 04:53 AM

Attached File(s):
SDFix_TDSS_Found.txt (9.86k)
SDFix_2ndRun.txt (9.4k)
 


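The driver and service sections of the RSIT log above follow a fixed line format, and the entries worth a second look are the ones an analyst scans for by hand: an empty [] where RSIT could not read the image file, an image loaded from a Temp directory or carrying a .tmp name, and one image registered under more than one service name. The Python script below is an added example for this thread, not part of RSIT or of the poster's log; its checks are heuristics chosen here, and the sample lines are a constructed subset in the same format. Hits are prompts, not verdicts: in this log catchme.sys is the driver that GMER and ComboFix load from Temp, and MEMSWEEP2 is the temporary driver Sophos Anti-Rootkit registers, both consistent with the scanners listed in the log.

```python
"""Triage the "List of drivers" / "List of services" sections of an RSIT log.

Added example for this thread; it is not part of RSIT or of the original post.
Each entry has the form

    <R|S><start> <name>;<display name>; <path> [<yyyy-mm-dd> <size>]

where R/S is running/stopped, <start> is the start type (0=Boot ... 4=Disabled)
and the bracket is empty when RSIT could not read the image file.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
START_TYPES = {0: "Boot", 1: "System", 2: "Auto", 3: "Demand", 4: "Disabled"}

# Constructed sample in the format of the log above (a hand-picked subset, not a scan).
SAMPLE = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-06-25 43520]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\10.tmp []
S3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
"""


@dataclass
class Entry:
    state: str           # "R" running or "S" stopped
    start: int           # start type, see START_TYPES
    name: str
    display: str
    path: str            # image path with any "\??\" prefix stripped
    date: Optional[str]
    size: Optional[int]  # None when RSIT printed an empty []
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one driver/service line; returns None for headers and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    path = m.group("path")
    if path.startswith("\\??\\"):
        path = path[4:]
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("display"), path,
                 meta[0] if meta else None,
                 int(meta[1]) if len(meta) > 1 else None)


def flags_for(entry: Entry, by_image: Dict[str, List[str]]) -> List[str]:
    """Checks an analyst applies by hand to each line.  Every hit still needs
    an explanation: legitimate anti-rootkit tools trigger some of them too."""
    flags = []
    low = entry.path.lower()
    if entry.size is None:
        # Empty [] means RSIT could not stat the file: either a transient
        # driver that is already gone, or a file something is hiding.
        flags.append("image not found at scan time")
    if "\\temp\\" in low or low.endswith(".tmp"):
        flags.append("loaded from a temporary location")
    if not low.endswith((".sys", ".exe")):
        flags.append("image has an unusual extension")
    others = [n for n in by_image.get(low, []) if n != entry.name]
    if others:
        flags.append("image shared with: " + ", ".join(others))
    return flags


def triage(log_text: str) -> List[Entry]:
    """Return the flagged entries, running ones first, then by start type."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    by_image: Dict[str, List[str]] = {}
    for e in entries:
        by_image.setdefault(e.path.lower(), []).append(e.name)
    for e in entries:
        e.flags = flags_for(e, by_image)
    flagged = [e for e in entries if e.flags]
    flagged.sort(key=lambda e: (e.state != "R", e.start))
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.state}{e.start} {START_TYPES[e.start]:<8} {e.name:<10} {e.path}")
        for f in e.flags:
            print("    - " + f)
```

Run it against the full driver and service sections of a log by passing the pasted text to triage(); the running entries come out first because a loaded driver with no readable image is the case that matters most when a rootkit is suspected.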
PropagandaPanda (Malware Response Team)
post Nov 21 2008, 05:43 PM, Post #3


Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Change the Drivers setting from "None" to Non-Microsoft.
  • Under the Additional Scans bar, check:
    *Reg - Disabled MS Config Items
    *Reg - File Associations
    *Reg - Uninstall List

  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    1. System Protection and Tracing
    2. Processes
    3. Save created processes to the log
    4. Drivers
    5. Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
    • Click on the Scan and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
    • Note: If you have any problems, try running GMER in Safe Mode
    Important!: Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

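The GMER scan requested above prints one line per hook, and the first thing to do with that output is to separate hooks GMER could tie to a named module (the avast! and McAfee drivers hooking the SSDT are the normal footprint of those products) from hooks it could not: a bare kernel address, a JMP into process memory with no module name behind it, or a partial patch it could not follow. The script below is an added example for this thread, not GMER's code or either poster's; it parses the line shapes GMER 1.0.14 emits, and the sample is a constructed subset in the shape of the log posted in the next reply. Unattributed hooks are what injected code and rootkits look like, but host intrusion prevention products also hook from memory they allocate at runtime, so each one still has to be matched to something installed on the machine before it is called malicious.

```python
"""Split GMER hook lines into hooks GMER resolved to a loaded module and hooks
it could not.  Added example for this thread; not part of GMER or of either
post.  Handles the SSDT/Code lines, the kernel .text/PAGE inline patches and
the per-process user-mode patches that GMER 1.0.14 prints."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SSDT_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?:(?P<addr>[0-9A-F]{8})\s+(?P<func>\w+)|"
                     r"(?P<module>.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func2>\w+)(?:\s+\[0x(?P<addr2>[0-9A-F]+)\])?)$")
INLINE_RE = re.compile(r"^(?P<section>\.text|PAGE)\s+(?P<loc>.+?)\s+(?P<at>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.+)$")
PROC_RE = re.compile(r"^(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<sym>\S+)$")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?$")

# Constructed sample using the line shapes of the GMER log below (a subset, not a scan).
SAMPLE = r"""
---- System - GMER 1.0.14 ----

SSDT 87365990 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF18D7604]
SSDT 87365EB8 ZwCreateProcess

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF191D9B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F191D9E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F191D9B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01190FEF
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 1 Byte [ E9 ]
"""


@dataclass
class Hook:
    kind: str               # SSDT, Code, or the patched section (.text/PAGE)
    scope: str              # "kernel" or "<image>[<pid>]"
    symbol: str             # hooked function, e.g. ZwClose or kernel32.dll!LoadLibraryA
    target: Optional[str]   # address control is redirected to, if GMER could tell
    module: Optional[str]   # module GMER resolved that target to, if any
    desc: Optional[str]     # GMER's "(description/vendor)" text for that module

    @property
    def attributed(self) -> bool:
        return self.module is not None


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one hook line; returns None for headers, blanks and other text."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        if m.group("addr"):          # bare address: GMER found no owning module
            return Hook(m.group("kind"), "kernel", m.group("func"), m.group("addr"), None, None)
        return Hook(m.group("kind"), "kernel", m.group("func2"), m.group("addr2"),
                    m.group("module"), m.group("desc"))
    m = INLINE_RE.match(line)
    if not m:
        return None
    p = PROC_RE.match(m.group("loc"))
    scope = f"{p.group('image')}[{p.group('pid')}]" if p else "kernel"
    symbol = p.group("sym") if p else m.group("loc")
    j = JMP_RE.match(m.group("patch"))
    if not j:                        # raw bytes only: a patch GMER could not follow
        return Hook(m.group("section"), scope, symbol, None, None, None)
    return Hook(m.group("section"), scope, symbol, j.group("target"), j.group("module"), j.group("desc"))


def classify(log_text: str) -> Tuple[List[Hook], List[Hook]]:
    """Return (attributed, unattributed) hooks in log order."""
    hooks = [h for h in map(parse_hook, log_text.splitlines()) if h]
    return [h for h in hooks if h.attributed], [h for h in hooks if not h.attributed]


def count_by(hooks: List[Hook]) -> Dict[str, int]:
    """Hooks per owner: module basename plus GMER's description when resolved,
    otherwise the scope (kernel or process) the unresolved hook lives in."""
    counts: Dict[str, int] = {}
    for h in hooks:
        base = h.module.rsplit("\\", 1)[-1] if h.module else None
        key = f"{base} ({h.desc})" if base else h.scope
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    attributed, unattributed = classify(SAMPLE)
    print("hooks resolved to a module:", count_by(attributed))
    print("hooks GMER could not attribute (explain each or treat as suspect):")
    for h in unattributed:
        print(f"  {h.kind:5} {h.scope} {h.symbol} -> {h.target or 'partial patch'}")
```

The per-owner counts are the useful view: a security product shows up as a block of hooks all resolving to one signed driver, whereas a handful of hooks in services.exe that resolve to nothing, as in the log pasted below, is exactly the entry to chase next.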
232xanax232 (Member)
post Nov 22 2008, 03:47 PM, Post #4


Hello PropagandaPanda,

I'm glad to hear from you, and thanks for responding to my troubles. I know that you all are very busy and I deeply appreciate your time and your help in this matter... no need to apologize for the delay.

I have gone through my machine quite thoroughly and believe that I have gotten most of what was there, or at least crippled it, and look forward to your expert help in securing the rest.

In regards to the changes that I have made to my machine since my posts: I have deleted a few programs, some old Java files (I installed the latest version of Java) and some of the scanners that I had installed to my hard drive, to free up some HD space.
I updated all the dat files for the scanners and security software that I run and checked Windows Update to see if there were any critical downloads available.
I ran Glary Registry Repair and removed a few problems that it found (which are very numerous according to the GRR software). What I let it repair was nothing critical (only keys that were pointing to programs that were no longer on my computer and such; I left the rest untouched and unrepaired).

I rebooted my computer, went to Start...Run..., typed %Temp% and deleted the temp files that XP allowed me to. I ran a few other various virus scans, which all came up clean. I also ran cleanmgr.exe on the C:\ drive, deleted all files that it allowed me to, and wiped out the restore points on my machine.

I did notice that I lost my context menu items in IE, which sucks, but I'm sure it's bad RegKeys somewhere.

I have run the programs that you asked me to; here are the logs that you wanted. Thanks, and I'm awaiting further instructions on how to proceed.

Here is the log:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-11-22 15:17:22
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT 87365990 ZwAllocateVirtualMemory
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF18D7604]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF18D74C0]
    SSDT 87365EB8 ZwCreateProcess
    SSDT 87365E40 ZwCreateProcessEx
    SSDT 87365C60 ZwCreateThread
    SSDT 873600A8 ZwDeleteKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF18D799E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF18D7098]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF18D759A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF18D6FD8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF18D703C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF18D76BA]
    SSDT 87365A08 ZwQueueApcThread
    SSDT 873658A0 ZwReadVirtualMemory
    SSDT 873290A8 ZwRenameKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF18D767A]
    SSDT 87365AF8 ZwSetContextThread
    SSDT 87366470 ZwSetInformationKey
    SSDT 87365D50 ZwSetInformationProcess
    SSDT 87365B70 ZwSetInformationThread
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF18D77FA]
    SSDT 87365CD8 ZwSuspendProcess
    SSDT 87365A80 ZwSuspendThread
    SSDT 87365DC8 ZwTerminateProcess
    SSDT 87365BE8 ZwTerminateThread
    SSDT 87365918 ZwWriteVirtualMemory

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF191D9B2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF191D9F2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF191D9C6]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF191DA08]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF191D9DC]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.14 ----

    .text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F191D9E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F191D9B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP F191D9CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F191DA0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F191D9F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.14 ----

    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[576] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01190FEF
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0119002C
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01190F37
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01190011
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01190F54
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01190F83
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E54 1 Byte [ E9 ]
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW + 2 7C801E56 3 Bytes [ E1, 98, 84 ]
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01190047
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01190095
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01190084
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 011900A6
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01190000
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01190FCA
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01190F1C
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01190F9E
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01190FAF
    .text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01190073
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01180FDB
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0118007D
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0118002C
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0118001B
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0118006C
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01180000
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0118005B
    .text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01180FCA
    .text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0116000A
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC000A
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F9E
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0FB9
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0093
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0076
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0051
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0F81
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC00C9
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0110
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00FF
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00EC0121
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00EC0FD4
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00EC001B
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00EC00B8
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00EC0FE5
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00EC0036
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00EC00E4
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EB002C
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EB006C
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EB0FE5
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EB001B
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EB0FA5
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EB000A
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00EB0047
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EB0FC0
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90000
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B8006C
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F77
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80051
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80040
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FA8
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80093
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F4B
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F26
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800BF
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800DA
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80025
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FD4
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80F5C
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FB9
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B8000A
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B800AE
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70025
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70F8D
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70FD4
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70FE5
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70F9E
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70000
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B70FAF
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D7, 88 ]
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70036
    .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0000
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D30FEF
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D30F4E
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D30F73
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D30F84
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D30FAB
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D30043
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D30079
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D30F33
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D30F0C
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D300A5
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D30EFB
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D30FBC
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D30FDE
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D3005E
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D30FCD
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D3001E
    .text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D3008A
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BA0FBC
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BA0F89
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BA0FCD
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BA0FDE
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BA0F9A
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BA003C
    .text C:\WINDOWS\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BA0FAB
    .text C:\WINDOWS\system32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B80FE5
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05160000
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05160FAF
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05160FCA
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 051600A4
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0516007D
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05160051
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 051600B5
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05160F79
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05160F26
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05160F41
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 05160F15
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0516006C
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0516001B
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 05160F8A
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 05160040
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 05160FE5
    .text C:\WINDOWS\System32\svchost.exe[1140] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 05160F52
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 05140025
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 05140F72
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 05140FD4
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0514000A
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 05140F8D
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 05140FE5
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 05140FA8
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 34, 8D ]
    .text C:\WINDOWS\System32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 05140FC3
    .text C:\WINDOWS\System32\svchost.exe[1140] WS2_32.dll!socket 71AB4211 5 Bytes JMP 05120FEF
    .text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 05150FEF
    .text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 05150014
    .text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 05150025
    .text C:\WINDOWS\System32\svchost.exe[1140] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 05150FD4
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650FE5
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650F79
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650F8A
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650064
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650F9B
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650022
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500AB
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0065009A
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500D7
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F3E
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00650F2D
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0065003D
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00650000
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00650089
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00650011
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00650FC0
    .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 006500C6
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00640FD4
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0064006C
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00640FE5
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00640025
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00640051
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0064000A
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00640036
    .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00640FAF
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007800A4
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780FA5
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780073
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780FC0
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780047
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F6D
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007800B5
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007800FC
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007800E1
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00780117
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00780058
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00780011
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00780F8A
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00780FDB
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0078002C
    .text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007800D0
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00770040
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00770FA5
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00770025
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0077000A
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0077006C
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00770FEF
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00770051
    .text C:\WINDOWS\System32\svchost.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00770FCA
    .text C:\WINDOWS\System32\svchost.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20091
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20080
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20FB2
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20FC3
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C2004A
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F5C
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F77
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20F41
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200DA
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C200F5
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C20065
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C20FDE
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C200A2
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C2002F
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C20014
    .text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C200BF
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 009B0FCA
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 009B0F8A
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 009B001B
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 009B0000
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 009B0047
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 009B0FE5
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 009B0036
    .text C:\WINDOWS\System32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 009B0FB9
    .text C:\WINDOWS\System32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
    .text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 009C0FEF
    .text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 009C0FDE
    .text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 009C0FCD
    .text C:\WINDOWS\System32\svchost.exe[1376] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 009C001E
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F70
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F8B
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10065
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10FA8
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FB9
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10096
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F4E
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100B1
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F18
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D10EFD
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D1004A
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D10011
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D10F5F
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D10FCA
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D10FDB
    .text C:\WINDOWS\Explorer.EXE[1640] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D10F29
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CC002F
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CC0F72
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CC0FD4
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CC0FE5
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CC0F8D
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CC0000
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00CC0F9E
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ EC, 88 ]
    .text C:\WINDOWS\Explorer.EXE[1640] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CC0FC3
    .text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00CE0FEF
    .text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00CE0014
    .text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00CE0FDE
    .text C:\WINDOWS\Explorer.EXE[1640] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00CE002F
    .text C:\WINDOWS\Explorer.EXE[1640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C20000
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80071
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F72
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8004C
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F83
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8001E
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800BA
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B800A9
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F32
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800CB
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B80F21
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B8002F
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FD4
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80082
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FB2
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80FC3
    .text C:\WINDOWS\System32\svchost.exe[2344] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F4D
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70FC0
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70036
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70FD1
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70011
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70F79
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70000
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B70F94
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D7, 88 ]
    .text C:\WINDOWS\System32\svchost.exe[2344] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70FA5
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01260FEF
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01260F52
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01260047
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01260F6D
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01260036
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01260025
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01260069
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01260F21
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0126008E
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01260EF5
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01260ED0
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01260F94
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01260014
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01260058
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01260FB9
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01260FDE
    .text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01260F06
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01250FC3
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01250F97
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01250FDE
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01250FEF
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01250054
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01250000
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01250043
    .text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01250FB2
    .text C:\WINDOWS\system32\svchost.exe[2804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01230000

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 87365660
    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 87365660
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 87365660
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 87365660
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 87365660
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 87365660
    IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 87365758
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 87365660

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
    IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    Device \Driver\Tcpip \Device\Ip 8704D0F8
    Device \Driver\Tcpip \Device\Ip 87275020
    Device \Driver\Tcpip \Device\Ip 87376020
    Device \Driver\Tcpip \Device\Ip 871FF020

    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\MPFP \Device\MPFP avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Tcp 8704D0F8
    Device \Driver\Tcpip \Device\Tcp 87275020
    Device \Driver\Tcpip \Device\Tcp 87376020
    Device \Driver\Tcpip \Device\Tcp 871FF020

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\Udp 8704D0F8
    Device \Driver\Tcpip \Device\Udp 87275020
    Device \Driver\Tcpip \Device\Udp 87376020
    Device \Driver\Tcpip \Device\Udp 871FF020

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\RawIp 8704D0F8
    Device \Driver\Tcpip \Device\RawIp 87275020
    Device \Driver\Tcpip \Device\RawIp 87376020
    Device \Driver\Tcpip \Device\RawIp 871FF020

    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\IPMULTICAST 8704D0F8
    Device \Driver\Tcpip \Device\IPMULTICAST 87275020
    Device \Driver\Tcpip \Device\IPMULTICAST 87376020
    Device \Driver\Tcpip \Device\IPMULTICAST 871FF020

    AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{AFEA6DAD-010E-C492-C051-91503DDB1E24}\InProcServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AFEA6DAD-010E-C492-C051-91503DDB1E24}\InProcServer32@iadehhhnpfjlgcnlnd 0x61 0x61 0x00 0x00
    Reg HKLM\SOFTWARE\Classes\CLSID\{AFEA6DAD-010E-C492-C051-91503DDB1E24}\InProcServer32@iadehhhnpfljampmnc 0x61 0x61 0x00 0x00
    Reg HKLM\SOFTWARE\Classes\CLSID\{AFEA6DAD-010E-C492-C051-91503DDB1E24}\InProcServer32@jadellooelnlkhlkicfn 0x6A 0x61 0x66 0x6A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AFEA6DAD-010E-C492-C051-91503DDB1E24}\InProcServer32@iadenlbieohofblhlo 0x69 0x61 0x6B 0x6A ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFEA6DAD-010E-C492-C051-91503DDB1E24}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFEA6DAD-010E-C492-C051-91503DDB1E24}@hafflmmdbogapldn 0x61 0x61 0x00 0x00
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFEA6DAD-010E-C492-C051-91503DDB1E24}@hafflmmdhaabhmag 0x61 0x61 0x00 0x00
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFEA6DAD-010E-C492-C051-91503DDB1E24}@iajeeiiegkhligddao 0x6A 0x61 0x66 0x6A ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFEA6DAD-010E-C492-C051-91503DDB1E24}@hapekdcalnkbchpd 0x6A 0x61 0x63 0x6A ...

    ---- Files - GMER 1.0.14 ----

    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\6\Pay-Per-Click Commando___Battle-Tested Secrets to EXPLODE Your W\header2.gif 18324 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\6\Pay-Per-Click Commando___Battle-Tested Secrets to EXPLODE Your W\order.gif 1926 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\6\Pay-Per-Click Commando___Battle-Tested Secrets to EXPLODE Your W\PayPerClick_2.gif 16659 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\bgleft.jpg 540 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\bgright.jpg 538 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\bib80blank.gif 4216 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\bottomleft.jpg 6760 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\bottomright.jpg 6181 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\cards2.gif 1824 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\downloaditnow2.gif 2716 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\icopgoldseal.gif 1557 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\moneymasters.jpg 9492 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\next.gif 842 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\resource.jpg 7284 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\spacer.gif 43 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\x(1).js 10 bytes
    File C:\Documents and Settings\Administrator\My Documents\Everything todo with eBooks\pdf marketing books\most awsome dude outhere\the ultimate book set\free to sell web site\what thewebsite will look like\nextpage\quick list\FreeToSell ebooks-The quick list_files\x.js 10 bytes

    ---- EOF - GMER 1.0.14 ----

    Attached File(s)
    Attached File  OTScanIt.Txt ( 255.36k ) Number of downloads: 2
     


    --------------------
    “When one door closes another door opens; but we so often
    look so long and so regretfully upon the closed door, that
    we do not see the ones which open for us.”
    --Alexander Graham Bell
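The GMER "User code sections" block above lists dozens of inline hooks (`.text <process>[pid] <module>!<export> <address> 5 Bytes JMP <target>`), and both security products and rootkits produce lines of exactly this shape, so the useful triage question is not "are there hooks" but "which processes are hooked, into which API families, and from how many injected code regions". The following parser is an added example written for this thread; it is not GMER's own tooling and not code from anyone in the thread. The sample log is constructed: the svchost.exe lines copy values from the log above, while the explorer.exe lines (pid 1608, the JMP target 00A40010 and the non-JMP byte patch) are made up to exercise the inline-patch branch.

```python
"""Summarise GMER user-mode hook lines by process, module, API family and JMP target region."""
import re
from collections import defaultdict

# Constructed sample in the shape of GMER 1.0.14 "User code sections" output.
# The svchost.exe[2804] lines copy the log above; the explorer.exe lines are invented.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0126008E
.text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01260025
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01250FC3
.text C:\WINDOWS\system32\svchost.exe[2804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01230000
.text C:\WINDOWS\explorer.exe[1608] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A40010
.text C:\WINDOWS\explorer.exe[1608] ntdll.dll!NtClose 7C90CFD0 5 Bytes [FF, 25, 00, 10, A4, 00]

---- EOF - GMER 1.0.14 ----
"""

# One hook line: process[pid], module!export, patched address, patch length, then either
# a JMP target (trampoline hook) or the raw replacement bytes (inline patch).
HOOK_RE = re.compile(
    r"^\s*\.text\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<length>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]+)|(?P<patch>.*))$"
)

# Coarse API families an analyst cares about when reading a hook list.
CAPABILITIES = (
    ("process creation", ("CreateProcess", "WinExec")),
    ("library loading", ("LoadLibrary", "GetProcAddress")),
    ("registry access", ("RegOpenKey", "RegCreateKey", "RegSetValue", "RegQueryValue")),
    ("file access", ("CreateFile", "NtCreateFile", "NtOpenFile")),
    ("network", ("socket", "connect", "send", "recv", "WSA")),
    ("memory protection", ("VirtualProtect",)),
    ("pipes", ("CreatePipe", "CreateNamedPipe")),
)


def classify(export):
    """Map an exported function name to one of the CAPABILITIES labels, or 'other'."""
    for label, prefixes in CAPABILITIES:
        if any(export.startswith(p) for p in prefixes):
            return label
    return "other"


def parse_user_hooks(text):
    """Return one dict per '.text' hook line; 'target' is None for non-JMP inline patches."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        hooks.append({
            "process": m["process"],
            "pid": int(m["pid"]),
            "module": m["module"].lower(),
            "export": m["export"],
            "addr": int(m["addr"], 16),
            "target": int(m["target"], 16) if m["target"] else None,
        })
    return hooks


def summarise(hooks):
    """Group hooks per process: exports per module, distinct 64 KiB regions the JMPs
    land in (each usually one injected module), intercepted API families, inline patches."""
    summary = {}
    for h in hooks:
        key = f"{h['process']}[{h['pid']}]"
        entry = summary.setdefault(key, {"modules": defaultdict(list), "regions": set(),
                                         "capabilities": set(), "inline_patches": 0})
        entry["modules"][h["module"]].append(h["export"])
        entry["capabilities"].add(classify(h["export"]))
        if h["target"] is None:
            entry["inline_patches"] += 1
        else:
            entry["regions"].add(h["target"] & ~0xFFFF)
    for entry in summary.values():
        entry["modules"] = {m: sorted(e) for m, e in entry["modules"].items()}
        entry["regions"] = sorted(f"0x{r:08X}" for r in entry["regions"])
        entry["capabilities"] = sorted(entry["capabilities"])
    return summary


def report(summary):
    """Render the summary as the short text an analyst would paste into a reply."""
    lines = []
    for proc, e in summary.items():
        total = sum(len(v) for v in e["modules"].values())
        lines.append(f"{proc}: {total} hooked export(s), {len(e['regions'])} JMP region(s) "
                     f"{', '.join(e['regions'])}, {e['inline_patches']} inline patch(es)")
        for module, exports in sorted(e["modules"].items()):
            lines.append(f"  {module}: {', '.join(exports)}")
        lines.append(f"  intercepts: {', '.join(e['capabilities'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(parse_user_hooks(SAMPLE_GMER))))
```

The region count is the actionable part: when many exports in one process all jump into the same few 64 KiB regions, each region is normally one injected DLL, and the next step is to map those regions to module names (Process Explorer or a debugger) and decide whether they belong to an installed security product or to something unknown. The parser deliberately does not label a hook good or bad on its own; GMER output for a machine with three antivirus products looks much like the output for an infected one until that module lookup is done.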
    PropagandaPanda
    post Nov 22 2008, 05:07 PM
    Post #5



    ******

    Group: Malware Response Team
    Posts: 7,078
    Joined: 10-March 08
    Member No.: 195,473



    Hello.

I see that you are running more than one antivirus program: AVG8, McAfee SecurityCenter and Avast!. It is not recommended that you do so. In addition to wasting resources, the programs may detect virus signatures in each other and cause false positives. The different drivers used by the programs can cause crashes.

Please uninstall them using Add/Remove Programs until you are only running one antivirus.

    Submit File to Online Scanner
    There is an unidentified file that I would like you to check out for me using Jotti/VirusTotal.
• Open Jotti Online Scanner, or VirusTotal Online Scanner. If one site is busy or down, try the other.
    • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
      1. C:\Program Files\Instant Source\isrc.dll
    • Click Submit.
    • Wait for the scan to finish.
    • Copy Scanner Results into your next reply.
    • If more than one file was listed, repeat for each of them.

    Please take a new HijackThis log from after the uninstall.

    What symptoms of infection are still present at the moment? Can you access the websites now?

    With Regards,
    The Panda


    232xanax232
    post Nov 22 2008, 07:54 PM
    Post #6


    Member
    **

    Group: Members
    Posts: 24
    Joined: 15-November 08
    Member No.: 256,792



Yes, there are still a few scanners running. The virus programs are what's left of the barrage of scanners I installed and ran to get rid of this virus/trojan. I use McAfee and have deleted all the others that I normally don't use.

    I submitted the file isrc.dll to Jotti:
    File: isrc.dll
    Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)

    And VirusTotal Online Scanner:
    File isrc.dll received on 11.23.2008 00:21:00 (CET)
    Current status: finished
    Result: 0/36 (0%)

At present there are no effects anymore from what was a very trying and troubling time. I am able to connect to the internet now after running SDFix; aside from having quite a few of my settings messed up, such as the context menu in IE, everything seems fine now.
I tried to install SpySweeperSNR while I was going through the worst of the infection. It installed halfway and then crashed; when I look at Task Manager, it shows that a part of it loads called WRConsumerService.exe, and I am not sure how to uninstall the crashed portion of that scanner. Any ideas on how I should proceed with an uninstall? Can I just track down the exe file and delete it? Are there any reg entries that I should clean up?

Here is the HijackThis log you requested. Thanks for helping and looking into this; I hope all traces of the trojan/rootkit have been eradicated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:49:57 PM, on 11/22/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mea\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
    O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
    O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 12125 bytes


    PropagandaPanda
    post Nov 22 2008, 08:09 PM
    Post #7



    ******

    Group: Malware Response Team
    Posts: 7,078
    Joined: 10-March 08
    Member No.: 195,473



    Hello.

    I would just install Webroot now fully, and then uninstall it. That will get rid of that component too.

    If that doesn't work, we can apply some force to remove it.

    View Point Program
Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but do not have malicious effects. This changed from what we knew in 2006; read this article.

    I suggest you remove the program(s) through Add and Remove Programs.

    With Regards,
    The Panda


    232xanax232
    post Nov 22 2008, 08:40 PM
    Post #8


    Member
    **

    Group: Members
    Posts: 24
    Joined: 15-November 08
    Member No.: 256,792



I'll give the install/uninstall a try.
I removed Viewpoint earlier using the Add/Remove Programs section. It is not showing up there anymore, but I see its process is still running. Any suggestions on how to get rid of the remnants? I found the RegKey; do you think I can just delete the Reg folder and then delete it from its folder in Program Files?

So how did things look? Was I successful in ridding the rootkit from my machine? Is all clear? Can I connect to my bank and such? When can I make a new restore point?
I sure hope so.

Any suggestions on removing old regkeys? Is Glary a good product to use, and if so, what can I let it clean up on its own?
Thanks for the help.

    This post has been edited by 232xanax232: Nov 23 2008, 07:40 AM


    PropagandaPanda
    post Nov 23 2008, 10:24 AM
    Post #9



    ******

    Group: Malware Response Team
    Posts: 7,078
    Joined: 10-March 08
    Member No.: 195,473



    Hello.

    I didn't see evidence of a rootkit. We will make a restore point when we are finished completely.

    Run Scan with Kaspersky
    Please do a scan with Kaspersky Online Scanner.

    This scan is for Internet Explorer Only.

    If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

    • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
    • Open the Kaspersky Scanner page.
    • Click on Accept and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
• After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report.
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    You can refer to this animation by sundavis.

    This scanner will only scan. It does not remove any malware it finds.


    Please also include a new HijackThis log. We'll rip out what's left of ViewPoint next round.

    With Regards,
    The Panda


    232xanax232
    post Nov 23 2008, 10:31 AM
    Post #10


    Member
    **

    Group: Members
    Posts: 24
    Joined: 15-November 08
    Member No.: 256,792



Thanks for the reply. I will run the online scan and post the results immediately. Thanks again for your help.


    --------------------
    “When one door closes another door opens; but we so often
    look so long and so regretfully upon the closed door, that
    we do not see the ones which open for us.”
    --Alexander Graham Bell
    PropagandaPanda
    post Nov 23 2008, 10:48 AM
    Post #11




    Group: Malware Response Team
    Posts: 7,078
    Joined: 10-March 08
    Member No.: 195,473



    Okay.

    The Panda


    232xanax232
    post Nov 24 2008, 05:59 AM
    Post #12


    Member

    Group: Members
    Posts: 24
    Joined: 15-November 08
    Member No.: 256,792



    Hello Panda,

    Sorry for not posting sooner. I hit the wrong key and lost the first Kaspersky log, so I had to run it again.

    Here are the logs (Kaspersky & HijackThis) that you requested.
    I saw that Outlook has a few probs. I never click on attachments from people I don't know, and I never open mail from people I didn't interact with first .... I delete such mail or send it (in the case of PayPal and eBay) to their spoofers addy.

    +++++++++++++++++++++++++++++++++++++++++++++

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, November 24, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, November 23, 2008 13:37:23
    Records in database: 1405545
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 251697
    Threat name: 1
    Infected objects: 0
    Suspicious objects: 5
    Duration of the scan: 04:04:28


    File name / Threat name / Threats count
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6605FAC1-70D3-405E-B316-55EDA31BCA70}\Microsoft\Outlook Express\Spoofers.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{755A1DC4-0B26-4CBE-8AD1-6122A2CE49DB}\Microsoft\Outlook Express\cancel me.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{755A1DC4-0B26-4CBE-8AD1-6122A2CE49DB}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
    C:\Documents and Settings\Administrator\My Documents\Outlook Express Exports\Mail Bkup\Spoofers.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

    The selected area was scanned.


    ++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++++++++++++++++++


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:43:53 AM, on 11/24/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\McAfee\VirusScan\McShield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Wacom\TabUserW.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: TheyreAliveIE Class - {D99D8C80-287F-4E53-AB64-B2225DB42F83} - C:\Program Files\They're Alive!\TheyreAlive.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Mea\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Instant Source - {8BD5271D-69C9-4467-882D-5139952D7754} - C:\Program Files\Instant Source\isrc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
    O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...509/mcfscan.cab
    O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

    --
    End of file - 12333 bytes



    PropagandaPanda
    post Nov 24 2008, 08:12 AM
    Post #13




    Group: Malware Response Team
    Posts: 7,078
    Joined: 10-March 08
    Member No.: 195,473



    Hello.

    Looks good.

    Fix HijackThis Entries
    • Double click the HijackThis icon on your desktop.
    • Close all other open windows.
    • Select Do a System Scan Only.
    • Wait a few moments for the list to be compiled.
    • To the left of each entry you will see a check box. Check the box next to the following entries:

      O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
      O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
      O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} -
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
      O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
      O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
      O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
      O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} -
      O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -
      O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} -
      O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -


      If you no longer see some of the entries, skip them.
    • Close all open windows except HijackThis.
    • Click and OK at the prompt.
    • The screen will clear itself.
    • Close out of HijackThis.


    Set New System Restore Point
    Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click System Restore.
    • Choose the radio button marked "Create a Restore Point" on the first screen then click Next. Give the R.P. a name then click Create. The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type:
      CODE
      cleanmgr
    • Click OK.
    • Click the More Options Tab.
    • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.

    Preventing Malware Infection in the Future
    Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

    Visit the Windows Update Site regularly.
    • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
    • Update ALL Critical updates and any other Windows updates for services/programs that you use.
    • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
      Note that it will download them for you, but you still have to actually click install.
      If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
    It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

    Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

    Simple and easy ways to keep your computer safe and secure on the Internet

    For general slowness problems, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

    Do you have any further questions or concerns?

    With Regards,
    The Panda


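As an added example (not code from this thread, from HijackThis, or from BleepingComputer), here is a small Python triage script that applies the rule behind the fix list in the post above: an O16 (Downloaded Program Files) line with neither a friendly name nor a download source cannot be verified and goes on the fix list, while a named control with no source (such as MUWebControl, which was left alone) is only flagged for manual review. The log excerpt is constructed from lines quoted earlier in the thread; the verdict names and the regular expression are this example's own.

```python
"""Triage helper for HijackThis O16 (Downloaded Program Files) entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# An O16 line has the shape
#   O16 - DPF: {GUID} (Friendly Name) - http://host/path/control.cab
# where both the friendly name and the source URL may be absent.
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<guid>[0-9A-Fa-f-]{36})\}"   # registered CLSID
    r"(?: \((?P<name>[^)]*)\))?"                     # optional friendly name
    r" -\s*(?P<url>\S+)?\s*$"                        # optional codebase URL
)


@dataclass
class DpfEntry:
    guid: str
    name: Optional[str]
    url: Optional[str]
    raw: str

    @property
    def verdict(self) -> str:
        """Classify the entry (verdict names are this example's own).

        'unidentified': no name and no download source; nothing on the line
                        lets you verify the control, so it goes on the fix list.
        'review':       named but no source; confirm by hand before removing.
        'ok':           a source URL is recorded and can be checked.
        """
        if self.url:
            return "ok"
        return "review" if self.name else "unidentified"


def parse_o16(log_text: str) -> List[DpfEntry]:
    """Extract every O16 line from a HijackThis log; other lines are skipped."""
    entries: List[DpfEntry] = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append(DpfEntry(m["guid"].upper(), m["name"], m["url"], line.strip()))
    return entries


def triage_o16(log_text: str) -> Dict[str, List[str]]:
    """Group the GUIDs of all O16 entries by verdict, in log order."""
    buckets: Dict[str, List[str]] = {"unidentified": [], "review": [], "ok": []}
    for e in parse_o16(log_text):
        buckets[e.verdict].append(e.guid)
    return buckets


def hjt_fix_lines(log_text: str) -> List[str]:
    """The raw lines to tick in HijackThis, i.e. the 'unidentified' ones."""
    return [e.raw for e in parse_o16(log_text) if e.verdict == "unidentified"]


# Constructed excerpt: a few lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.196.24/DGTx.CAB
"""

if __name__ == "__main__":
    for verdict, guids in triage_o16(SAMPLE_LOG).items():
        print(f"{verdict:12s} {len(guids)} entries")
    print("\n".join(hjt_fix_lines(SAMPLE_LOG)))
```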
    232xanax232
    post Nov 24 2008, 09:31 AM
    Post #14


    Member

    Group: Members
    Posts: 24
    Joined: 15-November 08
    Member No.: 256,792



    Yes,
    I have been reading up on how to get my context menu back up and running. I know where the reg keys are located but am unsure what info should be there for them to show up when I right-click in IE. Do you have any suggestions on how to proceed?
    I hate to think of having to reinstall the add-ons and extensions just to have them listed on a right-click. Do you think if I disable them, reboot, then re-enable them that they will show up?
    I have old HijackThis logs that give the addies to the called-out files (here is an example of what I'm talking about: O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html ).
    In reg the keys are there but they are blank; just wanted to know what ya thought on the matter.

    PS any suggestions on how to finish deleting ViewpointManager?

    Other than that, thank you for taking the time out to help me on these matters, Panda. You're a true blue techie guru who deserves a whole lotta gratitude. Thanks

    This post has been edited by 232xanax232: Nov 24 2008, 09:40 AM


    PropagandaPanda
    post Nov 24 2008, 11:48 AM
    Post #15




    Group: Malware Response Team
    Posts: 7,078
    Joined: 10-March 08
    Member No.: 195,473



    Hello.

    Sorry, but I am not very familiar with the context menus. I'll give it a shot though.

    First of all, which menus from what programs specifically?

    QUOTE
    PS any suggestions on how to finish deleting ViewpointManager?
    Let's use OTMoveIt.

    Download and Run OTMoveIT
    • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
    • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
    • Copy the lines in the codebox below. Do not copy the word "code".
      CODE
      :services
      Viewpoint Manager Service

      :files
      C:\Program Files\Viewpoint\
    • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
    • Close all open windows except OTMoveIt.
    • Click the button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3.
    Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

    Gone?

    With Regards,
    The Panda



    © 2003-2010 All Rights Reserved Bleeping Computer LLC.