Infected With Kavo.exe And Rootkit.vanti.nbp Trojan


7 replies to this topic

#1 chillwind


Posted 11 April 2008 - 08:15 AM

I inserted a USB drive I got from my friend and random viruses have been detected by my anti-virus (NOD32); of these, the only one I've been able to identify is Kavo.exe. The other viruses have random file names, usually mixed-up letters and numbers, that appear to reside in the /Temp folder. I've done numerous scans with the latest update of NOD32, S & D Spybot, and Ad-Aware to no avail. I've also done disk clean-up and deleted my restore points, but still nothing! I even have Windows Defender and it seems to be the program that halts its modification in the registry. Another one is the Vanti that keeps pestering me whenever I double-click a drive, whether it be external or internal.

I've read the guide and this is my HijackThis log:

Deckard's System Scanner v20071014.68
Run by Drake on 2008-04-11 21:00:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 1.96 GiB (less than 15%) free.


-- HijackThis (run as Drake.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:00 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Program Files\Eset\nod32krn.exe
G:\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Drake.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinDLL (mysnlive.exe)] rundll32.exe C:\WINDOWS\System32\mysnlive.exe,start
O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe C:\WINDOWS\System32\wingatey32.exe,start
O4 - HKLM\..\Run: [WinDLL (dlfksdld.exe)] rundll32.exe C:\WINDOWS\System32\dlfksdld.exe,start
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Microsoft Security Monitor Process] ofice.exe
O4 - HKLM\..\Run: [pronto] mosp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Security Monitor Process] ofice.exe
O4 - HKLM\..\RunServices: [pronto] mosp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\System32\kavo.exe
O4 - HKUS\S-1-5-21-1390067357-1563985344-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1390067357-1563985344-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1390067357-1563985344-839522115-1003\..\Run: [kava] C:\WINDOWS\System32\kavo.exe (User '?')
O4 - Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1207157127733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207159298046
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\Ctsvccda.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

--
End of file - 9030 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-11 20:33:17 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-10 22:32:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-11 20:51:07 0 d-------- C:\Program Files\Trend Micro
2008-04-11 17:24:50 126976 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2008-04-11 17:24:50 118116 -r-hs---- C:\WINDOWS\system32\kavo.exe
2008-04-11 10:07:48 0 d-------- C:\Documents and Settings\Drake\Application Data\Apple Computer
2008-04-11 08:55:16 38780 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Modem Driver>
2008-04-11 08:55:16 37920 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
2008-04-11 08:55:16 21280 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
2008-04-11 08:55:16 0 d-------- C:\Program Files\LG Electronics
2008-04-11 08:54:24 0 d-------- C:\Program Files\LG PC Suite
2008-04-11 03:03:19 0 d-------- C:\Documents and Settings\Drake\Application Data\InstallShield Installation Information
2008-04-11 01:25:11 0 d-------- C:\Warhammer.40000.Dawn.of.War.Soulstorm-RELOADED
2008-04-10 22:32:30 0 d-------- C:\Program Files\QuickTime
2008-04-10 22:32:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-10 22:32:01 0 d-------- C:\Program Files\Apple Software Update
2008-04-10 22:32:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-09 19:34:26 0 d-------- C:\Program Files\SpeedFan
2008-04-09 18:36:46 0 d-------- C:\Program Files\Common Files\Nero
2008-04-09 18:11:04 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2008-04-09 18:11:00 38912 -----n--- C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2008-04-09 18:10:01 544768 -----n--- C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2008-04-09 18:10:00 569344 -----n--- C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2008-04-09 18:09:42 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2008-04-09 18:09:42 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-09 18:09:36 0 d-------- C:\Program Files\Ahead
2008-04-08 19:57:05 0 d-------- C:\Documents and Settings\Drake\Application Data\Yahoo!
2008-04-08 19:57:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-08 15:57:12 5 --a------ C:\WINDOWS\youtubex.dll
2008-04-08 15:57:12 0 d-------- C:\tmpDownload
2008-04-08 15:55:28 0 d-------- C:\Program Files\YoutubeGet
2008-04-08 14:04:24 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-08 14:00:54 0 d-------- C:\Documents and Settings\Drake\Application Data\SystemRequirementsLab
2008-04-08 13:36:20 0 d-------- C:\Documents and Settings\Drake\Application Data\LG Electronics
2008-04-08 12:43:50 266240 --a------ C:\WINDOWS\system32\MyRossoPlugin.dll <Not Verified; Gonzo Rosso (M) Sdn Bhd; MyRossoPlugin Module>
2008-04-08 12:43:46 0 d-------- C:\Program Files\MyRosso
2008-04-08 12:43:33 0 d-------- C:\Documents and Settings\Drake\Application Data\InstallShield
2008-04-07 23:07:17 0 d-------- C:\Documents and Settings\Drake\Application Data\DivX
2008-04-07 23:04:47 0 d-------- C:\Program Files\DivX
2008-04-07 20:37:56 0 d-------- C:\Documents and Settings\Drake\Application Data\vlc
2008-04-07 20:35:26 0 --a------ C:\adware.exe
2008-04-07 20:29:32 0 d-------- C:\Program Files\VideoLAN
2008-04-07 14:27:24 0 d-------- C:\scan
2008-04-06 19:18:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-06 19:15:41 0 d-------- C:\Program Files\Yahoo!
2008-04-05 16:56:18 0 d-------- C:\Program Files\e-Games
2008-04-05 00:25:26 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-05 00:01:43 0 d-------- C:\Documents and Settings\Drake\Application Data\Activision
2008-04-04 22:28:33 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-04 16:54:49 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-04 16:54:01 0 d-------- C:\WINDOWS\system32\Futuremark
2008-04-04 16:54:01 3972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-04-04 16:52:59 0 d-------- C:\Program Files\Futuremark
2008-04-04 11:39:59 0 d-------- C:\Program Files\Windows Defender
2008-04-04 11:30:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-04 11:28:14 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-04 11:14:45 0 d-------- C:\Documents and Settings\Drake\Application Data\Opera
2008-04-04 11:14:26 0 d-------- C:\Program Files\Opera
2008-04-04 07:56:10 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2008-04-04 07:56:03 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-04-04 07:19:35 0 d-------- C:\Program Files\DIFX
2008-04-04 07:11:52 0 d-------- C:\WINDOWS\system32\xlive
2008-04-04 04:47:20 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-04-04 04:45:43 0 d-------- C:\WINDOWS\Prefetch
2008-04-04 04:38:54 0 d-------- C:\WINDOWS\peernet
2008-04-04 04:38:53 0 d-------- C:\WINDOWS\provisioning
2008-04-04 04:36:51 0 d-------- C:\WINDOWS\ServicePackFiles
2008-04-04 04:27:59 0 d-------- C:\WINDOWS\EHome
2008-04-04 04:21:38 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-04 00:35:17 0 d-------- C:\65a698536d25b15c99639eb7997c
2008-04-04 00:29:52 24576 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-04 00:29:52 0 d--h---c- C:\WINDOWS\$xpsp1hfm$
2008-04-04 00:23:09 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-04-04 00:23:08 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-03 23:33:00 0 d-------- C:\WINDOWS\system32\bits
2008-04-03 23:31:56 0 --a------ C:\WINDOWS\system32\Tilecomfree.com
2008-04-03 13:58:06 61440 -ra------ C:\WINDOWS\system32\TFTP1676
2008-04-03 13:49:51 0 -ra------ C:\WINDOWS\system32\TFTP3208
2008-04-03 13:08:24 0 -ra------ C:\WINDOWS\system32\TFTP2824
2008-04-03 13:06:22 0 d-------- C:\WINDOWS\Sun
2008-04-03 13:06:21 0 d-------- C:\Documents and Settings\Drake\Application Data\Sun
2008-04-03 12:50:59 83968 -ra------ C:\WINDOWS\system32\TFTP2716
2008-04-03 12:36:20 0 -ra------ C:\WINDOWS\system32\TFTP1964
2008-04-03 11:49:23 91648 -ra------ C:\WINDOWS\system32\TFTP2776
2008-04-03 11:32:52 26112 -ra------ C:\WINDOWS\system32\TFTP2128
2008-04-03 11:14:53 0 -ra------ C:\WINDOWS\system32\TFTP2708
2008-04-03 02:51:04 0 -ra------ C:\WINDOWS\system32\TFTP2020
2008-04-03 02:28:40 602356 --a------ C:\WINDOWS\system32\igfsfdfsd32.exe
2008-04-03 01:36:27 0 -ra------ C:\WINDOWS\system32\TFTP1368
2008-04-03 01:25:41 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-03 01:25:17 0 d---s---- C:\Documents and Settings\Drake\UserData
2008-04-03 00:26:06 0 d-------- C:\Program Files\PowerISO
2008-04-02 21:45:52 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-02 21:45:40 0 d-------- C:\WINDOWS\system32\AGEIA
2008-04-02 21:45:39 0 d-------- C:\Program Files\AGEIA Technologies
2008-04-02 21:44:58 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-02 21:44:58 271360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-04-02 21:35:10 0 d-------- C:\Program Files\Playlogic
2008-04-02 21:17:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-02 20:24:09 0 d-------- C:\Program Files\SEGA
2008-04-02 20:02:46 0 d-------- C:\WINDOWS\NV1056336.TMP
2008-04-02 19:54:18 0 d-------- C:\WINDOWS\nview
2008-04-02 19:45:20 0 d-------- C:\NVIDIA
2008-04-02 18:08:13 48692 --ah----- C:\WINDOWS\system32\iocjb.exe
2008-04-02 17:56:06 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 17:54:39 0 d-------- C:\Program Files\Lavasoft
2008-04-02 17:54:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-02 17:46:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 16:54:05 49152 --a------ C:\WINDOWS\system32\vxdter.exe
2008-04-02 16:51:21 49152 --a------ C:\WINDOWS\system32\ipemzs.exe
2008-04-02 16:51:21 36864 --a------ C:\WINDOWS\system32\ftanj.exe
2008-04-02 15:29:20 0 -ra------ C:\WINDOWS\system32\TFTP3480
2008-04-02 14:34:44 57344 --ah----- C:\WINDOWS\system32\ykeyi.exe
2008-04-02 14:33:04 1138688 ---hs---- C:\WINDOWS\system32\wingatey32.exe
2008-04-02 14:29:58 40960 --a------ C:\WINDOWS\system32\dxktn.exe
2008-04-02 14:29:57 36864 --a------ C:\WINDOWS\system32\uivzyev.exe
2008-04-02 08:57:00 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-02 08:56:57 0 dr------- C:\Program Files
2008-04-02 08:56:57 0 d-------- C:\Program Files\Common Files
2008-04-02 08:56:57 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-02 08:56:31 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-02 08:56:31 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-02 08:56:31 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-02 08:56:31 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-02 08:56:31 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-02 08:56:31 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-02 08:56:31 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-02 08:56:31 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-02 08:56:31 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-02 08:56:31 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-02 08:56:31 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-02 08:56:31 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-02 08:56:31 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-02 08:56:31 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-02 08:56:31 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-02 08:56:31 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-02 08:56:20 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-02 08:56:20 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-02 08:56:14 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-02 08:56:14 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-02 08:56:14 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-02 08:56:14 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-02 08:56:01 0 d-------- C:\Documents and Settings
2008-04-02 08:50:25 0 d-------- C:\WINDOWS
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\WinSxS
2008-04-02 08:50:25 0 dr------- C:\WINDOWS\Web
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\twain_32
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\wins
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\wbem
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\usmt
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\spool
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\Setup
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\ras
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\oobe
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\npp
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\mui
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\IME
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\ias
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\export
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\drivers
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-02 08:50:25 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\config
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\3076
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\2052
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1054
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1042
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1041
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1037
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1033
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1031
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1028
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system32\1025
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\system
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\security
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Resources
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\repair
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\mui
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\msapps
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\msagent
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Media
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\java
2008-04-02 08:50:25 0 d--h----- C:\WINDOWS\inf
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\ime
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Help
2008-04-02 08:50:25 0 dr--s---- C:\WINDOWS\Fonts
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Driver Cache
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Debug
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Cursors
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\Config
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\AppPatch
2008-04-02 08:50:25 0 d-------- C:\WINDOWS\addins
2008-04-02 03:52:26 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-02 03:52:26 2550 --a------ C:\WINDOWS\unins000.dat
2008-04-02 03:49:21 33952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-04-02 03:44:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 03:01:43 0 d-------- C:\Documents and Settings\Drake\Application Data\Macromedia
2008-04-02 02:50:38 0 d-------- C:\Program Files\Java
2008-04-02 02:50:35 0 d-------- C:\Program Files\Common Files\Java
2008-04-02 02:41:12 0 d-------- C:\Documents and Settings\Drake\Application Data\Media Player Classic
2008-04-02 02:35:17 0 d-------- C:\Documents and Settings\Drake\Application Data\Talkback
2008-04-02 02:34:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 02:34:49 0 d-------- C:\Documents and Settings\Drake\Application Data\Mozilla
2008-04-02 02:32:13 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-02 02:32:02 0 d-------- C:\Program Files\Common Files\Real
2008-04-02 02:32:00 0 d-------- C:\Program Files\Real
2008-04-02 02:29:46 0 d-------- C:\Documents and Settings\Drake\Application Data\WinRAR
2008-04-02 02:25:40 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-04-02 02:20:18 0 d-------- C:\Program Files\Gabest
2008-04-02 02:17:52 0 d-------- C:\Documents and Settings\Drake\Application Data\uTorrent
2008-04-02 02:15:35 0 d-------- C:\Program Files\Combined Community Codec Pack
2008-04-02 02:11:54 0 d-------- C:\Program Files\Real Alternative
2008-04-02 02:11:54 0 d-------- C:\Documents and Settings\Drake\Application Data\Real
2008-04-02 02:11:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-04-02 02:08:07 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-02 02:07:30 0 d-------- C:\WINDOWS\ShellNew
2008-04-02 02:03:58 0 d-------- C:\Program Files\Winamp
2008-04-02 02:03:58 0 d-------- C:\Documents and Settings\Drake\Application Data\Winamp
2008-04-02 01:52:10 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-00000006-00001102-00000004-00531102}.dat
2008-04-02 01:52:10 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-00000006-00001102-00000004-00531102}.dat
2008-04-02 01:51:57 299392 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-04-02 01:50:56 118116 -r-hs---- C:\lhwdcgcb.bat
2008-04-02 01:48:38 0 d-------- C:\Documents and Settings\Drake\Application Data\Creative
2008-04-02 01:46:16 0 d-------- C:\WINDOWS\Profiles
2008-04-02 01:46:15 0 d-------- C:\WINDOWS\system32\Adobe
2008-04-02 01:46:15 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 01:46:15 0 d-------- C:\Documents and Settings\Drake\Application Data\InterTrust
2008-04-02 01:46:15 0 d-------- C:\Documents and Settings\Drake\Application Data\Adobe
2008-04-02 01:45:05 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-02 01:45:01 26768 -----n--- C:\WINDOWS\system32\CTL3D.DLL <Not Verified; Microsoft Corporation; 3D Windows Control>
2008-04-02 01:45:01 53552 -----n--- C:\WINDOWS\CTCCW.DLL <Not Verified; Creative® Technology Ltd.; Custom Control for Windows>
2008-04-02 01:45:00 1048576 -----n--- C:\WINDOWS\system32\SFMAN.DAT
2008-04-02 01:44:59 0 d-------- C:\WINDOWS\system32\Defaults
2008-04-02 01:44:17 0 d-------- C:\WINDOWS\system32\Data
2008-04-02 01:44:08 156604 --a------ C:\WINDOWS\system32\drivers\EMUPIA2K.SYS <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
2008-04-02 01:44:07 211724 --a------ C:\WINDOWS\system32\drivers\CTSFM2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:44:07 11068 --a------ C:\WINDOWS\system32\drivers\CTPRXY2K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:44:06 114944 --a------ C:\WINDOWS\system32\drivers\CTAC32K.SYS <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:56 36864 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Technology Ltd CTDCRES>
2008-04-02 01:43:55 258048 --a------ C:\WINDOWS\system32\SFMS32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:55 36864 --a------ C:\WINDOWS\system32\REGPLIB.EXE
2008-04-02 01:43:55 98304 --a------ C:\WINDOWS\system32\PIAPROXY.DLL <Not Verified; Creative Technology Ltd; E-mu PIA>
2008-04-02 01:43:55 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-04-02 01:43:55 49152 --a------ C:\WINDOWS\system32\KILLAPPS.EXE
2008-04-02 01:43:55 77824 --a------ C:\WINDOWS\system32\EAXAC3.DLL <Not Verified; Creative Labs; EAX-AC3 DLL>
2008-04-02 01:43:55 122880 --a------ C:\WINDOWS\system32\ct_oal.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:55 176128 --a------ C:\WINDOWS\PSCONV.EXE
2008-04-02 01:43:55 61440 --a------ C:\WINDOWS\MIDIDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:55 77824 --a------ C:\WINDOWS\DEVREG.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:53 643072 --a------ C:\WINDOWS\system32\CTSBLFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:53 143360 --a------ C:\WINDOWS\system32\CTOSUSER.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:53 36864 --a------ C:\WINDOWS\system32\CTEMUPIA.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:48 94208 --a------ C:\WINDOWS\system32\CTDPROXY.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:48 307200 --a------ C:\WINDOWS\system32\CTDEVCON.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:48 98304 --a------ C:\WINDOWS\system32\CTASIO.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:48 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>
2008-04-02 01:43:47 110592 --a------ C:\WINDOWS\system32\COMMONFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:47 40960 --a------ C:\WINDOWS\system32\AC3API.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-04-02 01:43:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-04-02 01:42:54 54784 -----n--- C:\WINDOWS\system32\Inetwh32.dll <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32>
2008-04-02 01:38:15 41984 -----n--- C:\WINDOWS\CTRegRun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2008-04-02 01:38:09 0 d-------- C:\Program Files\Creative
2008-04-02 01:33:55 0 d-------- C:\WINDOWS\RegisteredPackages
2008-04-02 01:26:55 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-02 01:24:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 01:23:54 0 d-------- C:\Program Files\VIA
2008-04-02 01:23:45 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-02 01:21:41 0 d--hs---- C:\WINDOWS\Installer
2008-04-02 01:21:39 0 d-------- C:\Documents and Settings\Drake\Application Data\Identities
2008-04-02 01:21:30 0 d--h----- C:\Documents and Settings\Drake\Templates
2008-04-02 01:21:30 0 dr------- C:\Documents and Settings\Drake\Start Menu
2008-04-02 01:21:30 0 dr-h----- C:\Documents and Settings\Drake\SendTo
2008-04-02 01:21:30 0 dr-h----- C:\Documents and Settings\Drake\Recent
2008-04-02 01:21:30 0 d--h----- C:\Documents and Settings\Drake\PrintHood
2008-04-02 01:21:30 4718592 --ah----- C:\Documents and Settings\Drake\NTUSER.DAT
2008-04-02 01:21:30 0 d--h----- C:\Documents and Settings\Drake\NetHood
2008-04-02 01:21:30 0 d--h----- C:\Documents and Settings\Drake\Local Settings
2008-04-02 01:21:30 0 dr------- C:\Documents and Settings\Drake\Favorites
2008-04-02 01:21:30 0 d-------- C:\Documents and Settings\Drake\Desktop
2008-04-02 01:21:30 0 d--hs---- C:\Documents and Settings\Drake\Cookies
2008-04-02 01:21:30 0 dr-h----- C:\Documents and Settings\Drake\Application Data
2008-04-02 01:17:52 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-02 01:17:52 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-02 01:17:52 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-02 01:17:52 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-02 01:17:52 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-02 01:17:52 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-02 01:17:52 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-02 01:17:52 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-02 01:17:52 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-02 01:17:52 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-02 01:17:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-02 01:17:52 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-02 01:17:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-02 01:17:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-02 01:12:34 0 d--hs---- C:\System Volume Information
2008-04-02 01:12:25 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-02 01:12:25 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-02 01:12:25 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-02 01:12:25 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-02 01:12:24 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-02 01:12:24 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-02 01:12:24 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-02 01:12:24 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-02 01:12:24 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-02 01:12:24 1572864 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-02 01:09:20 0 d-------- C:\WINDOWS\system32\xircom
2008-04-02 01:09:20 0 d-------- C:\Program Files\microsoft frontpage
2008-04-02 01:09:07 233472 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-02 01:09:02 0 -rahs---- C:\MSDOS.SYS
2008-04-02 01:09:02 0 -rahs---- C:\IO.SYS
2008-04-02 01:09:02 0 --a------ C:\CONFIG.SYS
2008-04-02 01:09:02 0 --a------ C:\AUTOEXEC.BAT
2008-04-02 01:08:14 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-02 01:08:06 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-02 01:08:06 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-02 01:07:42 0 d-------- C:\WINDOWS\srchasst
2008-04-02 01:07:32 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-02 01:07:32 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-02 01:07:15 0 d-------- C:\Program Files\Movie Maker
2008-04-02 01:06:42 0 d-------- C:\WINDOWS\system32\Restore
2008-04-02 01:06:35 0 d-------- C:\WINDOWS\PCHEALTH
2008-04-02 01:06:27 0 d---s---- C:\WINDOWS\Tasks
2008-04-02 01:06:23 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-02 01:05:52 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-02 01:05:39 0 d-------- C:\WINDOWS\Registration
2008-04-02 01:05:33 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-02 01:05:33 0 d-------- C:\Program Files\Online Services
2008-04-02 01:05:28 0 d-------- C:\Program Files\Messenger
2008-04-02 01:05:16 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-02 01:05:03 0 d-------- C:\Program Files\Windows NT
2008-04-02 01:04:47 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-02 01:04:44 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-02 08:56:31 62 --ahs---- C:\Documents and Settings\Drake\Application Data\desktop.ini
2008-02-21 10:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 10:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 10:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 10:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 10:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 10:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 10:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 10:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 01:31 PM]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 01:32 PM]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 01:32 PM]
"WINDVDPatch"="CTHELPER.EXE" []
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [10/04/2001 01:00 AM]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [12/20/2001 01:00 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [04/02/2008 01:51 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/02/2008 02:32 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"WinDLL (mysnlive.exe)"="C:\WINDOWS\System32\mysnlive.exe" []
"WinDLL (wingatey32.exe)"="C:\WINDOWS\System32\wingatey32.exe" [04/02/2008 02:33 PM]
"WinDLL (dlfksdld.exe)"="C:\WINDOWS\System32\dlfksdld.exe" []
"Windows USB Monitor"="servupdate.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [01/03/2008 10:26 PM]
"nwiz"="nwiz.exe" [01/03/2008 10:26 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [01/03/2008 10:26 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [08/07/2007 08:05 AM]
"Microsoft Security Monitor Process"="ofice.exe" []
"pronto"="mosp.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"kava"="C:\WINDOWS\System32\kavo.exe" [03/28/2008 01:58 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Windows USB Monitor"=servupdate.exe
"Microsoft Security Monitor Process"=ofice.exe
"pronto"=mosp.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [4/11/2008 8:54:28 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22c15dc4-004d-11dd-9016-806d6172696f}]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22c15dc6-004d-11dd-9016-806d6172696f}]
AutoRun\command- D:\lhwdcgcb.bat
explore\Command- D:\lhwdcgcb.bat
open\Command- D:\lhwdcgcb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22c15dc8-004d-11dd-9016-806d6172696f}]
AutoRun\command- C:\lhwdcgcb.bat
explore\Command- C:\lhwdcgcb.bat
open\Command- C:\lhwdcgcb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fe19932-06fd-11dd-83dd-00e04d123516}]
AutoRun\command- F:\lhwdcgcb.bat
explore\Command- F:\lhwdcgcb.bat
open\Command- F:\lhwdcgcb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a73c0659-022a-11dd-b822-00e04d123516}]
AutoRun\command- F:\lhwdcgcb.bat
explore\Command- F:\lhwdcgcb.bat
open\Command- F:\lhwdcgcb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2a103b-03c4-4e70-9810-56c2f4a8c07d}]
AutoRun\command- G:\lhwdcgcb.bat
explore\Command- G:\lhwdcgcb.bat
open\Command- G:\lhwdcgcb.bat




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8138 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-11 21:04:34 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Architecture: X86; Language: English

Percentage of Memory in Use: 26%
Physical Memory (total/avail): 2047.48 MiB / 1497.04 MiB
Pagefile Memory (total/avail): 3943.82 MiB / 3587.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.6 MiB

C: is Fixed (NTFS) - 18.64 GiB total, 1.97 GiB free.
D: is Fixed (NTFS) - 18.63 GiB total, 2.22 GiB free.
E: is CDROM (CDFS)
G: is Fixed (NTFS) - 38.34 GiB total, 2.77 GiB free.



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\servupdate.exe"="C:\\WINDOWS\\System32\\servupdate.exe:*:Enabled:Windows USB Monitor"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\ofice.exe"="C:\\WINDOWS\\system32\\ofice.exe:*:Disabled:ofice"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Eset\\nod32.exe"="C:\\Program Files\\Eset\\nod32.exe:*:Enabled:NOD32"
"G:\\My Documents\\Internet Stuff\\My Downloads\\utorrent.exe"="G:\\My Documents\\Internet Stuff\\My Downloads\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"D:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"="D:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe:*:Disabled:Soulstorm"
"D:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="D:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe:*:Enabled:Unreal Tournament 3"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Drake\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LORECHIL-GV7BVX
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Drake
LOGONSERVER=\\LORECHIL-GV7BVX
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Drake\LOCALS~1\Temp
TMP=C:\DOCUME~1\Drake\LOCALS~1\Temp
USERDOMAIN=LORECHIL-GV7BVX
USERNAME=Drake
USERPROFILE=C:\Documents and Settings\Drake
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Drake (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy\Program\Ctzapxx.EXE" /U /S /R
--> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
AGEIA PhysX v7.09.13 --> MsiExec.exe /X{45235788-142C-44BE-8A4D-DDE9A84492E5}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Combined Community Codec Pack 2008-01-24 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ffdshow (remove only) --> "C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\uninstall.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LG PhoneManger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5EE65592-88FD-48AA-98CA-EE9BDB1FF518}\setup.exe" -l0x9 -removeonly
LG SyncManager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92636B62-9423-4246-82FE-69E2F4158350}\setup.exe" -l0x9 -removeonly
LG USB Modem driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\setup.exe" -l0x9 -removeonly
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{D1B01DC9-CBAF-45F9-A387-7D00C11B630E}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\System32\nvuninst.exe UninstallGUI
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PunkBuster Services --> C:\WINDOWS\System32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Ran Online 3.0.2.1 --> "C:\Program Files\e-Games\Ran Online\uninstall.exe"
RAN_Online(en) --> C:\Program Files\InstallShield Installation Information\{86F49DE3-96CD-44BA-A2AF-1D20F61E85B5}\setup.exe -runfromtemp -l0x0009 -removeonly
Real Alternative 1.51 Lite --> "C:\Program Files\Real Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Sound Blaster Audigy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9115E7DB-3B29-445A-802D-11E0AA945B7F}\SETUP.EXE" -l0x9
SpeedFan (remove only) --> "C:\Program Files\SpeedFan\uninstall.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Unreal Tournament 3 --> "C:\Documents and Settings\Drake\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe" -runfromtemp -l0x0409 -removeonly
Unreal Tournament 3 --> MsiExec.exe /X{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_C074F64CC74B03BC354BB5DC973CCF768D5A7194\amdk8.inf
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! 工具列 --> C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
YoutubeGet 4 --> "C:\Program Files\YoutubeGet\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type277 / Error
Event Submitted/Written: 04/11/2008 09:02:27 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type274 / Warning
Event Submitted/Written: 04/11/2008 08:28:53 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type273 / Error
Event Submitted/Written: 04/11/2008 08:27:16 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application nero.exe, version 6.3.1.18, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type252 / Warning
Event Submitted/Written: 04/10/2008 11:41:27 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type246 / Warning
Event Submitted/Written: 04/10/2008 08:05:11 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2723 / Warning
Event Submitted/Written: 04/11/2008 09:02:11 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%LORECHIL-GV7BVX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %LORECHIL-GV7BVX27 can't undo changes that you allow.

For more information please see the following:
%LORECHIL-GV7BVX275

Scan ID: {A1B0509F-3C9A-4C89-BE14-5AAEED67D7C0}

User: LORECHIL-GV7BVX\Drake

Name: %LORECHIL-GV7BVX271

ID: %LORECHIL-GV7BVX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %LORECHIL-GV7BVX276

Alert Type: %LORECHIL-GV7BVX278

Detection Type: 1.1.1593.02

Event Record #/Type2722 / Warning
Event Submitted/Written: 04/11/2008 09:02:11 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%LORECHIL-GV7BVX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %LORECHIL-GV7BVX27 can't undo changes that you allow.

For more information please see the following:
%LORECHIL-GV7BVX275

Scan ID: {BE95018D-2D93-4B18-AAFC-1D3227FFBC28}

User: LORECHIL-GV7BVX\Drake

Name: %LORECHIL-GV7BVX271

ID: %LORECHIL-GV7BVX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %LORECHIL-GV7BVX276

Alert Type: %LORECHIL-GV7BVX278

Detection Type: 1.1.1593.02

Event Record #/Type2721 / Warning
Event Submitted/Written: 04/11/2008 09:02:11 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%LORECHIL-GV7BVX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %LORECHIL-GV7BVX27 can't undo changes that you allow.

For more information please see the following:
%LORECHIL-GV7BVX275

Scan ID: {D67520E0-BF75-43CD-A12D-F64EF7BCF4C2}

User: LORECHIL-GV7BVX\Drake

Name: %LORECHIL-GV7BVX271

ID: %LORECHIL-GV7BVX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %LORECHIL-GV7BVX276

Alert Type: %LORECHIL-GV7BVX278

Detection Type: 1.1.1593.02

Event Record #/Type2720 / Warning
Event Submitted/Written: 04/11/2008 09:02:08 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%LORECHIL-GV7BVX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %LORECHIL-GV7BVX27 can't undo changes that you allow.

For more information please see the following:
%LORECHIL-GV7BVX275

Scan ID: {63D26C65-B64A-4174-AC89-F3FE6BC64C34}

User: LORECHIL-GV7BVX\Drake

Name: %LORECHIL-GV7BVX271

ID: %LORECHIL-GV7BVX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %LORECHIL-GV7BVX276

Alert Type: %LORECHIL-GV7BVX278

Detection Type: 1.1.1593.02

Event Record #/Type2719 / Warning
Event Submitted/Written: 04/11/2008 09:02:08 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%LORECHIL-GV7BVX27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %LORECHIL-GV7BVX27 can't undo changes that you allow.

For more information please see the following:
%LORECHIL-GV7BVX275

Scan ID: {AF363CDF-0D4F-4AA7-9067-CC121E046968}

User: LORECHIL-GV7BVX\Drake

Name: %LORECHIL-GV7BVX271

ID: %LORECHIL-GV7BVX272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %LORECHIL-GV7BVX276

Alert Type: %LORECHIL-GV7BVX278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-04-11 21:04:34 ------------
Why does it have to be this way?!


#2 bamajim

bamajim

  • Members
  • 894 posts
  • Local time:01:19 AM

Posted 17 April 2008 - 10:45 AM

chillwind

You may want to print out these instructions for reference

1. We need to temporarily disable Spybot-S&D TeaTimer so it doesn't interfere with our fix
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
2. Please download Killbox.
1) Save it to the desktop
2) Rt Click->>Extract all->>Extract it to your Desktop
3) Double Click Killbox.exe to run it
4) Select "Delete on Reboot", and then select "All files".
5) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo.exe
C:\adware.exe
C:\WINDOWS\system32\iocjb.exe
C:\WINDOWS\system32\vxdter.exe
C:\WINDOWS\system32\ipemzs.exe
C:\WINDOWS\system32\ftanj.exe
C:\WINDOWS\system32\ykeyi.exe
C:\WINDOWS\system32\wingatey32.exe
C:\WINDOWS\system32\dxktn.exe
C:\WINDOWS\system32\uivzyev.exe
C:\lhwdcgcb.bat

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.
3. Open Notepad (not Wordpad)
Select Edit and uncheck Wordwrap
Copy and paste the following into Notepad
(Making sure there is no space between the top of the window and the first line)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba2a103b-03c4-4e70-9810-56c2f4a8c07d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a73c0659-022a-11dd-b822-00e04d123516}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fe19932-06fd-11dd-83dd-00e04d123516}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22c15dc8-004d-11dd-9016-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22c15dc6-004d-11dd-9016-806d6172696f}]
After you copy and paste it your cursor should be at the end of the first line
Hit Enter so your cursor is under the last line
Click File->>Save as->>type in fix.reg->>
Under "Save as type" Select "All Files"->> save it to your Desktop
Close Notepad
The fix.reg file should now appear on your Desktop (If it saved properly it will look like a stack of small blue blocks)

Rt Click and Select merge->>If prompted to Merge this Select Yes (it will appear that nothing has happened but that's o.k.)

4. Rerun Hijackthis (scan only) and place checks beside the following entries:

O4 - HKLM\..\Run: [WinDLL (mysnlive.exe)] rundll32.exe C:\WINDOWS\System32\mysnlive.exe,start
O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe C:\WINDOWS\System32\wingatey32.exe,start
O4 - HKLM\..\Run: [WinDLL (dlfksdld.exe)] rundll32.exe C:\WINDOWS\System32\dlfksdld.exe,start
O4 - HKLM\..\Run: [Microsoft Security Monitor Process] ofice.exe
O4 - HKLM\..\Run: [pronto] mosp.exe
O4 - HKLM\..\RunServices: [Microsoft Security Monitor Process] ofice.exe
O4 - HKLM\..\RunServices: [pronto] mosp.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\System32\kavo.exe
O4 - HKUS\S-1-5-21-1390067357-1563985344-839522115-1003\..\Run: [kava] C:\WINDOWS\System32\kavo.exe (User '?')

Close all other open windows except Hijackthis and Select "Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log
Microsoft MVP - Windows Security
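The O4 and O23 entries bamajim singles out follow patterns that can be screened mechanically: rundll32 starting a bare .exe, values under the obsolete RunServices key, bare filenames with no path, and services whose binary sits in a Temp folder. The following Python is an added example written for this page, not code from the thread or from HijackThis; its sample lines are constructed after the posted logs, and the kava/kavo entry is included on purpose because it slips past every heuristic here, which is why a named fix list from a helper was still needed.

```python
"""Triage heuristics for HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread, not code from the thread or from HijackThis.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinDLL (wingatey32.exe)] rundll32.exe C:\WINDOWS\System32\wingatey32.exe,start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [pronto] mosp.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\System32\kavo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: THDSYKQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Drake\LOCALS~1\Temp\THDSYKQ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: VGF - Unknown owner - C:\DOCUME~1\Drake\LOCALS~1\Temp\VGF.exe (file missing)
"""

# O4 registry autostarts: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: "O23 - Service: <name> - <owner> - <path> [(file missing)]"
# The owner field may itself contain " - ", so the path must start with a drive letter.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# rundll32 handed an .exe instead of a DLL, as in the kavo/wingatey32 entries.
RUNDLL_EXE_RE = re.compile(r"^rundll32(\.exe)?\s+\S+\.exe,", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "O4" or "O23"
    name: str        # registry value name or service name
    target: str      # command line or service binary path
    reasons: list = field(default_factory=list)


def check_o4(m: re.Match) -> list:
    key, cmd = m.group("key"), m.group("cmd").strip()
    reasons = []
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x-era key; XP software rarely uses it")
    if RUNDLL_EXE_RE.match(cmd):
        reasons.append("rundll32 is used to start an .exe as if it were a DLL")
    else:
        exe = cmd.split()[0] if cmd else ""
        if "\\" not in exe and not exe.startswith('"'):
            reasons.append("bare filename with no path; located via the search path at logon")
    return reasons


def check_o23(m: re.Match) -> list:
    path = m.group("path").lower()
    reasons = []
    if "\\temp\\" in path:
        reasons.append("service binary in a Temp directory")
        if m.group("missing"):
            reasons.append("binary already gone; orphaned service entry left behind")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            if reasons := check_o4(m):
                findings.append(Finding("O4", m.group("name"), m.group("cmd"), reasons))
        elif m := O23_RE.match(line):
            if reasons := check_o23(m):
                findings.append(Finding("O23", m.group("name"), m.group("path"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```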

#3 chillwind

Posted 18 April 2008 - 02:23 AM

Hi bamajim! Thank you for your help!

Sorry for the delay...
I did as you've instructed.

This is my new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:26 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1207157127733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207159298046
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BNUGADUSVGE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Drake\LOCALS~1\Temp\BNUGADUSVGE.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\Ctsvccda.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe (file missing)
O23 - Service: THDSYKQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Drake\LOCALS~1\Temp\THDSYKQ.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: VGF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Drake\LOCALS~1\Temp\VGF.exe
O23 - Service: W - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Drake\LOCALS~1\Temp\W.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
O23 - Service: WZDC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Drake\LOCALS~1\Temp\WZDC.exe

--
End of file - 8112 bytes

Edited by chillwind, 18 April 2008 - 02:25 AM.

Why does it have to be this way?!

#4 bamajim

Posted 18 April 2008 - 07:15 AM

chillwind

Good work.

1. Rerun Killbox
At the main window Select Tools ->> Delete Temp Files
At the next window uncheck XP Prefetch
Leave the other boxes checked
Select "Delete Selected Temp Files"
Allow the tool to run. When it is finished (You will know that it is finished because the checks will disappear from the location boxes)
Select "Exit"
Then Select "Exit" again to close Killbox
2. Please perform an Ewido Online Malware Scan
  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found, (After you save the logfile), Click on Remove Infections.

Microsoft MVP - Windows Security

#5 chillwind

Posted 18 April 2008 - 10:45 AM

Ok. Sorry again for the late reply:

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Drake\Cookies\drake@ssl-hints.netflame[1].txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: :mozilla.7:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: :mozilla.8:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.31:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.32:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adbrite
Path: :mozilla.33:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tribalfusion
Path: :mozilla.45:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Revsci
Path: :mozilla.84:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Revsci
Path: :mozilla.88:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Revsci
Path: :mozilla.89:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Revsci
Path: :mozilla.91:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yadro
Path: :mozilla.162:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Imrworldwide
Path: :mozilla.201:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Imrworldwide
Path: :mozilla.202:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Information
Path: :mozilla.219:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.236:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.237:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.238:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.2o7
Path: :mozilla.248:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Liveperson
Path: :mozilla.259:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Questionmarket
Path: :mozilla.263:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Questionmarket
Path: :mozilla.264:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.267:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.268:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.269:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.270:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.271:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.272:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.273:C:\Documents and Settings\Drake\Application Data\Mozilla\Firefox\Profiles\aup3qmhs.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Netflame
Path: C:\Documents and Settings\Drake\Cookies\drake@ssl-hints.netflame[2].txt
Risk: Medium

Name: Trojan.Small
Path: G:\My Documents\Internet Stuff\My Downloads\Neverwinter Nights 2 serial\Tools\tools-nwn2.rar/YASU.exe
Risk: High

Name: Trojan.Small
Path: G:\My Documents\Internet Stuff\My Downloads\Neverwinter Nights 2 serial\Tools\YASU.exe
Risk: High

Name: Not-A-Virus.HackTool.Win32.Delf.bw
Path: G:\My Documents\Misc\DS mods\lotrwitchtrn3.zip/El Resurgir del Rey Brujo™ Trainer.exe
Risk: Low

Why does it have to be this way?!

#6 bamajim

Posted 18 April 2008 - 10:52 AM

chillwind

No problem about any delay.

Could I see one more fresh Hijackthis log?

And in your reply give me an update on how your pc is running now.
Microsoft MVP - Windows Security

#7 chillwind

Posted 18 April 2008 - 08:57 PM

Hey bamajim~ Thank you!

I've stopped receiving error messages and virus alerts and my pc is currently running normally (quite faster actually), and I don't get crashes anymore! There's an unusual amount of free space in C suddenly but I'm glad it does! Thank you soooo much for your help!

This is the log as you've requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:55 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows USB Monitor] servupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows USB Monitor] servupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1390067357-1563985344-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1207157127733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207159298046
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BNUGADUSVGE - Unknown owner - C:\DOCUME~1\Drake\LOCALS~1\Temp\BNUGADUSVGE.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\Ctsvccda.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe (file missing)
O23 - Service: THDSYKQ - Unknown owner - C:\DOCUME~1\Drake\LOCALS~1\Temp\THDSYKQ.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
O23 - Service: VGF - Unknown owner - C:\DOCUME~1\Drake\LOCALS~1\Temp\VGF.exe (file missing)
O23 - Service: W - Unknown owner - C:\DOCUME~1\Drake\LOCALS~1\Temp\W.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
O23 - Service: WZDC - Unknown owner - C:\DOCUME~1\Drake\LOCALS~1\Temp\WZDC.exe (file missing)

--
End of file - 8572 bytes

Edited by chillwind, 19 April 2008 - 05:22 AM.

Why does it have to be this way?!

#8 bamajim

Posted 19 April 2008 - 07:18 AM

chillwind

You are most welcome.

Your Log is Clean from malware
I appreciate your patience in working through this.
Now that your log is clean, there are some final notes:

Disable and Enable System Restore. Now that your system is clean, let's create a clean System Restore point; the instructions are here.

Update your Anti Virus Software.

Use and maintain a Firewall.

Visit Microsoft's Windows Update Site frequently for critical updates.

Backup your Documents and Files on a regular basis, to a disc or a USB key, not your Hard drive.

You may want to read this article: "So how did I get infected in the first place" by Tony Klein.

Microsoft MVP - Windows Security
